PHP exploit in tiny_mce, htmlpurifier and theme/hesk3

[paratodos.pro]

Script URL: https://peticiones.paratodos.pro/
Version of script: 3.4.2
Hosting company: Raiola Networks (spain)
URL of phpinfo.php: https://peticiones.paratodos.pro/phpinfo.php
URL of session_test.php: https://peticiones.paratodos.pro/session_test.php
What terms did you try when SEARCHING for a solution:
- exploit php Help Desk Software HESK
- exploit php HESK
- tiny_mce exploit php

Write your message below:

Hello everyone.

Several times my hosting provider inform me that we have malware in the HESK folder.

This time they are those:

• /inc/htmlpurifier/standalone/HTMLPurifier/class.php | [PHP Exploit]

• /inc/tiny_mce/5.10.5/icons/type.php | [PHP Exploit]

• /inc/tiny_mce/5.10.5/skins/ui/oxide-dark/fonts/library.php | [PHP Exploit]

• /inc/tiny_mce/5.10.5/skins/ui/oxide/fonts/defense.php | [PHP Exploit]

• /inc/tiny_mce/5.10.6/skins/ui/oxide-dark/fonts/security.php | [PHP Exploit]

• /theme/hesk3/customer/create-ticket/module.php | [PHP Exploit]

The tiny_mce is easy, i will remove the folders because we don't use it. But I dont know how to clean and protect they.

Thanks for help me.

[Klemen]

The files you mention are not from Hesk, someone created them there. It's a standard tactic hackers use when trying to hide their activity/initial attack vector and install backdoors on the servers.

I recommend that you:
- change all your passwords, starting with your FTP (web hosting) password
- update all the software you run on the server
- delete all files not included with original software