Something is renaming php files to .php.suspected; I'm trying to find out what
Clash Royale CLAN TAG#URR8PPP
up vote
3
down vote
favorite
Related:
https://serverfault.com/questions/748417/something-renames-files-to-filename-ext-suspected
https://stackoverflow.com/questions/32835796/php-file-automatically-renamed-to-php-suspected
I have a customer with a webhosting server that's running linux who is suffering from this problem. It is not a Wordpress site, although he does run Wordpress sites on that same server.
We're both aware of the problem and that some of those files do indeed have malware content - however, there are also some false positives, and they are affecting the site's functioning (by rendering include files unreadable), so he's asking me to track down which part of the installed software is doing this and to put a stop to it.
Trouble is, I'm not 100% sure what is causing the rename and why. I suspect clamav/amavis because it's in their purview, but nothing in cron really springs out to me as a possible cause for what appear to be weekly scans...
php malware clamav
edited May 23 '17 at 12:40
Community♦
1
asked Mar 13 '17 at 10:37
Shadur
19.2k64357
add a comment |
up vote
3
down vote
favorite
Related:
https://serverfault.com/questions/748417/something-renames-files-to-filename-ext-suspected
https://stackoverflow.com/questions/32835796/php-file-automatically-renamed-to-php-suspected
I have a customer with a webhosting server that's running linux who is suffering from this problem. It is not a Wordpress site, although he does run Wordpress sites on that same server.
We're both aware of the problem and that some of those files do indeed have malware content - however, there are also some false positives, and they are affecting the site's functioning (by rendering include files unreadable), so he's asking me to track down which part of the installed software is doing this and to put a stop to it.
Trouble is, I'm not 100% sure what is causing the rename and why. I suspect clamav/amavis because it's in their purview, but nothing in cron really springs out to me as a possible cause for what appear to be weekly scans...
php malware clamav
edited May 23 '17 at 12:40
Community♦
1
asked Mar 13 '17 at 10:37
Shadur
19.2k64357
add a comment |
up vote
3
down vote
favorite
up vote
3
down vote
favorite
Related:
https://serverfault.com/questions/748417/something-renames-files-to-filename-ext-suspected
https://stackoverflow.com/questions/32835796/php-file-automatically-renamed-to-php-suspected
I have a customer with a webhosting server that's running linux who is suffering from this problem. It is not a Wordpress site, although he does run Wordpress sites on that same server.
We're both aware of the problem and that some of those files do indeed have malware content - however, there are also some false positives, and they are affecting the site's functioning (by rendering include files unreadable), so he's asking me to track down which part of the installed software is doing this and to put a stop to it.
Trouble is, I'm not 100% sure what is causing the rename and why. I suspect clamav/amavis because it's in their purview, but nothing in cron really springs out to me as a possible cause for what appear to be weekly scans...
php malware clamav
edited May 23 '17 at 12:40
Community♦
1
asked Mar 13 '17 at 10:37
Shadur
19.2k64357
Related:
https://serverfault.com/questions/748417/something-renames-files-to-filename-ext-suspected
https://stackoverflow.com/questions/32835796/php-file-automatically-renamed-to-php-suspected
I have a customer with a webhosting server that's running linux who is suffering from this problem. It is not a Wordpress site, although he does run Wordpress sites on that same server.
We're both aware of the problem and that some of those files do indeed have malware content - however, there are also some false positives, and they are affecting the site's functioning (by rendering include files unreadable), so he's asking me to track down which part of the installed software is doing this and to put a stop to it.
Trouble is, I'm not 100% sure what is causing the rename and why. I suspect clamav/amavis because it's in their purview, but nothing in cron really springs out to me as a possible cause for what appear to be weekly scans...
php malware clamav
php malware clamav
edited May 23 '17 at 12:40
Community♦
1
asked Mar 13 '17 at 10:37
Shadur
19.2k64357
edited May 23 '17 at 12:40
Community♦
1
asked Mar 13 '17 at 10:37
Shadur
19.2k64357
edited May 23 '17 at 12:40
Community♦
1
edited May 23 '17 at 12:40
Community♦
1
edited May 23 '17 at 12:40
Community♦
1
1
asked Mar 13 '17 at 10:37
Shadur
19.2k64357
asked Mar 13 '17 at 10:37
Shadur
19.2k64357
asked Mar 13 '17 at 10:37
Shadur
19.2k64357
19.2k64357
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
up vote
2
down vote
accepted
Use a file change audit mechanism such as LoggedFS or Linux's audit subsystem. See also How to determine which process is creating a file?, Log every invocation of every SUID program?, Stump the Chump with Auditd 01...
Assuming that the server is running Linux, the audit system looks like the best solution. Log all file renaming operations in the relevant directory tree, e.g. /var/www:
auditctl -a exit,always -S rename -F dir=/var/www
The audit logs are normally in /var/log/audit/audit.log. Here's a sample log from cd /var/www; mv foo bar with the rule above:
type=SYSCALL msg=audit(1489528471.598:669): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd38079c14 a1=7ffd38079c18 a2=20 a3=7ffd38077940 items=4 ppid=5661 pid=5690 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts11 ses=1 comm="mv" exe="/bin/mv" key=(null)
type=CWD msg=audit(1489528471.598:669): cwd="/var/www"
type=PATH msg=audit(1489528471.598:669): item=0 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1489528471.598:669): item=1 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1489528471.598:669): item=2 name="foo" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1489528471.598:669): item=3 name="bar" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
answered Mar 14 '17 at 1:40
Gilles
524k12610471577
I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
– Shadur
Mar 14 '17 at 9:57
@Shadur Works for me (test scenario:touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e./var/log/audit/audit.log(I forgot to mention that in my answer)?
– Gilles
Mar 14 '17 at 21:55
Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
– Shadur
Mar 15 '17 at 12:42
@Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
– Gilles
Mar 15 '17 at 13:18
add a comment |
up vote
0
down vote
I know the question was asked some time ago, but the renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with something:
find <web site root> -name '*.suspected' -print
find <web site root> -name '.*.ico' -print
In the case I have seen, the infected files could be located with the following commands:
cd <web site root>
egrep -Rl '$GLOBALS.*\x'
egrep -Rl -Ezo '/*(w+)*/s*@includes*[^;]+;s*/*'
egrep -Rl -E '^.+($_COOKIE|$_POST).+eval.+$'
I have prepared a longer description of the problem I have seen and how to deal with it at GitHub. I suspect that many variants of this malware have been showing up in the past. The way they infect a web site depends on the CMS used and the vulnerabilities available at the time of the attack. In this case, it was most likely Drupalgeddon2.
answered Nov 27 at 17:31
Javier Elices
1012
add a comment |
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
accepted
Use a file change audit mechanism such as LoggedFS or Linux's audit subsystem. See also How to determine which process is creating a file?, Log every invocation of every SUID program?, Stump the Chump with Auditd 01...
Assuming that the server is running Linux, the audit system looks like the best solution. Log all file renaming operations in the relevant directory tree, e.g. /var/www:
auditctl -a exit,always -S rename -F dir=/var/www
The audit logs are normally in /var/log/audit/audit.log. Here's a sample log from cd /var/www; mv foo bar with the rule above:
type=SYSCALL msg=audit(1489528471.598:669): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd38079c14 a1=7ffd38079c18 a2=20 a3=7ffd38077940 items=4 ppid=5661 pid=5690 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts11 ses=1 comm="mv" exe="/bin/mv" key=(null)
type=CWD msg=audit(1489528471.598:669): cwd="/var/www"
type=PATH msg=audit(1489528471.598:669): item=0 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1489528471.598:669): item=1 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1489528471.598:669): item=2 name="foo" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1489528471.598:669): item=3 name="bar" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
answered Mar 14 '17 at 1:40
Gilles
524k12610471577
I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
– Shadur
Mar 14 '17 at 9:57
@Shadur Works for me (test scenario:touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e./var/log/audit/audit.log(I forgot to mention that in my answer)?
– Gilles
Mar 14 '17 at 21:55
Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
– Shadur
Mar 15 '17 at 12:42
@Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
– Gilles
Mar 15 '17 at 13:18
add a comment |
up vote
2
down vote
accepted
Use a file change audit mechanism such as LoggedFS or Linux's audit subsystem. See also How to determine which process is creating a file?, Log every invocation of every SUID program?, Stump the Chump with Auditd 01...
Assuming that the server is running Linux, the audit system looks like the best solution. Log all file renaming operations in the relevant directory tree, e.g. /var/www:
auditctl -a exit,always -S rename -F dir=/var/www
The audit logs are normally in /var/log/audit/audit.log. Here's a sample log from cd /var/www; mv foo bar with the rule above:
type=SYSCALL msg=audit(1489528471.598:669): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd38079c14 a1=7ffd38079c18 a2=20 a3=7ffd38077940 items=4 ppid=5661 pid=5690 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts11 ses=1 comm="mv" exe="/bin/mv" key=(null)
type=CWD msg=audit(1489528471.598:669): cwd="/var/www"
type=PATH msg=audit(1489528471.598:669): item=0 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1489528471.598:669): item=1 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1489528471.598:669): item=2 name="foo" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1489528471.598:669): item=3 name="bar" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
answered Mar 14 '17 at 1:40
Gilles
524k12610471577
I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
– Shadur
Mar 14 '17 at 9:57
@Shadur Works for me (test scenario:touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e./var/log/audit/audit.log(I forgot to mention that in my answer)?
– Gilles
Mar 14 '17 at 21:55
Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
– Shadur
Mar 15 '17 at 12:42
@Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
– Gilles
Mar 15 '17 at 13:18
add a comment |
up vote
2
down vote
accepted
up vote
2
down vote
accepted
Use a file change audit mechanism such as LoggedFS or Linux's audit subsystem. See also How to determine which process is creating a file?, Log every invocation of every SUID program?, Stump the Chump with Auditd 01...
Assuming that the server is running Linux, the audit system looks like the best solution. Log all file renaming operations in the relevant directory tree, e.g. /var/www:
auditctl -a exit,always -S rename -F dir=/var/www
The audit logs are normally in /var/log/audit/audit.log. Here's a sample log from cd /var/www; mv foo bar with the rule above:
type=SYSCALL msg=audit(1489528471.598:669): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd38079c14 a1=7ffd38079c18 a2=20 a3=7ffd38077940 items=4 ppid=5661 pid=5690 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts11 ses=1 comm="mv" exe="/bin/mv" key=(null)
type=CWD msg=audit(1489528471.598:669): cwd="/var/www"
type=PATH msg=audit(1489528471.598:669): item=0 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1489528471.598:669): item=1 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1489528471.598:669): item=2 name="foo" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1489528471.598:669): item=3 name="bar" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
answered Mar 14 '17 at 1:40
Gilles
524k12610471577
Use a file change audit mechanism such as LoggedFS or Linux's audit subsystem. See also How to determine which process is creating a file?, Log every invocation of every SUID program?, Stump the Chump with Auditd 01...
Assuming that the server is running Linux, the audit system looks like the best solution. Log all file renaming operations in the relevant directory tree, e.g. /var/www:
auditctl -a exit,always -S rename -F dir=/var/www
The audit logs are normally in /var/log/audit/audit.log. Here's a sample log from cd /var/www; mv foo bar with the rule above:
type=SYSCALL msg=audit(1489528471.598:669): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd38079c14 a1=7ffd38079c18 a2=20 a3=7ffd38077940 items=4 ppid=5661 pid=5690 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts11 ses=1 comm="mv" exe="/bin/mv" key=(null)
type=CWD msg=audit(1489528471.598:669): cwd="/var/www"
type=PATH msg=audit(1489528471.598:669): item=0 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1489528471.598:669): item=1 name="/var/www" inode=22151424 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1489528471.598:669): item=2 name="foo" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1489528471.598:669): item=3 name="bar" inode=22152394 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
answered Mar 14 '17 at 1:40
Gilles
524k12610471577
edited Mar 15 '17 at 13:17
answered Mar 14 '17 at 1:40
Gilles
524k12610471577
answered Mar 14 '17 at 1:40
Gilles
524k12610471577
answered Mar 14 '17 at 1:40
Gilles
524k12610471577
524k12610471577
I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
– Shadur
Mar 14 '17 at 9:57
@Shadur Works for me (test scenario:touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e./var/log/audit/audit.log(I forgot to mention that in my answer)?
– Gilles
Mar 14 '17 at 21:55
Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
– Shadur
Mar 15 '17 at 12:42
@Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
– Gilles
Mar 15 '17 at 13:18
add a comment |
I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
– Shadur
Mar 14 '17 at 9:57
@Shadur Works for me (test scenario:touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e./var/log/audit/audit.log(I forgot to mention that in my answer)?
– Gilles
Mar 14 '17 at 21:55
Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
– Shadur
Mar 15 '17 at 12:42
@Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
– Gilles
Mar 15 '17 at 13:18
I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
– Shadur
Mar 14 '17 at 9:57
I ran that command (modified to have arch=x68_64 ) and then created and moved a file, didn't get any log messages about it.
– Shadur
Mar 14 '17 at 9:57
@Shadur Works for me (test scenario:
touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e. /var/log/audit/audit.log (I forgot to mention that in my answer)?– Gilles
Mar 14 '17 at 21:55
@Shadur Works for me (test scenario:
touch /var/www/foo; mv /var/www/foo /var/www/bar). Did you check the proper log file, i.e. /var/log/audit/audit.log (I forgot to mention that in my answer)?– Gilles
Mar 14 '17 at 21:55
Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
– Shadur
Mar 15 '17 at 12:42
Correction. I've gotten audit logging of the event; however, I'm no further toward discovering who made the change or how it was done, as apparently it doesn't record PID/process name and/or UID of the cause...
– Shadur
Mar 15 '17 at 12:42
@Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
– Gilles
Mar 15 '17 at 13:18
@Shadur Uh? The audit logs do contain the PID and the path of the executable. I added a sample log entry to my answer. Do you get something different?
– Gilles
Mar 15 '17 at 13:18
add a comment |
up vote
0
down vote
I know the question was asked some time ago, but the renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with something:
find <web site root> -name '*.suspected' -print
find <web site root> -name '.*.ico' -print
In the case I have seen, the infected files could be located with the following commands:
cd <web site root>
egrep -Rl '$GLOBALS.*\x'
egrep -Rl -Ezo '/*(w+)*/s*@includes*[^;]+;s*/*'
egrep -Rl -E '^.+($_COOKIE|$_POST).+eval.+$'
I have prepared a longer description of the problem I have seen and how to deal with it at GitHub. I suspect that many variants of this malware have been showing up in the past. The way they infect a web site depends on the CMS used and the vulnerabilities available at the time of the attack. In this case, it was most likely Drupalgeddon2.
answered Nov 27 at 17:31
Javier Elices
1012
add a comment |
up vote
0
down vote
I know the question was asked some time ago, but the renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with something:
find <web site root> -name '*.suspected' -print
find <web site root> -name '.*.ico' -print
In the case I have seen, the infected files could be located with the following commands:
cd <web site root>
egrep -Rl '$GLOBALS.*\x'
egrep -Rl -Ezo '/*(w+)*/s*@includes*[^;]+;s*/*'
egrep -Rl -E '^.+($_COOKIE|$_POST).+eval.+$'
I have prepared a longer description of the problem I have seen and how to deal with it at GitHub. I suspect that many variants of this malware have been showing up in the past. The way they infect a web site depends on the CMS used and the vulnerabilities available at the time of the attack. In this case, it was most likely Drupalgeddon2.
answered Nov 27 at 17:31
Javier Elices
1012
add a comment |
up vote
0
down vote
up vote
0
down vote
I know the question was asked some time ago, but the renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with something:
find <web site root> -name '*.suspected' -print
find <web site root> -name '.*.ico' -print
In the case I have seen, the infected files could be located with the following commands:
cd <web site root>
egrep -Rl '$GLOBALS.*\x'
egrep -Rl -Ezo '/*(w+)*/s*@includes*[^;]+;s*/*'
egrep -Rl -E '^.+($_COOKIE|$_POST).+eval.+$'
I have prepared a longer description of the problem I have seen and how to deal with it at GitHub. I suspect that many variants of this malware have been showing up in the past. The way they infect a web site depends on the CMS used and the vulnerabilities available at the time of the attack. In this case, it was most likely Drupalgeddon2.
answered Nov 27 at 17:31
Javier Elices
1012
I know the question was asked some time ago, but the renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with something:
find <web site root> -name '*.suspected' -print
find <web site root> -name '.*.ico' -print
In the case I have seen, the infected files could be located with the following commands:
cd <web site root>
egrep -Rl '$GLOBALS.*\x'
egrep -Rl -Ezo '/*(w+)*/s*@includes*[^;]+;s*/*'
egrep -Rl -E '^.+($_COOKIE|$_POST).+eval.+$'
I have prepared a longer description of the problem I have seen and how to deal with it at GitHub. I suspect that many variants of this malware have been showing up in the past. The way they infect a web site depends on the CMS used and the vulnerabilities available at the time of the attack. In this case, it was most likely Drupalgeddon2.
answered Nov 27 at 17:31
Javier Elices
1012
answered Nov 27 at 17:31
Javier Elices
1012
answered Nov 27 at 17:31
Javier Elices
1012
answered Nov 27 at 17:31
Javier Elices
1012
1012
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f351085%2fsomething-is-renaming-php-files-to-php-suspected-im-trying-to-find-out-what%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
