Scenario
During our regular monitoring, we discovered that a domain hosted on a client’s server was compromised. Attackers created a deep, hidden directory within the site’s file structure to host a fraudulent financial login page. This infrastructure hijacking was used to deploy a phishing kit targeting financial services. By nesting this malicious page within a client’s existing, trusted domain, the attackers aimed to make the fake portal appear legitimate to victims and bypass standard security filters.
Technical Analysis: How was the environment exploited?
The client’s server hosts multiple sites. Our investigation revealed that attackers gained unauthorized access to one specific domain’s underlying file system via File Transfer Protocol (FTP), a standard network protocol used for the transfer of computer files between a client and server.
By extracting and analyzing the FTP login sessions, we correlated their timestamps with the creation of unauthorized files within that domain's web root directory.
Once authenticated, the attacker uploaded the financial phishing kit. To evade detection by the client’s web administrators, the attacker utilized directory obfuscation, creating an intentionally complex and deep path of subdirectories.
Furthermore, the attacker deployed obfuscated PHP scripts and backdoors. These files allow the attacker to maintain persistent, undetected access to the client’s specific domain even if the initially compromised FTP password is changed.
IOC (Indicators of Compromise)
The following artifacts were identified during the investigation:
- Malicious Directory Path: /home/[domain]/public_html/hanaey
- Active Phishing URL: https://[domain]/hanaey/data_verificion/[Target_Financial_Institution]/ServiceSecure/italy/Verification/ing‑it/ing‑it/client/login.php
- Suspicious Backdoor Files:
  - bypassserv.php
  - sbz_.php
  - send_.php
  - sub_*.php
- Malicious IP Addresses (FTP Uploaders): Multiple unauthorized IP addresses were identified and logged during the FTP session analysis.
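The following script is an added example, not part of the original report: it performs the kind of FTP session correlation described in the Technical Analysis over xferlog-style transfer records, flagging uploads under public_html whose filename matches the backdoor names listed above or whose directory nesting is unusually deep. The log lines are constructed sample data, and the nesting threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed xferlog-style FTP records (sample data, not from the report); fields are
# timestamp, xfer-secs, remote-host, bytes, path, type, flag, direction (i=upload), ...
FTP_LOG = """\
Tue Mar 12 02:14:07 2024 1 203.0.113.45 812 /home/example.com/public_html/hanaey/sbz_.php b _ i r ftpuser ftp 0 * c
Tue Mar 12 02:14:09 2024 2 203.0.113.45 9120 /home/example.com/public_html/hanaey/kit/bank/ServiceSecure/client/login.php b _ i r ftpuser ftp 0 * c
Tue Mar 12 02:15:31 2024 1 203.0.113.45 640 /home/example.com/public_html/hanaey/sub_mailer.php b _ i r ftpuser ftp 0 * c
Tue Mar 12 09:30:00 2024 1 198.51.100.7 2048 /home/example.com/public_html/index.html b _ i r ftpuser ftp 0 * c
Tue Mar 12 09:30:02 2024 1 198.51.100.7 5130 /home/example.com/public_html/css/site.css b _ o r ftpuser ftp 0 * c
"""
# Filename patterns come from the IOC list; the nesting threshold is an assumed tuning value.
BACKDOOR_NAMES = re.compile(r"^(bypassserv|sbz_|send_|sub_.*)\.php$")
MAX_DEPTH_BELOW_WEBROOT = 3
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \d+ (?P<host>\S+) \d+ (?P<path>\S+) \S \S (?P<dir>[io])"
)

def parse_xferlog(text):
    """Yield (timestamp, remote_host, path, direction) for each parsable record."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
            yield ts, m["host"], m["path"], m["dir"]

def classify(path):
    """Return the reasons an uploaded path matches the phishing-kit/backdoor pattern."""
    if "/public_html/" not in path:
        return []  # only files under a web root can be served to victims
    parts = path.split("/public_html/", 1)[1].split("/")
    reasons = []
    if BACKDOOR_NAMES.match(parts[-1]):
        reasons.append("known backdoor filename")
    if len(parts) - 1 > MAX_DEPTH_BELOW_WEBROOT:
        reasons.append(f"deep directory nesting ({len(parts) - 1} levels)")
    return reasons

def suspicious_uploads_by_host(text):
    """Map each remote host to its flagged uploads as (timestamp, path, reasons)."""
    hits = defaultdict(list)
    for ts, host, path, direction in parse_xferlog(text):
        if direction == "i":  # incoming transfers only; downloads are not uploads
            reasons = classify(path)
            if reasons:
                hits[host].append((ts, path, reasons))
    return dict(hits)
```

The per-host grouping gives the list of uploader addresses and the exact upload times to match against the file creation timestamps on disk.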
Remediation
To contain the threat and restore secure operations for the client, the following actions were immediately executed:
- Forensic Backup: Created a full backup of the entire compromised public_html directory. This was isolated into a tar archive for safe, offline analysis.
- Environment Recreation: Removed the current virtual host for the domain and re-provisioned it entirely from scratch. This ensures all hidden backdoors and unauthorized modifications are completely eradicated.
- Service Verification: Conducted system checks to verify that backend services on the broader server infrastructure, including Oracle APEX (via ORDS) and the Oracle Database, remained uncompromised and are functioning normally.
- Ongoing Investigation: The archived public_html.tar.gz backup will be downloaded into a secure sandbox to strictly validate its contents, analyze the malicious PHP scripts, and confirm which original files remain legitimate.
Conclusion
This incident highlights the critical importance of monitoring and securing all server access vectors, including administrative protocols like FTP, regardless of the primary application hosted on the server. By quickly identifying the malicious redirects and directory obfuscation, isolating the compromised files, and entirely rebuilding the client’s affected environment, we were able to neutralize the threat, remove the attacker’s persistent backdoors, and secure the domain against further unauthorized activity.
