After a google search or two, I found a research paper where someone spent two years tracking something called Asprox botnet and the paper also referenced the exact same $remote= same ip address, that I found.
Hopefully this is an easy fix.
Problem Description :: Forum Post Assistant (v1.2.8) : 7th March 2017 wrote:found strange php pages in root with remote ip adress
Forum Post Assistant (v1.2.8) : 7th March 2017 wrote:Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.19-Stable (Ember) 6-March-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 9004202 (uid: /gid: ) | Group: 100450 (gid: ) | Valid For: 2.5
Configuration Options :: Offline: 1 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 1 | Cache: 2 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.32-604.30.3.lve1.3.63.el6.nfsfixes.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/chroot/home/content/02/9004202/html | System TMP Writable: Yes
PHP Configuration :: Version: 5.3.24 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 33M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M
MySQL Configuration :: Version: 5.0.96-log (Client:5.5.19) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 1.91 MiB | #of Tables: 83Detailed Environment :: wrote:PHP Extensions :: Core (5.3.24) | date (5.3.24) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | apc (3.1.13) | bcmath () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | imagick (3.1.0RC2) | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | session () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | standard (5.3.24) | pspell () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | Phar (2.0.1) | SimpleXML (0.1) | soap () | SQLite (2.0-dev) | exif (1.4 $Id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: MaybeFolder Permissions :: wrote:Core Folders :: images/ (705) | components/ (705) | modules/ (705) | plugins/ (705) | language/ (705) | templates/ (705) | cache/ (705) | logs/ (705) | tmp/ (705) | administrator/components/ (705) | administrator/modules/ (705) | administrator/language/ (705) | administrator/templates/ (705) |
Elevated Permissions (First 10) ::Extensions Discovered :: wrote:Components :: SITE :: com_mailto (2.5.0) 1 | com_wrapper (2.5.0) 1 |
Components :: ADMIN :: com_admin (2.5.0) 1 | Akeeba (4.7.4) 1 | com_banners (2.5.0) 1 | com_cache (2.5.0) 1 | com_categories (2.5.0) 1 | com_checkin (2.5.0) 1 | com_config (2.5.0) 1 | com_content (2.5.0) 1 | com_cpanel (2.5.0) 1 | com_finder (2.5.0) 1 | com_installer (2.5.0) 1 | com_joomlaupdate (2.5.0) 1 | com_languages (2.5.0) 1 | com_login (2.5.0) 1 | com_media (2.5.0) 1 | com_menus (2.5.0) 1 | com_messages (2.5.0) 1 | com_modules (2.5.0) 1 | com_newsfeeds (2.5.0) 1 | com_plugins (2.5.0) 1 | com_redirect (2.5.0) 1 | com_search (2.5.0) 1 | com_templates (2.5.0) 1 | com_users (2.5.0) 1 | com_weblinks (2.5.0) 1 | Admintools (3.4.4) 1 |
Modules :: SITE :: mod_articles_archive (2.5.0) 1 | mod_articles_categories (2.5.0) 1 | mod_articles_category (2.5.0) 1 | mod_articles_latest (2.5.0) 1 | mod_articles_news (2.5.0) 1 | mod_articles_popular (2.5.0) 1 | mod_banners (2.5.0) 1 | mod_breadcrumbs (2.5.0) 1 | mod_custom (2.5.0) 1 | mod_feed (2.5.0) 1 | mod_finder (2.5.0) 1 | mod_footer (2.5.0) 1 | mod_languages (2.5.0) 1 | mod_login (2.5.0) 1 | mod_menu (2.5.0) 1 | mod_random_image (2.5.0) 1 | mod_related_items (2.5.0) 1 | mod_search (2.5.0) 1 | mod_stats (2.5.0) 1 | mod_syndicate (2.5.0) 1 | mod_users_latest (2.5.0) 1 | mod_weblinks (2.5.0) 1 | mod_whosonline (2.5.0) 1 | mod_wrapper (2.5.0) 1 |
Modules :: ADMIN :: mod_custom (2.5.0) 1 | mod_feed (2.5.0) 1 | mod_latest (2.5.0) 1 | mod_logged (2.5.0) 1 | mod_login (2.5.0) 1 | mod_menu (2.5.0) 1 | mod_multilangstatus (2.5.0) 1 | mod_popular (2.5.0) 1 | mod_quickicon (2.5.0) 1 | mod_status (2.5.0) 1 | mod_submenu (2.5.0) 1 | mod_title (2.5.0) 1 | mod_toolbar (2.5.0) 1 | mod_version (2.5.0) 1 |
Plugins :: SITE :: plg_authentication_gmail (2.5.0) 0 | plg_authentication_joomla (2.5.0) 1 | plg_authentication_ldap (2.5.0) 0 | plg_captcha_recaptcha (2.5.0) 1 | plg_content_emailcloak (2.5.0) 1 | plg_content_finder (2.5.0) 0 | plg_content_geshi (2.5.0) 0 | plg_content_joomla (2.5.0) 1 | plg_content_loadmodule (2.5.0) 1 | plg_content_pagebreak (2.5.0) 1 | plg_content_pagenavigation (2.5.0) 1 | plg_content_vote (2.5.0) 1 | plg_editors-xtd_article (2.5.0) 1 | plg_editors-xtd_image (2.5.0) 1 | plg_editors-xtd_pagebreak (2.5.0) 1 | plg_editors-xtd_readmore (2.5.0) 1 | plg_editors_codemirror (1.0) 1 | plg_editors_tinymce (3.5.4.1) 1 | plg_extension_joomla (2.5.0) 1 | plg_finder_categories (2.5.0) 1 | plg_finder_contacts (2.5.0) 1 | plg_finder_content (2.5.0) 1 | plg_finder_newsfeeds (2.5.0) 1 | plg_finder_weblinks (2.5.0) 1 | PLG_JMONITORING_AKEEBABACKUP_T (1.0) 1 | plg_quickicon_extensionupdate (2.5.0) 1 | plg_quickicon_joomlaupdate (2.5.0) 1 | plg_quickicon_akeebabackup (1.0) 1 | plg_search_categories (2.5.0) 1 | plg_search_contacts (2.5.0) 1 | plg_search_content (2.5.0) 1 | plg_search_newsfeeds (2.5.0) 1 | plg_search_weblinks (2.5.0) 1 | plg_system_cache (2.5.0) 0 | plg_system_debug (2.5.0) 1 | plg_system_highlight (2.5.0) 1 | plg_system_languagecode (2.5.0) 0 | plg_system_languagefilter (2.5.0) 0 | plg_system_log (2.5.0) 1 | plg_system_logout (2.5.0) 1 | plg_system_p3p (2.5.0) 1 | plg_system_redirect (2.5.0) 1 | plg_system_remember (2.5.0) 1 | plg_system_sef (2.5.0) 1 | Security - jHackGuard (1.4.2) 1 | System - Admin Tools (3.4.4) 1 | PLG_SYSTEM_BACKUPONUPDATE_TITL (3.7) 1 | plg_user_contactcreator (2.5.0) 0 | plg_user_joomla (2.5.0) 1 | plg_user_profile (2.5.0) 0 |
Templates Discovered :: wrote:Templates :: SITE :: atomic (2.5.0) 1 | beez5 (2.5.0) 1 | beez_20 (2.5.0) 1 | TR_Neutrino (v1.1) 1 |
Templates :: ADMIN :: bluestork (2.5.0)