  1. #1
    SitePoint Mentor silver trophy
    Rubble's Avatar
    Join Date
    Dec 2005
    Location
    Cambridge, England
    Posts
    2,412
    Mentioned
    81 Post(s)
    Tagged
    3 Thread(s)

    Strange text file urls including ~ in awstats download section

    I have just noticed in one of my websites I have some strange URLs in the download section; they are all of this format:
    Code:
    http://website.co.uk/~bakeries/media/editors/hlb.com.my/login.do_files/android.txt
    I have checked the server and can not see any strange files and it is a shared host.

    Any ideas what it means and what to do next?

  2. #2
    Certified Ethical Hacker silver trophybronze trophy dklynn's Avatar
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,656
    Mentioned
    19 Post(s)
    Tagged
    3 Thread(s)
    Rubble,

    Have you checked the content of your website for hacker code? IMHO, you need to do that ASAP!

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  3. #3
    Rubble

    Thank you dklynn, I will have another look later; as I say I could not see anything wrong last night.
    There were only 4 downloads of each file and they were in last month's awstats.

  4. #4
    dklynn

    Rubble,

    The reason I recommended that you LOOK at the code of the "funny" requests is that they likely contain JavaScript code which downloads nefarious code to run on your site (as YOU!). There are other threads here which go through the number of steps which you must then go through to clean up your website and keep the hackers off.

    Regards,

    DK

  5. #5
    SitePoint Zealot 2ndmouse's Avatar
    Join Date
    Jan 2007
    Location
    West London
    Posts
    196
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    As an initial step, you could check if Google has detected anything untoward on your site at the following link:
    google.com/safebrowsing/diagnostic?site=yourwebsite.com
    Detect file changes remotely. SimpleSiteAudit is an early
    warning anti-hacker system which sends an alert on detection.

    PHP Find Orphan Files - Finds all the unreferenced files on your site.

  6. #6
    Rubble

    After a bit of a delay I can not find a problem - all the files look OK and there are no strange files except one left by the hosts when they were doing a test in May!
    The hosts also seem happy there is not a problem and I do not know what happened.
    I have searched for variations of the link and can not find anything useful.

    Your Google link did not report anything 2ndmouse and so I will just keep a close watch on the site.

  7. #7
    dklynn

    Rubble,

    There is an older thread here which got me to create my own hash of validated files and use a CRON job every day to compare the online version's hash with the stored hash. If you're paranoid (as you should be, IMHO), it's worth doing something like this for peace of mind.

    Regards,

    DK

  8. #8
    Rubble

    Quote (dklynn):
        There is an older thread here which got me to create my own hash of validated files and use a CRON job every day to compare the online version's hash with the stored hash. If you're paranoid (as you should be, IMHO), it's worth doing something like this for peace of mind.

    That is interesting and I will look for the thread. I also use a VPS and that must do as you say as I get emails from it every now and again when either files are updated by control panel or files capable of sending emails are uploaded.

  9. #9
    dklynn

    Rubble,

    I'd created my own script (it e-mails me either a no change or informs which files have been added, altered or deleted).

    I'm pleasantly surprised that your VPS will do that automatically (upon change or with a mailto: directive). If you can determine the name of the host's script, that would be well worth posting here.

    Regards,

    DK

  10. #10
    Rubble

    This is an example of the email I receive:
    Time: Fri Sep 21 19:38:20 2012 +0100

    The following list of files have FAILED the md5sum comparision test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

    /usr/sbin/csf: FAILED
    /usr/sbin/lfd: FAILED
    I have a feeling this may be the software: http://www.configserver.com/cp/csf.html

    Edit the Directory File Watching file (csf.dirwatch) - all listed files and directories will be watched for changes by lfd
    I do not currently have any files in the list - I wonder if it is using something from cpanel. When I get a bit of time I will add a file and see what happens. May need to find more info of what is what first.
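
The hash-baseline check described in posts #7 and #9 (store hashes of validated files, re-hash on a schedule, report what was added, altered or deleted) can be sketched as below. This is an added example, not dklynn's script or the lfd code; the function names and the sample file tree are constructed for illustration, and SHA-256 is used here in place of the md5sum named in the email above.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(baseline, current):
    """Classify differences between the stored manifest and a fresh one."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "altered": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
        "deleted": sorted(set(baseline) - set(current)),
    }

def report(diff):
    """Body of the daily mail: 'No change' or one line per affected file."""
    if not any(diff.values()):
        return "No change"
    return "\n".join(f"{kind.upper()}: {path}"
                     for kind, paths in diff.items() for path in paths)

def demo():
    """Constructed sample site: baseline it, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_bytes(b"<?php echo 'home';")
        (root / "style.css").write_bytes(b"body{}")
        baseline = build_manifest(root)            # taken while files are known-good
        (root / "index.php").write_bytes(b"<?php echo 'home'; /* altered */")
        (root / "style.css").unlink()
        dropped = root / "media" / "editors" / "android.txt"  # constructed path
        dropped.parent.mkdir(parents=True)
        dropped.write_bytes(b"unexpected upload")
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(report(demo()))
```

For a real site the baseline manifest would be saved (for example as JSON) somewhere outside the web root, so that anyone able to write to the site cannot also rewrite the stored hashes.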

  11. #11
    dklynn

    Thank you for posting that link - I'll have to look at it in the morning.

    Regards,

    DK