Strange text file URLs including ~ in awstats download section

I have just noticed in one of my websites I have some strange URLs in the download section; they are all of this format:

http://website.co.uk/~bakeries/media/editors/hlb.com.my/login.do_files/android.txt

I have checked the server and cannot see any strange files, and it is a shared host.

Any ideas what it means and what to do next?

Rubble,

Have you checked the content of your website for hacker code? IMHO, you need to do that ASAP!

Regards,

DK

Thank you, dklynn. I will have another look later; as I say, I could not see anything wrong last night.
There were only 4 downloads of each file and they were in last month’s awstats.

Rubble,

The reason I recommended that you LOOK at the code of the “funny” requests is that they likely contain JavaScript code which downloads nefarious code to run on your site (as YOU!). There are other threads here which go through the number of steps which you must then go through to clean up your website and keep the hackers off.

Regards,

DK

As an initial step, you could check if Google has detected anything untoward on your site at the following link:
google.com/safebrowsing/diagnostic?site=yourwebsite.com

After a bit of a delay I cannot find a problem - all the files look OK and there are no strange files except one left by the hosts when they were doing a test in May!
The hosts also seem happy there is not a problem and I do not know what happened.
I have searched for variations of the link and cannot find anything useful.

Your Google link did not report anything, 2ndmouse, and so I will just keep a close watch on the site.

Rubble,

There is an older thread here which got me to create my own hash of validated files and use a CRON job every day to compare the online version’s hash with the stored hash. If you’re paranoid (as you should be, IMHO), it’s worth doing something like this for peace of mind.

Regards,

DK

> There is an older thread here which got me to create my own hash of validated files and use a CRON job every day to compare the online version’s hash with the stored hash. If you’re paranoid (as you should be, IMHO), it’s worth doing something like this for peace of mind.

That is interesting and I will look for the thread. I also use a VPS and that must do as you say as I get emails from it every now and again when either files are updated by control panel or files capable of sending emails are uploaded.

Rubble,

I’d created my own script (it e-mails me either a no change or informs me which files have been added, altered or deleted).

I’m pleasantly surprised that your VPS will do that automatically (upon change or with a mailto: directive). If you can determine the name of the host’s script, that would be well worth posting here.

Regards,

DK
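
The daily check described in the two posts above (a stored hash of validated files, compared by a cron job that reports either no change or the files added, altered or deleted) could look like this. It is an added example, not DK's script or code from the thread; SHA-256, the function names and the sample file names are assumptions.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return digests

def compare(baseline, current):
    """Classify what differs between the stored baseline and the live tree."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "altered": sorted(p for p in common if baseline[p] != current[p]),
        "deleted": sorted(baseline.keys() - current.keys()),
    }

def report(diff):
    """Body of the daily mail: 'no change' or one line per affected file."""
    lines = [f"{kind}: {path}" for kind, paths in diff.items() for path in paths]
    return "\n".join(lines) or "no change"

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample site: baseline it, re-check, change it, re-check."""
    with tempfile.TemporaryDirectory() as site:
        for rel in ("index.php", "contact.php", "media/logo.txt"):
            write(site, rel, rel.encode())
        baseline = hash_tree(site)  # a cron job would store this outside the web root
        clean = report(compare(baseline, hash_tree(site)))
        write(site, "index.php", b"modified")                      # altered
        write(site, "media/editors/android.txt", b"unexpected")    # added
        os.remove(os.path.join(site, "contact.php"))               # deleted
        return clean, compare(baseline, hash_tree(site))

if __name__ == "__main__":
    print(demo())
```

Rebuild the baseline only after you have validated the files yourself, and keep it where the web server account cannot write to it.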

This is an example of the email I receive:

Time: Fri Sep 21 19:38:20 2012 +0100

The following list of files have FAILED the md5sum comparision test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/sbin/csf: FAILED
/usr/sbin/lfd: FAILED

I have a feeling this may be the software: http://www.configserver.com/cp/csf.html

Edit the Directory File Watching file (csf.dirwatch) - all listed files and directories will be watched for changes by lfd

I do not currently have any files in the list - I wonder if it is using something from cpanel. When I get a bit of time I will add a file and see what happens. May need to find more info of what is what first.

Thank you for posting that link - I’ll have to look at it in the morning.

Regards,

DK