Many things about this are not good
Final update: I knew it… Here is the email I just got a few minutes ago from my hosting service:
Nope, don’t need them, as I know exactly what they are: they are randomly named directories, most likely containing at least a file named w.txt, and were uploaded from a machine in China, directly via FTP to your site (and probably dated Oct 24 and Oct 26). As you might imagine, all of this does not mean that I’m psychic: it means your password was cracked, and you need to change it ASAP. We’ve been going through the logs finding the people affected, as it looks like someone just ran a massive user/password combo dictionary type attack on various machines, and either got in that way, or logged in directly via the use of an FTP password sniffer (which would mean a client side machine somewhere is infected with a trojan - usually the result of an outdated copy of the adobe acrobat reader that has been exploited). Removing the files is fine and exactly what you should have done; we’ve already added the IP we captured to the network wide deny list. This doesn’t mean that someone won’t try again, only that the one host we found in common can no longer access anything here. Too bad for them.
So, two things: make sure the apps you have installed locally on your machine are up to date, particularly acrobat reader and filezilla, if you use it, and number two, change your password from that option in the control panel.
I’m putting this up here for anyone else on Hosting Matters, or heck, any other hosting service—check your server file system! Because I also had that w.txt file they were talking about in there. I’m putting the rest of the entry under the break and deleting the code as well.
Update: I decided to remove the folders and their contents. The tech support people still haven’t contacted me and I don’t know what the files were for or what they could be doing. I copied them to my hard drive (I don’t have php installed on my home computer so they shouldn’t be harmful) in case they ever get around to contacting me and want to see the files.
I opened my ftp program today, preparatory to the start of my site move, and what did I find? Three folders with weird names with php scripts containing ominous commands like “get user” in them. I turned off permissions to all three folders and fired off an email to my hosting provider, and checked my old blog installs to see if mischief was afoot. So far nothing else has turned up, but who knows what’s going on?
(code removed)
Fucking China. This is the thanks we get for buying their cheap crap at Walmart?
OK, it’s been three and a half hours and no feedback. I’m a little miffed.
Posted by (JavaScript must be enabled to view this email address) on 10/29 at 02:20 PM

Sorry, but I’m not a PHP guru so I can’t tell if this is a legitimate script or a trojan. But I’d trust your instincts given how much work with these you’ve done.
Posted by (JavaScript must be enabled to view this email address) on 10/29 at 03:59 PM

Looks like an exploit to me.
I found some crap like that at my own place, two directory levels below the places where I’m usually moving stuff. I duly excised it.
Posted by CGHill on 10/29 at 07:58 PM

Yeah, I think so too. I’ve also been getting spam comments that are gobbledygook too. And I’ve noticed a lot of server slowdowns lately—I don’t know if the two are related.
Posted by (JavaScript must be enabled to view this email address) on 10/29 at 08:26 PM

I didn’t get a good look at the code, but based on a brief glance it looked like a shrouded bot thing. That is, they installed a PHP script on your host, which they then use to attack other hosts. When those attacks get traced back, you’re left in the lurch. Plus, it lets them get around the kind of IP banning your webhost set up.
Posted by Annoying Old Guy on 10/29 at 09:19 PM

Yeah, that’s what it sounds like. Anyway, I’ve deleted the files from my server and from my hard drive (where I had saved them in case anyone wanted to examine them). I also emptied my recycle bin. And I changed my password. And so on.
Posted by (JavaScript must be enabled to view this email address) on 10/29 at 09:25 PM

Hi,
I also found exactly the same files, with different names, on one of my sites. The good thing: I had an htaccess rule to deny all requests, as the site is under development, so it somehow managed to get onto my server, but didn’t manage to execute itself. So no w.txt for me.

I’m not sure, but did it alter any of your php files to inject any JS or other code in them?
I have also sent an email to my host to take a look at these files.
I will post updates if I get some more useful info on this.
// chall3ng3r //
Posted by chall3ng3r on 10/30 at 01:47 AM

So far I don’t think any weird code has been put in any of my other files but I’ll keep checking.
Posted by (JavaScript must be enabled to view this email address) on 10/30 at 08:39 AM
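
An added example, not from the post, the host's e-mail or any commenter: one way to run the file-system check the post urges is to walk the web root and report directories you did not create that hold PHP files or the w.txt file the host names. The function names, the known-directory list and the sample tree are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path

MARKER = "w.txt"  # file name given in the host's e-mail


def scan_webroot(webroot, expected_dirs=(), since=0.0):
    """Flag directories you did not create that hold PHP files or w.txt.

    expected_dirs: relative paths (POSIX style) of directories you know.
    since: only report directories with such a file modified at or after
    this Unix timestamp (0.0 reports everything).
    """
    root = Path(webroot)
    expected = set(expected_dirs)
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root).as_posix()
        if rel == "." or rel in expected:
            continue  # known directory: not reported, but still descended into
        php = sorted(f for f in filenames if f.lower().endswith(".php"))
        has_marker = MARKER in filenames
        hits = php + ([MARKER] if has_marker else [])
        if not hits:
            continue
        newest = max(os.path.getmtime(os.path.join(dirpath, f)) for f in hits)
        if newest >= since:
            findings.append({"dir": rel, "php": php, "marker": has_marker,
                             "newest_mtime": newest})
    return sorted(findings, key=lambda f: f["dir"])


def demo():
    """Scan a constructed tree; every name below is made up for the demo."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("blog/index.php", "blog/images/qzx7kd/a.php",
                    "blog/images/qzx7kd/w.txt", "hvt3mw/b.php",
                    "photos/cat.jpg"):
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("constructed sample\n")
        return scan_webroot(tmp, expected_dirs={"blog", "blog/images"})


if __name__ == "__main__":
    for f in demo():
        state = "w.txt present" if f["marker"] else "no w.txt"
        print(f"{f['dir']}: {', '.join(f['php'])} ({state})")
```

Known directories are still searched, so an unfamiliar folder nested a couple of levels down, as one commenter describes, is reported as well.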