xisto Community
shadowx

Strange Folders In My Web Root Folder. Security Breach?

Updating my site and looking through the logs, my eye caught a visit to a page called "klux.php". I viewed the file, which was in a subfolder under "iqici", and as I suspected it was full of references to the KKK. Needless to say, this isn't something I want on my website.

So I looked at the folder and saw a few strange files as well as the folder where the klux.php file is; looking in there, it's just a huge alphabetical list of .php pages with usually innocuous names. What the hell is this?

The logs state that various bots have crawled the pages, but I really want to know how they got there and who from.

My password is secure and the only machine I have it saved on is a Linux laptop that sits behind a NAT-enabled router with 3 other Windows boxes, all of which are clean of malware (as far as I know). I have logged in at work; however, we have Sophos AV and a router-based firewall, and I am a network admin, so I know it isn't being sniffed by anyone else deliberately (it's a school, these kids don't have the knowledge to sniff an entire network). So how did it get there?

I hope some other hosted members can check their own accounts for folders in the web root (the WWW folder or public_html) for the folder iqici and let me know if it is there. If this is a folder put in by xisto I will be very, very annoyed.

I have placed the folder in my deleted items bin so it is not accessible, and I am about to change my password to make sure that is not the cause.

Wow, that is really weird. I hope it wasn't put there by Xisto. I tried searching for something about it, and no related articles come up. I would make sure someone is not hacking into your website, or you don't have malicious programs on your computer, because if that was accessible to the public, it would have made your website look really bad. It would be tough to explain *that* one.

Yeah, KK Klan as they like to call themselves. They are nothing but script kiddies in that group. Don't worry. Make sure you put in advanced security onto any admin/index.php file you have mate. If you'd like me to code a script that allows only you to get in, PM me.

That all sounds pretty creepy. I hate racists a lot. I guess you could say I'm racist against racists. :) Anyways, as Sky said, you shouldn't really have any major problems. It's still really weird. Why even take the time to do something like that?

Interesting.... My scripts are secure. The only PHP login stuff I have is for my gallery. I use a dynamic index.php?module=home type system, but it doesn't include files straight from the URL; it looks at the variable, then uses a switch case statement to assign a second variable which is the name of the file to include. If it doesn't match a known file it will include the default, so that is secure.

The gallery isn't made by me but seems to be secure.

My PC should be clean as it is Linux and behind NAT, so that shouldn't be the weakness, and my password was a combo of two completely unrelated words (technically one is a name) separated by 2 numbers, so that should be strong.

Can any mods shed any light on this?

Ohh, this is not good and this is definitely not from xisto. I suggest immediately sending a support ticket to xisto from Xisto - Support.com.

Please give the following details:

1. Cpanel username and password
2. Domain Name

We will check the server for any possibility of infection.

Thanks,
Shree

Wow... my guess is that you had a vulnerability and someone took advantage of it,
OR someone somehow got your password when you used the school computer. Sure, they're kids, but some are smart!

The logs state that various bots have crawled the pages but i really want to know how they got there and who from.

What do you mean? Search engine bots? Those are normal for various search engines to index your pages and are harmless.

Basically, what you need to do when you have a website is try to hack it yourself. I mean really try to gain access to it without actually using a password; this helps you find vulnerabilities and fix them.

Updating my site and looking through the logs my eye caught a visit to a page called "klux.php" i viewed the file which was in a subfolder under "iqici" and as i suspected it was full of references to the KKK.
So i looked at the folder and saw a few strange files as well as the folder where the klux.php file is, looking in there its just a huge alphabetical list of .php pages with usually innocuous names.

Hmm, I think that happened to me too, but I can't remember. I can't remember which folder, so I can't say if it was chmodded to 0777 or not. I passed it off as nothing to worry about, though.

Checking my logs now, the folder was named "dwyhj." The only way I can think of someone being able to create files (even if they are blank ones) is by sharing permissions (but I'm no expert in this).

@ OpaQue: It can't be an infection on the server, otherwise everyone would have it in their directory. And I have tried using the Virus Scanner thing from cPanel and nothing was found.

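An added example, not written by any poster in this thread: a small audit of a web root for the signs discussed above, namely a top-level folder the site owner did not create, 0777-style permissions, and a large pile of .php files. The function name `audit_webroot`, the `known_dirs` baseline, the threshold and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_webroot(root, known_dirs, php_threshold=20):
    """Return {dirname: [reasons]} for top-level directories worth reviewing."""
    findings = {}
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        reasons = []
        # known_dirs is the owner's own list of folders that should exist.
        if entry.name not in known_dirs:
            reasons.append("not in baseline")
        # World-writable (the last 7 in 0777): anyone on the host may write here.
        if entry.stat(follow_symlinks=False).st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        # Count .php files anywhere beneath the directory.
        php_count = sum(
            name.lower().endswith(".php")
            for _, _, files in os.walk(entry.path)
            for name in files
        )
        if php_count >= php_threshold:
            reasons.append(f"{php_count} .php files")
        if reasons:
            findings[entry.name] = reasons
    return findings

def build_sample_tree():
    """Constructed sample web root: one expected folder, one unexpected."""
    root = tempfile.mkdtemp(prefix="webroot_")
    gallery = os.path.join(root, "gallery")
    os.makedirs(gallery)
    os.chmod(gallery, 0o755)
    open(os.path.join(gallery, "index.php"), "w").close()
    odd = os.path.join(root, "iqici", "pages")
    os.makedirs(odd)
    for i in range(25):
        open(os.path.join(odd, f"page{i:02d}.php"), "w").close()
    os.chmod(os.path.join(root, "iqici"), 0o777)
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    for name, reasons in audit_webroot(sample, {"gallery"}).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against a real account, `root` would be the public_html or www folder and `known_dirs` the folders the owner deployed; anything flagged is a prompt to check file timestamps and access logs, not proof of compromise.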
