Hacked malwar, files appears in web folders

[romain33]

Hi and thanks for your help

I have an ispconfig panel (2.2.18) on a debian each server

Sometimes (all 2 or 3 months), web files appear in some web directories. Usually 3 files by web directory.

for exemple :
/error/z/static.php
/error/z/sync.php
/error/z/backup.php

this files can appears in any other directory of the website directory. For exemple :
for exemple :
/pics/static.php
/pics/sync.php
/pics/backup.php


this files have apache like owner.(www-data)
As you can see in the log below, very special websites try to connect on theses scripts....
[08/Oct/2009:00:05:00 +0200] "GET /error/z/static.php HTTP/1.1" 404 - "http://www.sexytravesti.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
[08/Oct/2009:00:10:25 +0200] "POST /error/z/sync.php HTTP/1.0" 200 23 "-" "-"

When one of my website is infected by this kind of files google say me than the concerned website is a virus and malware source. Everythings become ok when i delete this files...

Would you know where this files come from? Why do they appear occasionally on my web server? What is the source?

Thanks for reading me and sorry for my bad english..

[till]

Most likely you have a vulnerable script or cms system installed in these websites. Please update the cms systems that you have installed in these websites incl. all their plugins. A common reason is e.g. a outdated joomla install.