Hacked malwar, files appears in web folders

Discussion in 'General' started by romain33, Oct 8, 2009.

  1. romain33

    romain33 New Member

    Hi and thanks for your help

    I have an ispconfig panel (2.2.18) on a debian each server

    Sometimes (all 2 or 3 months), web files appear in some web directories. Usually 3 files by web directory.

    for exemple :
    /error/z/static.php
    /error/z/sync.php
    /error/z/backup.php

    this files can appears in any other directory of the website directory. For exemple :
    for exemple :
    /pics/static.php
    /pics/sync.php
    /pics/backup.php


    this files have apache like owner.(www-data)
    As you can see in the log below, very special websites try to connect on theses scripts....
    [08/Oct/2009:00:05:00 +0200] "GET /error/z/static.php HTTP/1.1" 404 - "http://www.sexytravesti.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
    [08/Oct/2009:00:10:25 +0200] "POST /error/z/sync.php HTTP/1.0" 200 23 "-" "-"

    When one of my website is infected by this kind of files google say me than the concerned website is a virus and malware source. Everythings become ok when i delete this files...

    Would you know where this files come from? Why do they appear occasionally on my web server? What is the source?

    Thanks for reading me and sorry for my bad english..
     
  2. till

    till Super Moderator

    Most likely you have a vulnerable script or cms system installed in these websites. Please update the cms systems that you have installed in these websites incl. all their plugins. A common reason is e.g. a outdated joomla install.
     

Share This Page