Strange Folders In My Web Root Folder. Security Breach?
Started by shadowx, Jan 22 2010 04:22 PM
9 replies to this topic
#1
Posted 22 January 2010 - 04:22 PM
Updating my site and looking through the logs, my eye caught a visit to a page called "klux.php". I viewed the file, which was in a subfolder under "iqici", and as I suspected it was full of references to the KKK.
Needless to say this isn't something I want on my website.
So I looked at the folder and saw a few strange files as well as the folder where the klux.php file is; looking in there, it's just a huge alphabetical list of .php pages with usually innocuous names.
What the hell is this?
The logs state that various bots have crawled the pages, but I really want to know how they got there and who from.
My password is secure and the only machine I have it saved on is a Linux laptop that sits behind a NAT-enabled router with 3 other Windows boxes, all of which are clean of malware (as far as I know).
I have logged in at work; however, we have Sophos AV and a router-based firewall and I am a network admin, so I know it isn't being sniffed by anyone else deliberately (it's a school, these kids don't have the knowledge to sniff an entire network), so how did it get there?
I hope some other hosted members can check their own accounts for folders in the web root (the WWW folder or public_html) for the folder iqici and let me know if it is there.
If this is a folder put in by Xisto I will be very, very annoyed.
I have placed the folder in my deleted items bin so it is not accessible, and I am about to change my password to make sure that is not the cause.
#2
Posted 22 January 2010 - 04:45 PM
Wow, that is really weird. I hope it wasn't put there by Xisto. I tried searching for something about it, and no related articles come up. I would make sure someone is not hacking into your website, or that you don't have malicious programs on your computer, because if that was accessible to the public, it would have made your website look really bad. It would be tough to explain *that* one.
#4
Posted 22 January 2010 - 05:11 PM
Yeah, KK Klan as they like to call themselves. They are nothing but script kiddies in that group. Don't worry. Make sure you put advanced security onto any admin/index.php file you have, mate. If you'd like me to code a script that allows only you to get in, PM me.
#6
Posted 22 January 2010 - 10:19 PM
Interesting....
My scripts are secure; the only PHP login stuff I have is for my gallery. I use a dynamic index.php?module=home type system, but it doesn't include files straight from the URL: it looks at the variable, then uses a switch-case statement to assign a second variable which is the name of the file to include; if it doesn't match a known file it will include the default, so that is secure.
The gallery isn't made by me but seems to be secure.
My PC should be clean as it is Linux and behind NAT, so that shouldn't be the weakness, and my password was a combo of two completely unrelated words (technically one is a name) separated by 2 numbers, so that should be strong.
Can any mods shed any light on this?
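The dispatcher pattern described in the post above, written out as an added example (this is not shadowx's code, nor the gallery's): the unsafe version that builds an include path from the URL, followed by the switch-based whitelist the post describes and an equivalent lookup-table form. Module names, file names and the modules/ directory are assumptions.

```php
<?php
// Added example: the "index.php?module=home" dispatcher, shown first the unsafe
// way and then with the whitelist the post describes. Module names, file paths
// and the directory layout are assumptions, not the original site's code.

declare(strict_types=1);

// UNSAFE: the request parameter becomes part of the include path. A fixed
// prefix and ".php" suffix do not help: "../" walks out of modules/, and on
// old PHP releases a "%00" in the parameter truncated the path so the suffix
// never applied. Example requests against this function (constructed):
//   index.php?module=../../uploads/avatar.jpg   (uploaded file containing PHP)
//   index.php?module=../../../../etc/passwd%00  (older PHP, null-byte truncation)
function unsafe_include(string $module): void
{
    include 'modules/' . $module . '.php';
}

// SAFE: the request parameter is only compared, never concatenated. Whatever
// the user sends, the value that reaches include() is one of these literals.
function resolve_module(string $module): string
{
    switch ($module) {
        case 'home':    return 'modules/home.php';
        case 'about':   return 'modules/about.php';
        case 'gallery': return 'modules/gallery.php';
        case 'contact': return 'modules/contact.php';
        default:        return 'modules/home.php';   // unknown value -> default page
    }
}

// The same whitelist as a lookup table: easier to audit than a long switch.
const MODULES = [
    'home'    => 'modules/home.php',
    'about'   => 'modules/about.php',
    'gallery' => 'modules/gallery.php',
    'contact' => 'modules/contact.php',
];

function resolve_module_table(string $module): string
{
    // array_key_exists() is an exact key match, so no loose-comparison surprises
    return array_key_exists($module, MODULES) ? MODULES[$module] : MODULES['home'];
}

// Front controller. Reject non-string input (?module[]=x arrives as an array).
$requested = $_GET['module'] ?? 'home';
$module    = is_string($requested) ? $requested : 'home';
require __DIR__ . '/' . resolve_module_table($module);
```

The whitelist only protects this one entry point. Anything the whitelisted module files do with request data, the third-party gallery, and any upload handling are separate attack surface, and none of them is examined in this thread.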
#7
Posted 23 January 2010 - 04:46 AM
Ohh, this is not good and this is definitely not from xisto. I suggest immediately sending a support ticket to xisto from xistosupport.com.
Please give the following details :-
1. Cpanel username and password
2. Domain Name
We will check the server for any possibility of infection.
Thanks,
Shree
#8
Posted 23 January 2010 - 05:49 AM
wow... my guess is that you had a vulnerability and someone took advantage of it
OR someone somehow got your password when you used the school computer. Sure, they're kids, but some are smart!
Quote
The logs state that various bots have crawled the pages but I really want to know how they got there and who from.
what do you mean? search engine bots? those are normal for various search engines to index your pages and are harmless
Basically what you need to do when you have a website is try to hack it yourself, I mean really try to gain access to it without actually using a password, this helps you find vulnerabilities and fix them
#9
Posted 24 January 2010 - 02:28 AM
shadowx, on Jan 22 2010, 11:22 AM, said:
Updating my site and looking through the logs, my eye caught a visit to a page called "klux.php". I viewed the file, which was in a subfolder under "iqici", and as I suspected it was full of references to the KKK.
So I looked at the folder and saw a few strange files as well as the folder where the klux.php file is; looking in there, it's just a huge alphabetical list of .php pages with usually innocuous names.
Checking my logs now, the folder was named "dwyhj." The only way I can think of someone being able to create files (even if they are blank ones) is by sharing permissions (but I'm no expert in this).
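Two of the replies above ask for things a script can gather: Shree's offer to "check the server for any possibility of infection", and the question of whether file permissions let someone create files. The following is an added example, not code from the thread or from Xisto: a read-only triage script for a cPanel-style web root that reports world-writable directories, recently modified files, PHP files containing typical webshell constructs, PHP code hidden in non-PHP files, and directories stuffed with dozens of .php files (the "huge alphabetical list of .php pages" pattern from the first post). The thresholds, the pattern list and the example path are assumptions.

```php
<?php
// Added example, not from the thread: a read-only triage script for a web root.
// Run it as:  php triage.php /home/user/public_html [since]
// where [since] is any strtotime() string such as "2010-01-01" (default: last 30 days).
// The thresholds and the pattern list below are assumptions; tune them for your site.

declare(strict_types=1);

// Constructs that are rare in hand-written site code but common in dropped files.
const SUSPICIOUS_PATTERNS = [
    '/\beval\s*\(/i',
    '/\bbase64_decode\s*\(/i',
    '/\b(gzinflate|gzuncompress|str_rot13)\s*\(/i',
    '/\b(system|passthru|shell_exec|popen|proc_open)\s*\(/i',
    '/\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(/',   // $_GET['f']() style call
    '/\bpreg_replace\s*\(\s*[\'"][^\'"]*\/e[\'"]/i',        // /e modifier is eval
];

const PHP_EXTENSIONS = ['php', 'phtml', 'php5', 'inc'];
const MANY_PHP_FILES = 40;   // a dropped doorway-page folder holds dozens of .php files

/**
 * Walk $root and return [kind, path, detail] findings:
 *  - world_writable_dir : any local user (other accounts on a shared host) can drop files
 *  - recent_file        : modified at or after $since (unix time)
 *  - suspicious_php     : PHP file matching one of SUSPICIOUS_PATTERNS
 *  - php_in_other_file  : "<?php" inside a file with a non-PHP extension
 *  - many_php_files     : directory holding MANY_PHP_FILES or more PHP files
 */
function triage(string $root, int $since): array
{
    $findings  = [];
    $phpPerDir = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        /** @var SplFileInfo $info */
        if ($info->isDir()) {
            if ($info->getPerms() & 0002) {
                $findings[] = ['world_writable_dir', $path, sprintf('%04o', $info->getPerms() & 0777)];
            }
            continue;
        }
        if ($info->getMTime() >= $since) {
            $findings[] = ['recent_file', $path, date('c', $info->getMTime())];
        }
        $ext = strtolower($info->getExtension());
        if (in_array($ext, PHP_EXTENSIONS, true)) {
            $dir = $info->getPath();
            $phpPerDir[$dir] = ($phpPerDir[$dir] ?? 0) + 1;
            $src = @file_get_contents($path);
            if ($src !== false) {
                foreach (SUSPICIOUS_PATTERNS as $re) {
                    if (preg_match($re, $src) === 1) {
                        $findings[] = ['suspicious_php', $path, $re];
                        break;
                    }
                }
            }
        } elseif ($info->getSize() < 1000000) {
            // A PHP shell stored as .jpg or .txt only needs an .htaccess rule or an
            // include() to become executable, so report it anyway.
            $head = @file_get_contents($path, false, null, 0, 8192);
            if ($head !== false && stripos($head, '<?php') !== false) {
                $findings[] = ['php_in_other_file', $path, $ext === '' ? '(no extension)' : $ext];
            }
        }
    }
    foreach ($phpPerDir as $dir => $n) {
        if ($n >= MANY_PHP_FILES) {
            $findings[] = ['many_php_files', $dir, (string) $n];
        }
    }
    return $findings;
}

$root  = $argv[1] ?? getcwd();
$since = isset($argv[2]) ? (int) strtotime($argv[2]) : time() - 30 * 86400;
foreach (triage($root, $since) as [$kind, $path, $detail]) {
    printf("%-19s %s  (%s)\n", $kind, $path, $detail);
}
```

Treat the output as leads, not verdicts: legitimate code uses base64_decode() too, and a folder of doorway pages will mostly show up as many_php_files plus a burst of recent_file entries with near-identical timestamps. The script does not tell you how the files got there; for that, correlate those timestamps against the FTP, cPanel and web server access logs for the same minute, and against any upload or admin script that was reachable at the time.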