Nice friendly hackers have been at the Friends of Baildon Moor site again. The site was not working and was defaced but I found a few interesting things around. The footer PHP file had been modified with some interesting code that looked as though it was doing something with usernames and passwords and had a stack of encoded text. A couple of directories also had some CGI scripts in them and .htaccess files that looked as though they would run the scripts.
The most interesting directory was in the theme directory and contained just short of 43000 text files with names that seemed to be <user> followed by one of -host -cpanel -joomla -wordpress -oscommerce -zencart -billing -phpBB -SMF -vb3.
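As an added example (not code from the original post, nor anything supplied by the hosting company), the following Python script does the two checks a practitioner would want to run on such a directory: it parses file names of the form <user>-<suffix>, using the ten suffixes listed above, into a sorted set of account names and a per-suffix count, and it scans a PHP source string for injection indicators and long base64-looking runs such as the "stack of encoded text" in the footer. The indicator strings, the optional .txt extension and all sample data are the editor's assumptions, not details from the post.

```python
"""Offline triage for the two artefacts described in the post.

Added example by the editor; not code from the original post or from the
hosting provider. The file-name suffixes come from the post; the PHP
indicator strings and all sample data below are the editor's assumptions.
"""
import re
from collections import Counter
from pathlib import Path

# Suffixes reported in the post: each dropped file was <user>-<suffix>.
SUFFIXES = ("host", "cpanel", "joomla", "wordpress", "oscommerce",
            "zencart", "billing", "phpBB", "SMF", "vb3")

# Greedy account part so names containing '-' still split on the final suffix.
# The ".txt" extension is optional because the post does not state one.
NAME_RE = re.compile(
    r"^(?P<account>.+)-(?P<suffix>" + "|".join(map(re.escape, SUFFIXES))
    + r")(?:\.txt)?$"
)

# Assumed indicators of injected PHP (not enumerated by the post).
PHP_INDICATORS = ("base64_decode", "eval(", "gzinflate", "str_rot13",
                  "create_function", "$_POST", "$_GET")
# A long run of base64-alphabet characters, i.e. a "stack of encoded text".
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")


def parse_dropped_names(names):
    """Split file names into (sorted accounts, Counter per suffix, unmatched).

    A name that does not end in one of the known suffixes is reported in
    `unmatched` rather than silently dropped.
    """
    accounts, per_suffix, unmatched = set(), Counter(), []
    for name in names:
        m = NAME_RE.match(name)
        if m is None:
            unmatched.append(name)
            continue
        accounts.add(m.group("account"))
        per_suffix[m.group("suffix")] += 1
    return sorted(accounts), per_suffix, unmatched


def scan_php_source(text):
    """Return (indicator hits in PHP_INDICATORS order, encoded-looking blobs)."""
    hits = [ind for ind in PHP_INDICATORS if ind in text]
    blobs = BLOB_RE.findall(text)
    return hits, blobs


def triage_directory(directory):
    """Run both checks over a real directory; world-writable files are listed too."""
    directory = Path(directory)
    files = [p for p in directory.iterdir() if p.is_file()]
    accounts, per_suffix, unmatched = parse_dropped_names(p.name for p in files)
    # Mode 777 means the "other" write bit (0o002) is set.
    world_writable = [p.name for p in files if p.stat().st_mode & 0o002]
    php_findings = {}
    for p in directory.glob("*.php"):
        hits, blobs = scan_php_source(p.read_text(errors="replace"))
        if hits or blobs:
            php_findings[p.name] = (hits, len(blobs))
    return {"accounts": accounts, "per_suffix": per_suffix,
            "unmatched": unmatched, "world_writable": world_writable,
            "php_findings": php_findings}


# Constructed sample data (not taken from the compromised site).
SAMPLE_NAMES = ["alice-host.txt", "alice-cpanel.txt", "bob-wordpress.txt",
                "bob-phpBB.txt", "carol-SMF", "readme.txt"]
SAMPLE_FOOTER = ('<?php if(isset($_POST["u"])){ eval(base64_decode("'
                 + "QUJD" * 20 + '")); } ?>')

if __name__ == "__main__":
    accounts, per_suffix, unmatched = parse_dropped_names(SAMPLE_NAMES)
    print("accounts:", accounts)
    print("per suffix:", dict(per_suffix))
    print("unmatched:", unmatched)
    hits, blobs = scan_php_source(SAMPLE_FOOTER)
    print("php indicators:", hits, "encoded blobs:", len(blobs))
```

Run it against a copy of the theme directory with `triage_directory("/path/to/copy")`; the number of distinct accounts it reports is what tells you whether the files really enumerate every user on the shared server, and the `unmatched` list catches any naming variant the pattern misses.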
The files were only created in the morning but I am unable to get rid of them. According to my FTP client the permission on them all is 777 which I thought was prevented by the host system. I was unable to delete them and I was unable to change permissions on them nor could I open them. My HTML editor that uses FTP to connect to sites did not even show the files and the web based file manager within the hosting just gave me a twirly busy icon.
I raised a ticket with my hosting company and also phoned them. They sounded grateful and said that someone would investigate as soon as possible. The files are still there an hour later!
If nothing else this helps while away the evenings but I can think of better things to do – I am falling behind on reviewing my photos, I am taking them quicker than I can delete them.
Update: My hosting company removed the files at 6:00 the following morning and did not seem overly concerned that I had almost 43000 files that seemed to have the username for every account on the server. I tried a random sample of the names in my browser as <IP address>/~accountname and every one came back with a website or "Account suspended".