Mysterious files appeared on my webserver



#1 DiMono


Posted 21 November 2016 - 04:01 PM

While searching on my Hostwinds webserver for a specific file, I noticed some files in a website root directory that I did not put there. Those files are:

27243AD4E44FB1E2CDCEECED32926EA5.txt with contents:

6fa5d212f5ee6346f98ceae1a0425c1bcfa9780b
comodoca.com

D60ED30DA1AF9F372DEA37DB0BA959CD.txt with contents:

a644cf27e6b37c51520ad2e5f051df26de39a837
comodoca.com
Some Google-fu revealed that comodoca.com redirects to Comodo's website, which I know is legitimate, but the presence of the files when I did not create them is suspicious. Further, the website whose root they are in is an add-on domain not contained within the public_html directory, and it is very strange to me that someone would break into the server (on two occasions almost 24 hours apart) and put two text files in such a basically trivial location. Has anyone had any experiences with something similar in the past? I'm more confused than anything else.





#2 12throw8outthewindow


Posted 22 November 2016 - 11:26 AM

Thanks for posting about this, DiMono. I would also like to know about it. I have found similar files cropping up in the root directory of several of my WordPress installations, one per day from 11/12/16 to 11/20/16. They have appeared in my top-level domain and one add-on domain. However, they do not appear in my other two add-on domains. One of the add-on domains without files in the root directory has 2 no-index subdomains, and they don't appear in one, but there are files for 11/12 and 11/13 only in the other. I downloaded a couple of the files from one installation and then deleted them, which had no visible effect on the site.

 

The Wordfence security plugin (which includes a firewall that blocks malicious uploads) is active in all of these installations. Since they are txt files, I don't know that they are doing any harm, but since I didn't put them there, nor have I installed any new plugin or theme to all of the affected installations during that time period that might have included them, I am quite concerned about how they got there.


Edited by 12throw8outthewindow, 22 November 2016 - 11:27 AM.




