Paul-AC
asked on
663.php file
For some reason I have 663.php and n2.html files in the root of my FTP folders.
Can someone please tell me what they are and where they may be coming from?
Thanks in advance.
Never heard of them. If they're not yours, I'd get rid of them. You could download them and look at the source to see what they're doing.
ASKER
Interesting....
I can delete them but want to find out how they get there. My user did not upload them. It will be nice to know how they get there (maybe browsers created them when the user uploaded the other files?).
If anyone knows, please give your input.
Thanks
I'd also scan your computer for signs of a virus.
And can you zip the contents of that html file and post it here for people to look at. Curious to see what is in it.
ASKER
I'm not sure if I want to do that, it may contain the username and pw in the file???
The server is mine (no hosting company), for sure there's no virus on my computer and others.
If it's your server, you need to look at the contents and date of that file to see what's going on.
I just logged into my server of my hosting company and just noticed the same file : 663.php.
It's in all the folders.
This could be a big problem.
About 2 years ago, I had a similar problem with a .php file while hosting on Discountasp.net.
Here is why it's a big problem:
Any search in Google for my store . . . there was a warning next to the link,
something like :
"warning : this website could harm your computer" . . or something like that.
So yes, this needs to be looked at. People are not going to click that link.
I'm going to contact my hosting company now.
I just opened the file in NotePad.
This is all it contained :
47Y11VdSa1w8i6o75OfRc83Go6 T768 0 <?php print md5(10);?>
ASKER
Thanks guys,
I'll change the pws and tell users to update their browsers.
People/Readers,
As an addendum, you should have someone perform a vulnerability assessment against the FTP server. Have this performed by someone who knows what they're doing.
Why? Because you could resolve the cause of the problem on the affected server, but meanwhile the rest of your network might be compromised by means of the attacker "pivoting" through the affected server:
Change every password for every account on the affected server.
Ensure that *every* program installed is patched up to date.
Use a site like SecurityFocus (others are available) which lists known vulnerabilities for many, many software types - search for each piece of software you have, in turn, and confirm that there are no known vulns.
And yes, this happened to one of my servers today, so I'm keenly looking into it; looks like Remote File Inclusion by means of remote exploit to me - exploit as yet unknown but MS just released a bundle of critical patches, for example...
Hapexamendios, C|EH
Certified Ethical Hacker
Paul-AC - I had the same issue twice so far, once on the 16th and again on the 22nd. Would your provider happen to be Network Solutions?
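
Added example, not part of any post in this thread: a Python sweep that follows the advice above to look at the contents and date of the file, and checks whether the same file sits in every folder. The regular expression, the size limit and the sample folder names are assumptions modelled on the 663.php contents quoted in the thread.

```python
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: matches the one-line snippet quoted in the thread, e.g. <?php print md5(10);?>
PROBE_RE = re.compile(rb"<\?php\s*(?:print|echo)\s*\(?\s*md5\(\s*\d+\s*\)", re.I)
MAX_SIZE = 1024  # assumption: the quoted file was only a few dozen bytes


def find_probe_files(root):
    """Return {file name: [(relative path, size, mtime UTC), ...]} for matching files."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if st.st_size > MAX_SIZE:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if PROBE_RE.search(data):
                mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                hits[name].append((os.path.relpath(path, root), st.st_size, mtime.isoformat()))
    return dict(hits)


def build_sample_tree(root):
    """Constructed sample data: two folders holding the quoted file, plus benign files."""
    probe = b"47Y11VdSa1w8i6o75OfRc83Go6 T768 0 <?php print md5(10);?>"
    for folder in ("", "shop", "images"):
        os.makedirs(os.path.join(root, folder), exist_ok=True)
    for rel, body in {"663.php": probe, "shop/663.php": probe,
                      "shop/index.php": b"<?php echo 'hello'; ?>",
                      "images/readme.txt": b"md5 checksums live here"}.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, found in find_probe_files(tmp).items():
            print(name, "in", len(found), "folder(s)")
            for rel, size, mtime in found:
                print("  ", rel, size, "bytes, modified", mtime)
```

Run against a real web or FTP root by calling find_probe_files with that path; the modification times it reports can then be compared with the FTP and web server logs for the same period.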