PHP files sudden disappearance from my hosting service

Guys,

I have a hosting problem that I cannot handle myself. I do have a hosting provider and a lot of hosting accounts and client websites on them. The problem is that some files are deleted by an automated process every night at 4:20 AM (I uploaded them back every day).

As I somehow expected, the tech support guy said: “It is not our server, check your scripts and files!”
Here is what I did: I recreated the files deleted by server, with notepad, with nothing inside them. Example: file_a.php, file_asd.php, etc. They looked like originals but with 0 bytes; then I moved them all in a single folder, on some unused web domain I own. I have also changed folder and files permissions to 444 (owner edit/write denied)...
Guess what? At 4:20 AM that folder was emptied of empty files!

Suggestions?

 

I'm a great beleiver in people helping themselves first - and you seem to have done that - so it's time your host stepped up to the mark.

Their suggestion that there is a script doing this might be correct, but surely they can help you out by finding it for you? Is it a script on the server that is being invoked every day, maybe it's being done via FTP, is it their backup software that could be doing it? Is someone accessing the site remotely and doing it.

Your host needs to start helping you now. They need to check server and FTP logs and see if they can find a reason WHY this is happening or how it is happening. I think you've done what you can, and it is no longer acceptable for your host to say "it's not our server" and leave it at that. Only they have access to certain logs and functions on the server so it's only them that can help.

The only other thing you might want to do it check your web site logs at around the time the files are deleted. Are there any files being accessed at that time that could contain a script you know/don't know about - check the contents of the files being accessed. If you do that then your host can't complain about you not trying to help yourself first. Hope you get it sorted.

 

The thing is that i did populate a new account and web domain with empty files (using original names of deleted files from various other accounts and domains) made with notepad (0 bytes). there is no way other scripts to communicate with them.

They were deleted all at 4:20 am. I think the server is sensible at some file names, considering them threats due past security issues of files with same name. Commonly CMS or Framework files. I have to admit that almost all deleted files are from different CMS applications. I have googled a bit and I found that most of these files have been found guilty of security breaches in the past but fixed immediately.

I cannot see any reason to military a server against fixed files from CMS like Joomla, Drupal, Wordpress. Because these CMS's are constantly updated...

 

What cron jobs do you have running on your account?

Also I do know of security scripts that remove certain files if they are determined to be threats/viruses/exploits. Can you give more detail on what folder and these files are for?

 

It is more than likely the server doing an automated scan for malware and the files have a signature it recognizes as malware and they are therefore being removed.

It's possible the files have code in them you are unware of, such as base64, etc.

You'll need to take a close look at the files themselves or have an experienced developer take a look because it doesn't sound like your host is much help.

 

I have recreated the files with notepad and left them empty:

example:
components/com_rsmonials/rsmonials.php (0 bytes)

this on other domain and account. I only kept the folder structure with an empty file. It is impossible to be deleted through an "unlink" function or other scripts as long as there are no scripts of any kind on that domain.

further explanation: this component was considered Search Engine Dork in version 1.5.1 but fixed after that version. So, it was considered a threat but not anymore. Why do they keep deleting this type of files?? a lot of frameworks and CMS got through security flows from time to time but fixing their mistakes.

 

If it's still being deleted by filename alone, it is obviously still seen as a threat by the system.

 

Yes it is deleted by path and file name even if i create an empty file on a random web domain. If I put that file elsewhere it will remain untouched.

I have discovered at least 100 such files deleted in the past 12 months. What do I say to my clients?: "You have installed the latest version of Wordpress! And one file is considered a threat. Switch to something else because the server will delete it even if the glitch is fixed!".

I do not have Cron Jobs running on my account. Do I have to verify anything else using Cpanel? 10x.

 

Honestly, this is all something you need to deal directly with your host about. They are the only ones that can do anything for you.

If they are unwilling to help you, then it may be time to move on.

 

I have not too much knowledge about Hosting problems,but its really seems like problem of some unknown script running on web server or it perhaps due to conflicted with you web site's script which make host server's script allowing to delete file a that time only.what kind of website you are running in that web hosting server?

 

Ya well said !!!I just want to known about the sites technology and about the servers technology too?

 

I spoke with tech guys from my hosting provider after I directed them to the cause of the problem. And the conclusion is clear: server is deleting files considered malware by path or name even if the files are empty.

they have an antivirus or something with a data base of threats definitions. If you unluckily named a file file_abc.php and that file name exists in the file blacklist of the antivirus, on backup the file will be removed and quarantined.

sad...

 

Well, you can actually request them to whitelist your path. Just shoot them a ticket and ask them to whitelist /home/[YourUsername].

That would do.