  1. #1
    Junior Member
    Join Date
    Nov 2011
    Posts
    1
    Member #
    30021
    I've just taken over managing the website www.cgm.org.au. (Please - no comments about design! I'm not responsible!) It was originally set up using Frontpage but I've got plans to move the whole thing over to Joomla. I was going thru the files seeing what was what using cpanel. When I viewed the log of recent visitors I noticed a lot of URLs for pages that shouldn't have been there! All URLs were from the /public_html/dzkapx directory and were URLs linked to pages like this -> http://cgm.org.au/dzkapx/pzav.php?qhmn=picture-of-georgia-state-flower&quot or URLs that led to non-existent pages that ended in 404 errors like this -> http://cgm.org.au/dzkapx/images/CGM%20Header.jpg

    A check of the site's files revealed the dzkapx folder (altho no /image subdirectory was there, hence the 404 errors accessing those links). I've gone back thru site backups and found this folder has been there for quite a while. It contains the following files:
    evekwalicu.txt (17.93MB)
    index.php (1.87kb)
    kw.txt (5.17kb - NB: kw are the initials of the site owner)
    pzav.php (26.99kb)
    tmp (0bytes - file type text/x-generic)

    All files are dated 10/5/2010 except for evekwalicu.txt which was accessed today, so whatever this is it's still active. I've uploaded an edited version of this file - the original was too large to upload and it's pretty much all the same stuff anyway, but it gives an idea of the sites being accessed.

    The dzkapx folder also contains the subdirectory /cache which contains numerous text files with random alphanumeric titles, all 32 characters in length, file type text/x-generic and all 27kb in size. I've uploaded the latest of these files to give an idea of content (I added the file's .txt extension).

    I've also noticed in the Latest Visitors log that there are various instances of files called /favicon.ico, /robots, /robots., /robots.t, /robots.tx, /robots.txt, /robot, /r, none of which are visible in the site's files. One or more of these files always seems to be accessed around the same time as the dzkapx URLs. I've

    I've checked out just about everything online and can't find anything that appears to be triggering this dzkapx thing. Every page and link behaves normally. I downloaded and virus-checked the site but that came up clean and my virus checker doesn't pick up any activity when I'm accessing the site and I've got it set at the highest levels.

    A lot of the webpages being accessed are pornographic and this site is a Christian site! Although it doesn't appear that anything is being shown via pop-ups or anything else, and the site seems to work without any problems, I would really like to get to the bottom of it and get rid of it. I'm a little reluctant to just remove the files in case there's something elsewhere set up to crash the site!

    Any help or advice would be greatly appreciated.

  2.  

  3. #2
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    A virus checker won't pick up that kind of a thing because it's not a virus as such. A virus is (generally speaking) a program that is executed that does some sort of damage.

    This would come under the definition of a server hack. There's an open folder or directory somewhere and your server got hacked.

    First things first...tell your host. Leave the folder as is on the server for now...it's normally dangerous, but your host will have to see the folder and see the contents of it. From there, your host will in all likelihood update your server with the latest security fixes/patches and change all of your passwords.

    If the host doesn't do this, you should. It may be that you're using a simple password like "dog" or "cat" somewhere that a hacker could guess at. Change every single one of them.

    Mind you, this looks like the symptom of a deeper problem. I've never heard of the host you're using (mostly because I'm not AussieAussieAussie...you guys rock, though). But any host that promises unlimited data transfer usually scares me simply because there's no such animal (all data transfer is capped by time x bandwidth). If you're going to move to Joomla, it may be more expensive for you to do that based on their plans (since Joomla requires PHP, which isn't on their "cheap" plan).

    I'd be looking at relocating the hosting if I were you. Mind you, I'd wait to see how they handle this. Even the best hosts have servers that get hacked from time to time. It's how they respond to it that is a test of their mettle.
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)
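
Added example, not part of either post: a file-tree check for the layout described in the first post (PHP scripts sitting next to a cache/ subdirectory of 32-character file names), which is the kind of artifact the reply says a virus checker will not flag. The name pattern, the 0.8 threshold, the function names and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: cache entries look like the ones in the first post,
# exactly 32 alphanumeric characters with no extension.
CACHE_NAME = re.compile(r"^[A-Za-z0-9]{32}$")

def cache_name_ratio(cache_dir):
    """Fraction of regular files in cache_dir whose names match CACHE_NAME."""
    names = [n for n in os.listdir(cache_dir)
             if os.path.isfile(os.path.join(cache_dir, n))]
    if not names:
        return 0.0
    return sum(bool(CACHE_NAME.match(n)) for n in names) / len(names)

def find_doorway_dirs(webroot, min_ratio=0.8):
    """Return directories (relative to webroot) that hold PHP scripts next to
    a cache/ subdirectory dominated by 32-character file names."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        has_php = any(f.lower().endswith(".php") for f in filenames)
        if has_php and "cache" in dirnames:
            ratio = cache_name_ratio(os.path.join(dirpath, "cache"))
            if ratio >= min_ratio:
                hits.append(os.path.relpath(dirpath, webroot))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: one ordinary PHP area and one directory shaped
    like the folder described in the first post (empty files only)."""
    layout = [
        "index.html",
        "gallery/index.php",
        "gallery/cache/thumb_001.jpg",
        "dzkapx/index.php",
        "dzkapx/pzav.php",
        "dzkapx/kw.txt",
        "dzkapx/cache/" + "a1b2c3d4" * 4,   # constructed 32-char name
        "dzkapx/cache/" + "0f9e8d7c" * 4,   # constructed 32-char name
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print(find_doorway_dirs(root))
```

A hit is a lead for manual review rather than proof, since legitimate PHP applications can also keep hash-named cache files; compare each reported directory against what the site is known to contain.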

