Possible malicious files?
I've seen my fair share of hacks/insertions in the past, but I came across this on a dedicated client's server today; they brought it to my attention. Server runs latest CentOS + latest cPanel. Typical csf/modsec config etc.
They have one cPanel user account with multiple addon domains, mostly WordPress installs. In almost every domain directory there are several randomly generated text files that look like this:
-rw-r--r-- 1 53 Dec 18 00:17 028366AC0F38DD0FC723179739077490.txt
-rw-r--r-- 1 53 Dec 14 00:16 34C7BBEF43BB878CB390CB09CD2A1F94.txt
-rw-r--r-- 1 53 Dec 5 08:54 7FCA994C7A69B3F4E00533C9C1EBDFCB.txt
-rw-r--r-- 1 53 Dec 13 00:17 9DA998A22F142A977FA11C5871E61674.txt
-rw-r--r-- 1 53 Dec 8 00:17 A497C30A122C651D3E26F9C179F88B03.txt
-rw-r--r-- 1 53 Dec 9 00:18 AC4AE8BF3E940C7D76EEA405A212595D.txt
-rw-r--r-- 1 53 Dec 17 00:17 E6E364E137F4D4341D7777E62E404468.txt
The text files contain one line of random data in them. For example, the first file, "028366AC0F38DD0FC723179739077490.txt", contains:
"ac601d4f6a70a6e8281210b9e65852889519dfbc"
So far I'm not seeing any hits to these files in apache domlogs and I have not yet confirmed how they got there (I don't see anything in ftp logs yet or any other signs of unauthorized access).
Has anyone come across odd files like this before, or can anyone think what they may relate to? The client certainly does not know where they came from either.
-
This thread should be useful: In Progress - AutoSSL Validation Text File
-
Duh, that's totally what it is, AutoSSL completely slipped my mind. I hadn't enabled it on their server but it must have gotten turned on by a recent update.
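A triage helper for the situation in this thread, added as an example and not part of the original posts: it walks a directory tree, picks out files named like the ones listed (32 uppercase hex characters plus .txt) and separates those holding a 40-hex-character token from same-named files with any other content. The size limit, the function names and the `example.test` directory are assumptions; the first sample file is the one quoted in the thread, the second is constructed.

```python
import os
import re
import stat
import tempfile

# Patterns taken from the listing quoted in the thread.
NAME_RE = re.compile(r"^[0-9A-F]{32}\.txt$")   # 32 uppercase hex chars + .txt
TOKEN_RE = re.compile(rb"^[0-9a-f]{40}$")      # 40 lowercase hex chars
MAX_SIZE = 256  # assumption: thread files are 53 bytes, so anything far larger is odd

def classify(path):
    """Return 'token', 'suspicious', or None when the name does not match."""
    if not NAME_RE.match(os.path.basename(path)):
        return None
    st = os.lstat(path)  # lstat: a symlink carrying this name is itself a red flag
    if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_SIZE:
        return "suspicious"
    with open(path, "rb") as fh:
        data = fh.read()
    lines = data.splitlines()
    # First line must be the bare token; plain ASCII only, no markup or script tags.
    if not lines or not TOKEN_RE.match(lines[0]) or not data.isascii() or b"<" in data:
        return "suspicious"
    return "token"

def scan(root):
    """Map relative path -> verdict for every pattern-named file under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict:
                found[os.path.relpath(full, root)] = verdict
    return found

def demo():
    """Scan a constructed docroot: one file from the thread, one decoy."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "example.test")
        os.makedirs(site)
        samples = {
            "028366AC0F38DD0FC723179739077490.txt": b"ac601d4f6a70a6e8281210b9e65852889519dfbc\n",
            "0123456789ABCDEF0123456789ABCDEF.txt": b"<?php echo 1; ?>\n",  # constructed
            "readme.txt": b"not a match\n",
        }
        for name, body in samples.items():
            with open(os.path.join(site, name), "wb") as fh:
                fh.write(body)
        return scan(root)
```

Anything `scan()` reports as `suspicious` is a file that borrows the naming scheme but not the content, which is the case worth opening by hand.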