
I just discovered a file on my server that was created by my script from what appears to be a penetration test.

Now I have a file named " somecustominjectedheaderinjectedbywvs" but I cannot see or delete it on my Apache server (through SSH).

I discovered it from a PHP script that was reading a directory. It printed out this file name as a result of this loop:

foreach("/mydir/" as $file){

Through SSH I cannot remove the file because it doesn't exist.

Also, PHP cannot open the file because it doesn't exist, although it shows up in my scandir() result.

Can someone please help me to get rid of it, as it shouldn't be there? I also found another file that looks like it was named after a bash command that I also cannot remove.

 

Please help

foreach("/mydir/" as $file){

That's not your code, that would throw an error.

 

You're saying the filesystem doesn't see it, but PHP does?

 

If your server is compromised, you need to shut down its access to the internet right now and fix it. It could be involved in any number of things, including the DDoS that took down six major banks this week. Shut it down.

 

Once it's shut down, remove any files that shouldn't be there or simply wipe the hard drive and restore from a backup.

 

Thanks. I was able to get rid of them with unlink().

Also, strange that scandir() was able to see 3 files with the same name and readdir() did not see these files at all. Also could not remove them with the bash command rm.

Also, I don't think my server was compromised since the attacker was assuming the POST was being used in a DB.

Is there a better way of cleaning POST requests?

You had files on your filesystem named after a common hacking tool; your server was compromised.

What was the actual problem? There are hundreds of ways to cleanse $_POST, it depends on what the data is.
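Added example, not code from any poster in this thread: since the thread's files were evidently created from request data, the one "cleaning" that matters for that use is an allow-list on the value before it ever becomes a filesystem name. The function name and the sample values below are constructed for illustration; the directory is only used to build a path, nothing is written.

```php
<?php
// Added example (not from the thread): derive a filename from request input only
// through a strict allow-list, so control bytes, path separators and shell
// metacharacters never reach the filesystem at all.

function safeFilenameFromInput(string $input, string $baseDir): ?string
{
    // Accept only a short run of letters, digits, underscore and hyphen.
    // This rejects spaces, dots (no traversal), slashes and every control
    // character, including the ESC byte that starts an ANSI escape sequence.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $input)) {
        return null;
    }
    // Resolve the base directory so the result is an absolute path inside it.
    $dir = realpath($baseDir);
    if ($dir === false) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $input;
}

// Constructed sample values standing in for $_POST['name'] in incoming requests.
$samples = [
    'report_2013',                          // accepted
    "\x1b[30msomecustominjectedheader",     // rejected: ESC control byte
    '../etc/passwd',                        // rejected: dots and slashes
    'whoami; uptime',                       // rejected: space and semicolon
];

foreach ($samples as $value) {
    $path = safeFilenameFromInput($value, sys_get_temp_dir());
    // addcslashes makes any control byte in the sample visible as an octal escape.
    printf("%-40s => %s\n", addcslashes($value, "\0..\37\177"), $path ?? 'REJECTED');
}
```

The point of the allow-list (as opposed to stripping or escaping) is that anything the script did not expect is refused outright, so a name built from an injected header or a command string is never created in the first place.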

file named " somecustominjectedheaderinjectedbywvs"

 

I assume you cut and pasted that filename. I notice a space inside the double-quote, before the "s". It is possible the first "character" of the name was an ANSI escape sequence designed to change the font color or otherwise hide the name from the command line. Since the browser does not interpret ANSI escape sequences, you could see it from the PHP script and that sequence rendered as a space.

 

rm *injectedbywvs

should have removed it/them (assuming you don't have any other files you want to keep that end with that string).
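Added example, not code from any poster in this thread, building on the escape-sequence explanation above and the original poster's note that unlink() worked where rm did not: it lists a directory with control bytes in names rendered as octal escapes (so a name starting with ESC shows up as `\033[30m...` instead of a blank), then removes plain files ending in a given suffix. The scratch directory and the file with the ESC-prefixed name are constructed here to demonstrate.

```php
<?php
// Added example (not from the thread): make hidden bytes in filenames visible,
// then remove entries by suffix without passing the raw names through a shell.

function listWithEscapes(string $dir): array
{
    $out = [];
    foreach (scandir($dir) as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        // Bytes 0x00-0x1F and 0x7F become octal escapes, e.g. ESC -> \033
        $out[$name] = addcslashes($name, "\0..\37\177");
    }
    return $out;
}

function removeBySuffix(string $dir, string $suffix): int
{
    $removed = 0;
    foreach (scandir($dir) as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        if (substr($name, -strlen($suffix)) !== $suffix) {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        // Only regular files; never descend into directories or follow symlinks.
        if (is_file($path) && !is_link($path) && unlink($path)) {
            $removed++;
        }
    }
    return $removed;
}

// Constructed demonstration in a scratch directory.
$dir = sys_get_temp_dir() . '/hidden-name-demo-' . getmypid();
mkdir($dir);
touch($dir . '/normal.txt');
// A name beginning with an ANSI "set colour" sequence, as speculated above.
touch($dir . "/\x1b[30msomecustominjectedheaderinjectedbywvs");

foreach (listWithEscapes($dir) as $visible) {
    echo $visible, "\n";
}
echo 'removed: ', removeBySuffix($dir, 'injectedbywvs'), "\n";

// Clean up the scratch directory.
unlink($dir . '/normal.txt');
rmdir($dir);
```

Listing the escaped form first is the useful step: once the real bytes are known, the glob `rm *injectedbywvs` suggested above and the unlink() loop here both work, because neither depends on the terminal rendering the name correctly.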
