Web Guru help request

Rick Bergeron - CPF

The files below were recently discovered accessible through our domain name. The files are nowhere to be found, visible or hidden, anywhere within our 'space'.

The hosting account is on a shared server with a private IP address and our own SSL certificate.

The host says the files like this are normal just because it is a shared server and that they are associated with someone else's admin account.

I cannot believe that statement and there is no offer for any other explanation. For you guys who are better versed in things like this, is that an accurate statement? Hopefully not, because the mere existence of the directory structure and files is a red flag for security concerns.

TNX
Rick

http://chainweavers.com/~admin
http://chainweavers.com/~admin/images/
http://chainweavers.com/~admin/pdfs/
http://chainweavers.com/~admin/images/_notes/
http://chainweavers.com/~admin/images/thumbs/
 
That would give me the heebie-jeebies too. I'm not a *nix expert, but I thought that the "~name" was a virtual link to a user's account. To me this says that your host admin is running a personal website (I hope) under an admin account, which usually has higher visibility permissions than a normal user account. I've seen this done where the host has some common shared images / scripts that users can access to enhance their site (like counters or branding images), but never a completely different website.

Also, usually letting people browse the folder contents like that instead of only allowing direct links to files is a no-no. Both these things together speak of the level of professionalism of your host. Unless of course there was some specific reason they did that.
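
The "~name" mapping and the browsable folders described in the post above match Apache's mod_userdir and directory indexing, assuming the host runs Apache httpd (an assumption; the thread only mentions cPanel). The following is an added configuration example, not part of the original posts and not the host's actual configuration, with placeholder paths, domain and account name, showing the weak setting beside the corrected one:

```apache
# Constructed example. /home/*, customer.example and "customer" are placeholders.
# The two halves are alternatives; they are not meant to be loaded together.

# --- Weak: produces the behaviour described in the thread ---
<IfModule mod_userdir.c>
    # Server-wide: /~name/ requested on ANY hosted domain is translated to
    # /home/name/public_html, so one customer's files answer under
    # every other customer's domain name.
    UserDir public_html
</IfModule>
<Directory "/home/*/public_html">
    # Indexes returns a browsable file listing whenever a folder
    # has no index file of its own.
    Options Indexes
    Require all granted
</Directory>

# --- Corrected ---
<IfModule mod_userdir.c>
    # No username-to-directory translation at all unless an account
    # is explicitly re-enabled with "UserDir enabled <name>".
    UserDir disabled
</IfModule>
<Directory "/home/*/public_html">
    # Folders without an index file return 403 instead of a listing.
    Options -Indexes
    Require all granted
</Directory>
<VirtualHost *:80>
    ServerName customer.example
    DocumentRoot "/home/customer/public_html"
    # Per-domain guard: this site never serves another account's /~name/ path,
    # even if the server-wide setting is changed later.
    UserDir disabled
</VirtualHost>
```

With the corrected settings, a request for `/~name/` on a customer's domain is resolved only inside that customer's own document root, where no such folder exists.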
 
No other comments (yet) from the host. My disk usage report suddenly decreased by 65MB but the folders and files are still accessible.

We're making arrangements to move hosts one day next week before we tell the current host that we have found the fix to the problem and let the other customers find out the hard way.
 
The files and folders that you listed are generally accessed by your web host’s control panel or an FTP site. The control panel and FTP are password protected, so unless you have disabled it, no one can add, delete, or edit the files there.

I suppose a serious hacker could take the time to guess your password, but why bother?

The beginning of your web site, <<http://chainweavers.com/>>, like every site that is displayed at the top of the page, is the portal that people use to access your home/index page. If people click on links on your home page, they are taken to files within the folders, e.g. <<~admin/images/>>. Those files must be “visible” for a web page to work. If they were locked and invisible, your web page would just sit there like a lump.

I wouldn’t worry about it, since only you (hopefully) have the “secret password” to make changes.
 
Hi Bill,

I am the ADMIN for my account and /~admin/ is not mine. /~admin/ is not the host's Master account but it is the account name for another user. The host just says "That's the way things work on a shared hosting server."

It's not likely that anyone will randomly guess the cPanel password to my account. I don't use ftp for file upload, so all ftp is essentially disabled.

You wouldn't believe the stuff that hackers are trying to do on a daily basis. I watch the logs and there are 3-4 attempts on a slow day.

The files that you are seeing at /~admin/ are not mine. They belong to someone else. They are not accessible via my Control Panel. They do not show up in any directory tree within my cPanel space. But they are visible using the paths. If I could see them, they'd have been deleted several days ago.

It appears that the easiest fix is to move hosts and use this account as my "Sandbox" to test changes until the account expires.
 
I get it now. :o

Can you account for all of your files and folders using your control panel? If so, I think you’re okay.

Out of curiosity, have you tried to edit or delete any of those odd files through your control panel?

If you are able to delete some of those ‘mustang’ files using your password, and some of your files and folders don’t show up where they should, then it would seem logical that someone else could fiddle with your files if they are in someone else's folders … if that makes sense.
 
Out of curiosity, how did you find them?
The folders and files were found by a scanning vendor during a PCI scan of our website IP address. The fact that the files can be seen there will cause a scan failure until proven to be a "false positive".

Who does your hosting?
I'll answer that next week after I move everything to a different host AND pass a security scan.

Can you account for all of your files and folders using your control panel?
I feel confident that I can account for all my files (as of today, there are 2859 files in 280 folders located in the "public" folder. That number does not include the DB files).

Out of curiosity, have you tried to edit or delete any of those odd files through your control panel?
Since the files are not in any viewable or hidden folder in MY cPanel, I cannot edit or delete them. Believe me, I wish that I could.
 
All those folders & files just happened to disappear after changing hosts. The original host claimed to be PCI compliant but refused to make changes to correct issues causing PCI compliance scans to fail.

JanetJ1968 Who does your hosting?
tvcnet.com who is also a McAfee partner. Quarterly scans w/certificate are included with hosting.

Also, all of the issues causing PCI scanning failures disappeared after changing hosts. There is merit to using a host that is partnered with a scanning vendor whose name is also well recognized by the general public.

I passed the scan on the first pass without making any changes on my part.
 
So is tvcnet.com your old host or your new one?

Sounds like you did the right thing, in moving.

If you weren't selling things online, you might've never known they had a security problem at all.
 
tvcnet.com is my new host (sorry, my fingers did not do that line justice in the original post).

If I were not selling things online, the lack of security would not have been a huge area of concern for me. It was a relatively painless experience to switch since the host is a partner with the scanning vendor.
 