FutureQuest, Inc.

12-22-2007, 10:45 PM   Postid: 163740
Stecyk
Registered User

Weird file

Hi,

In my logs_web, I found a file "z" from 25 Nov 07. Most visible files in this directory are from December, not November.

It contains only four lines, and each part of that line contains:

Quote:
"<SCRIPT>window.location='http://www.syncrisis.com'</script>
I've seen other sites infected with this syncrisis.com. I am not sure what it is, but I have a sneaking suspicion that it doesn't belong. I tried to delete it, but apparently I lack permission.

If someone from FQ can blast that file or tell me how to do it, I'd be appreciative.

Best regards,
Kevin

12-22-2007, 10:59 PM   Postid: 163741
kitchin
Site Owner

Re: Weird file

Probably when you were doing your "tar -xzf" command, you accidentally put spaces around the "z", something like that. You can try deleting just like any other file, in FTP, in the CNC file manager, or with

rm -i z

at the command line (remove, interactive).

12-22-2007, 11:06 PM   Postid: 163742
Stecyk
Registered User

Re: Weird file

Quote:
Originally Posted by kitchin
Probably when you were doing your "tar -xzf" command, you accidentally put spaces around the "z", something like that. You can try deleting just like any other file, in FTP, in the CNC file manager, or with

rm -i z

at the command line (remove, interactive).
Hi kitchin,

My tar/zip stuff was, I hope, confined to cgi-bin and www, and that was within the last few days. This file was deposited, I think, a month ago.

I tried using my ftp software [FTP Voyager] and no luck.

I used the CNC file manager to navigate the directory and then attempted to delete the file:

Quote:
Oops - an error has occurred:

You must have Write permission on a directory in order to modify files within that directory. You do not have write permission on:

/big/dom/xmydomain/logs_web

You will not be able to modify any files in this directory.
So I think it requires something else?

Best regards,
Kevin

12-22-2007, 11:07 PM   Postid: 163743
kitchin
Site Owner

Re: Weird file

Ignore my previous post. According to this:
http://www.danifer.com/blog/referrer-log-hijack.html
it's referrer log spam. They try to put that javascript in your HTML logs by pretending that is the name of their browser, instead of "Mozilla" or "IE". They use that tag in the name maliciously to get the location of your logs and see if they are password protected, it seems.

There was a thread on these forums a while back about whether FQ was filtering this stuff, but I don't remember the exact outcome of it.

12-22-2007, 11:11 PM   Postid: 163744
Stecyk
Registered User

Re: Weird file

Quote:
Originally Posted by kitchin
Ignore my previous post. According to this:
http://www.danifer.com/blog/referrer-log-hijack.html
it's referrer log spam. They try to put that javascript in your HTML logs by pretending that is the name of their browser, instead of "Mozilla" or "IE". They use that tag in the name maliciously to get the location of your logs and see if they are password protected, it seems.

There was a thread on these forums a while back about whether FQ was filtering this stuff, but I don't remember the exact outcome of it.
Yeah, I recognized the url. I came across two sites that redirected their users to this url. I don't understand this stuff, but I get the impression that it somehow deposited a gift in my folder.

12-23-2007, 02:27 AM   Postid: 163746
 Kevin
Systems Administrator
 
Re: Weird file

Kevin,
That file appears to be the results of a zgrep of all your log files. Probably one of us (probably Terra) looking for instances of someone trying to hack your site. You may have even gotten the contents of that file in an email from us if we thought it was serious at the time. You can't delete it because you can't create or delete files from the logs directory and because the file is owned by root.

I have deleted it for you.
__________________
Kevin
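
The header injection kitchin describes and the kind of log search Kevin mentions, as an added example that is not part of the thread or FutureQuest's own tooling: it scans access-log lines (plain or gzip) for markup in the Referer and User-Agent fields, and escapes those fields before they are written into an HTML report. It assumes the Apache "combined" log format; the sample lines, IP addresses and the `spam.example` domain are constructed.

```python
import gzip
import html
import re

# Apache/NCSA "combined" format: ... "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"\s*$'
)
# Markup that has no business in a Referer or User-Agent header.
MARKUP = re.compile(r'<\s*/?\s*(script|iframe|img|meta)\b|window\.location|javascript:', re.I)

# Constructed sample lines (documentation IP ranges, placeholder domain).
SAMPLE = [
    '192.0.2.10 - - [25/Nov/2007:10:00:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '198.51.100.7 - - [25/Nov/2007:10:00:05 -0500] "GET / HTTP/1.0" 200 5120 "-" "<SCRIPT>window.location=\'http://spam.example\'</script>"',
    '198.51.100.7 - - [25/Nov/2007:10:00:09 -0500] "GET /a HTTP/1.0" 404 210 "<script>window.location=\'http://spam.example\'</script>" "Mozilla/4.0"',
]

def open_log(path):
    """Open a plain or gzip-compressed log as text, as zgrep does transparently."""
    opener = gzip.open if str(path).endswith(".gz") else open
    return opener(path, "rt", encoding="utf-8", errors="replace")

def find_header_injection(lines):
    """Return (line_no, ip, field, value) for each client-supplied field carrying markup."""
    hits = []
    for no, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        m = COMBINED.match(line)
        # Lines that do not parse are still scanned whole rather than skipped.
        fields = m.groupdict() if m else {"ip": "?", "raw": line}
        for field in ("referer", "agent", "raw"):
            value = fields.get(field, "")
            if MARKUP.search(value):
                hits.append((no, fields["ip"], field, value))
    return hits

def render_row(ip, agent):
    """Escape client-controlled fields before they reach an HTML stats page."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(ip), html.escape(agent))

if __name__ == "__main__":
    for no, ip, field, value in find_header_injection(SAMPLE):
        print(no, ip, field, render_row(ip, value))
```
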

12-23-2007, 11:21 AM   Postid: 163750
Stecyk
Registered User

Re: Weird file

Thank you Kevin!

All times are GMT -4.