Install files in root, how did they get there?

Started by SaltedWeb, January 05, 2018, 12:12:15 PM


SaltedWeb

I woke up this morning and went to check my cPanel and files to do something with the site.
I found install files for SMF and files to create a MySQL database in my root; they were not there and have not been
there. They were not activated, luckily, and it appears to have occurred when I was asleep, around 11pm.
I could not find any IP address of concern; of course that's never 100%. I am trying to figure out what happened.
I am putting this in support because I am not sure if something glitched in SMF. No idea how that could do what happened,
but I had to ask. The site is a work in progress and not fully active, so no members other than the testing one.
The password to the root is extensive and I can not see any signs of tampering. And no one but me has the passwords.

No idea hopefully someone has an idea?
Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.

Aleksi "Lex" Kilpinen

Your server should have both access log and error log, if you have an approximate timeline, you should be able to find something in those.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF
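One way to carry out the check this reply suggests, as an added example that is not part of the thread or of SMF itself: narrow the access log to the window the poster describes (around 11pm the night before) and to requests for the files that appeared, then compare against which files on disk were modified in that window. The log lines, the IP addresses (from the RFC 5737 documentation ranges) and the -0500 server offset are all constructed for the example; the web root path in the final comment is a placeholder.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache "combined" format (not from the thread).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [04/Jan/2018:22:58:41 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Jan/2018:23:02:10 -0500] "GET /install.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Jan/2018:23:02:15 -0500] "POST /install.php?step=2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [04/Jan/2018:23:30:00 -0500] "GET /robots.txt HTTP/1.1" 404 210 "-" "Googlebot/2.1"
203.0.113.7 - - [05/Jan/2018:08:15:03 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def requests_in_window(log_text, start, end, path_pattern=None):
    """Requests with start <= timestamp < end; if path_pattern is given,
    keep only those whose request path matches that regex."""
    pat = re.compile(path_pattern) if path_pattern else None
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] < end):
            continue
        if pat and not pat.search(rec["path"]):
            continue
        hits.append(rec)
    return hits


def count_by_ip(records):
    """How many of the selected requests each client address made."""
    counts = {}
    for rec in records:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


def select_modified(entries, start, end):
    """entries: iterable of (relative_path, mtime_epoch_seconds).
    Returns the sorted paths whose mtime falls inside [start, end)."""
    out = []
    for path, mtime in entries:
        when = datetime.fromtimestamp(mtime, tz=timezone.utc)
        if start <= when < end:
            out.append(path)
    return sorted(out)


def scan_webroot(root, start, end):
    """Walk a web root on disk and report files modified inside the window."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries.append((os.path.relpath(full, root), os.stat(full).st_mtime))
    return select_modified(entries, start, end)


# Window the thread describes: "around 11pm" on the night of 4 Jan 2018.
# The -0500 offset is an assumption chosen to match the sample lines.
TZ = timezone(timedelta(hours=-5))
WINDOW_START = datetime(2018, 1, 4, 22, 0, tzinfo=TZ)
WINDOW_END = datetime(2018, 1, 5, 0, 30, tzinfo=TZ)

if __name__ == "__main__":
    hits = requests_in_window(SAMPLE_ACCESS_LOG, WINDOW_START, WINDOW_END,
                              r"install|\.sql$")
    for rec in hits:
        print(rec["ts"].isoformat(), rec["ip"], rec["method"], rec["path"], rec["status"])
    print(count_by_ip(hits))
    # Placeholder path; point this at the real document root to compare
    # file modification times against the same window:
    # print(scan_webroot("/path/to/public_html", WINDOW_START, WINDOW_END))
```

If no request in the window touches the new files, while their modification times do fall inside it, the files were written by something other than a web request (a host-side restore, a control-panel installer, or another account on the server), which is the distinction the later replies in this thread turn on.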

Sir Osis of Liver

Only way I can think of is if host restored a backup that contained the install scripts.  Did you use a host installer to set up the forum?
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Illori

Quote from: Aleksi "Lex" Kilpinen on January 05, 2018, 12:17:02 PM
Your server should have both access log and error log, if you have an approximate timeline, you should be able to find something in those.

or your host may have more detailed logs that you may not have access to.

SaltedWeb

Quote from: Aleksi "Lex" Kilpinen on January 05, 2018, 12:17:02 PM
Your server should have both access log and error log, if you have an approximate timeline, you should be able to find something in those.
Part of the problem is bots etc.; the logs are not detailed enough to see any actions, just visits to the site, and while it does show typical bot activity, tracking some of the IP addresses gave readings from all over with minimal details to see a cause.
I however did block a few I wouldn't want hitting my site anyway from other countries, but that still, at this point, doesn't tell me how it got there when I looked at them. :-(

Quote from: Sir Osis of Liver on January 05, 2018, 12:19:35 PM
Only way I can think of is if host restored a backup that contained the install scripts.  Did you use a host installer to set up the forum?
The site was not affected in operating; the files were just there and dated yesterday. I had done a host installer with them before, as theirs
does it without a glitch. I use Host For Web, and while I know it's a lazy way, I have been working on troubleshooting some mods, so was doing quick installs and removals to check them. On this last install, yes, I did use it after I tested and was ready to put the site in operation. That may be a possibility, a restore like that, but it was very odd: if I look at the SMF package, many files were in there that a root install would have, which was a concern. Some of those files, I think, activated even without the user and pass, could have caused havoc. I checked the logs and there is no sign of any restore; all files are dated from when I did the install in the morning yesterday.
Quote from: Illori on January 05, 2018, 12:24:10 PM
Quote from: Aleksi "Lex" Kilpinen on January 05, 2018, 12:17:02 PM
Your server should have both access log and error log, if you have an approximate timeline, you should be able to find something in those.
or your host may have more detailed logs that you may not have access to.
I have contacted them to ask. They did a full site upgrade a couple weeks ago and I am not sure it went well for some, as they seem heavily delayed in ticket response and their live help has been offline the last two weeks with no explanation.
So I came here and thought I'd see if there was something I was missing in SMF to look for.

Edit: Solved. I looked and found two other MySQL databases from an SMF port software I was looking at a few days ago.
I removed them and checked the current SMF MySQL, and it shows "This MySQL server has been running for 0 days, 9 hours, 26 minutes and 31 seconds. It started up on Jan 05, 2018 at 03:32 AM." Within the suspected timeline they must have restored it and I never got a notice. Oddly though, my site is intact, exactly the way I left it when I went to sleep. And those two databases were older, from over Monday.
I think I can rest though, as it looks like my site was not maliciously changed. The host must have restored it, either that or the other databases were not removed like I thought, as I never checked, and then they were restored?

Anyways, I will mark this solved as it seems plausible it was my host doing something. Appreciate all of your thoughts and the ideas you gave.

SW :-)


Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.
