Removing Gdocs (Google) safe? recommended?

Started by airdave, April 10, 2019, 09:56:20 AM


airdave

Forgive my ineptitude in advance....
I run a small smf board, hosted through some donated space.
papermodelforum.com
I have my own private access to a C-panel and I alone maintain the site.

I've tried to find a better explanation of what gdocs is....google docs I assume...and why I have them (like a virus!).
I've asked on the C-panel forum for help, but none was given.
Maybe this is an smf thing?

A couple of years back I discovered gdoc files in my file manager.
This past week, I had to deal with a malware/phishing file that was discovered in my database.
It was easily removed...

but I noticed the amount of gdoc files and folders has grown considerably.
The screengrabs below illustrate.

These folders contain hundreds, if not thousands of php files.
And they take up a lot of space (even if they are not a threat), and space is limited.

How did these folders and files appear? why did they appear? can I just manually delete them?
Or, how should I deal with them?
Are they a threat, and do they have anything to do with the malware I recently found?

...
Another thing to note...the first set of Gdoc files (in the File directory under Home) is mostly from 2014 (last modified).
There are a few 2017 and 2018 files, but mainly 2014.
I'm guessing this is when things first appeared?

Then, the other two folders (in public html) are hundreds of folders with the php files, and most are from one week in March of 2018.
March 16-23 to be exact.
And nothing newer (since then).
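
One way to put numbers on what the post above describes (unfamiliar directories in the web root, PHP files whose modification dates cluster in a single week), as an added example that is not part of the original thread. The directory names `gdoc` and `gdoc_old`, the allowlist and the sample tree are constructed assumptions, and `find -printf` assumes GNU find as shipped on Linux hosts; both functions only read the file system.

```bash
#!/usr/bin/env bash
# Read-only triage of a web root. The allowlist and the demo tree are constructed
# assumptions; on a real account pass your own docroot (e.g. ~/public_html).

# Top-level entries of docroot ($1) that are not on the allowlist (remaining args).
unexpected_entries() {
  local docroot=$1 entry name allowed ok; shift
  for entry in "$docroot"/* "$docroot"/.[!.]*; do
    [ -e "$entry" ] || continue
    name=${entry##*/}; ok=0
    for allowed in "$@"; do
      if [ "$name" = "$allowed" ]; then ok=1; break; fi
    done
    if [ "$ok" -eq 0 ]; then printf '%s\n' "$name"; fi
  done | sort
}

# "<date> <count>" of *.php files under $1 per modification date, oldest first.
# A burst on a few adjacent days marks when the files were written.
php_mtime_histogram() {
  find "$1" -type f -name '*.php' -printf '%TY-%Tm-%Td\n' | sort | uniq -c |
    awk '{print $2, $1}'
}

# Constructed sample tree: a forum plus two directories nobody installed.
build_demo() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/cgi-bin" "$root/forum/Sources" "$root/gdoc/a" "$root/gdoc_old/b"
  touch -t 201701051200 "$root/forum/index.php" "$root/forum/Sources/Load.php"
  touch -t 201803161200 "$root/gdoc/a/1.php" "$root/gdoc/a/2.php"
  touch -t 201803231200 "$root/gdoc_old/b/3.php"
  touch -t 201701051200 "$root/.htaccess"
  printf '%s\n' "$root"
}

demo=$(build_demo)
echo "Not on allowlist:"; unexpected_entries "$demo" cgi-bin forum .htaccess
echo "PHP files by mtime:"; php_mtime_histogram "$demo"
rm -rf "$demo"
```

Modification times can be changed by whoever wrote the files, so treat the histogram as a lead to compare against access logs and backups, not as proof of when something happened.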


Aleksi "Lex" Kilpinen

No, not an SMF thing - but sadly I don't have a good answer to give further than that. Certainly I would not expect to see such on my own server, and you might want to ask your host about them.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas


airdave

It's funny...I first posted this query over at the C-Panel forums.

I finally got someone interested in talking to me about it, but help has been limited.
Nobody seems to be able to explain any of this.

This is obviously a google related thing...I've read some info about google documents and cloud backups and cloud server storage.
But nobody seems to be able to clearly explain a gdoc! lol

The hosting management Gator is no help.
They originally suspended the site because of a phishing/malware report.
I was directed to a specific malware file, that I removed.

The actual owner of the hosting account reported the cleanup, asked for the "security review" and got the site approved/un-suspended.
But when asking about the malware and these gdocs, he was informed that for a fee ($37) they would "investigate the malware attack". That's it.

So, I haven't gotten any help from them either (with regards to the gdocs)

Anyway, I have resorted to changing the names of all the gdoc related directories (three of them to be exact).
And now I am watching for what isn't working, or is affected on the forum.
If all looks okay, I will just manually delete those folders and files.

I have added a couple of mods to the forum over the years.
I wonder if one of them, added the gdoc thing?

Specifically "Stop Forum Spam", "Image Upload" and (not really a package mod, more of an integration) "PostImage"


Aleksi "Lex" Kilpinen

Quote from: airdave on April 10, 2019, 11:13:16 AM
I have added a couple of mods to the forum over the years.
I wonder if one of them, added the gdoc thing?

Specifically "Stop Forum Spam", "Image Upload" and (not really a package mod, more of an integration) "PostImage"
No, I am fairly sure that would not be a mod package ( at least not one that would be available on simplemachines.org ).

Sir Osis of Liver

Are you on Hostgator?  Just worked on a HG forum recently, strange things are happening there.  Moved them to a different host, that's what you should do.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

airdave

It's funny you should say that...I have my own hosting account through fxdomains.
I have been thinking about moving my forum to my own account.
It's only because I am clueless and scared on how this is done, that I haven't.

LOL it took me three years to gather up the courage to security update my forum.

can you expand on "strange things are happening there"?

Aleksi "Lex" Kilpinen

It does look like it could be a cpanel app for google docs that is working its magic on your files, but if that was the case you would have (normally, I think - not a cpanel user myself) actually had to install the app, and use it, to see stuff like that happening.

Sir Osis of Liver

There shouldn't be anything in /public_html you didn't put there other than a few system files.  Worked on a couple of Hostgator forums, not a very good host, crappy cpanel setup, poor support, but the most recent one was a mess.  Forum was down, everything was screwed up.   HG support blamed it on css. :P  At one point entire /Sources directory disappeared while I was working on forum.  Was able to import database to my server, ran fine in 1.1.21, upgraded normally to 2.0.15, moved it back to clean install on HG, would not run.  Convinced forum owner to move to my host (Crocweb), he's back in business.

GigaWatt

Quote from: Aleksi "Lex" Kilpinen on April 10, 2019, 01:47:55 PM
It does look like it could be a cpanel app for google docs that is working its magic on your files, but if that was the case you would have (normally, I think - not a cpanel user myself) actually had to install the app, and use it, to see stuff like that happening.

It could be done through WHM, but, I'm presuming the OP doesn't have WHM access, so, he can't actually see what's installed on the server. Even if an app is installed, it may not have settings or not be visible as an app in cPanel (you can set most of these options as a per user setting in WHM).

Except for "cgi-bin", there shouldn't be any other directory in "public_html".

You could move your forum to another directory (create a new directory in your user's root directory, that's how I like to set up things, since I know that the most common case scenario is to put everything in "public_html"), make that one publicly visible and link it with your domain, see if the "gdoc" directory gets created in there. If it does get created, yes, something is installed on the server that is sniffing activity on your (probably everyone on that server) account. Move your forum/site to another host.
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."

airdave

Thanks guys.

I renamed the three gdoc related directories and left it overnight.
Between myself and my admin, we scoured the forum looking for anything that didn't work or was missing...and found nothing.
All looks good today.

So, I deleted all the gdoc related files and folders. (yes, I downloaded a zipped backup first)

To be honest, I didn't want to have to move the forum because I don't know how.
And, it's a very quiet forum...not a big loss if it disappears.
I also didn't want to introduce any threats to my own web hosting since we've had issues with spammers and other attacks.

I think it may be prudent to wait a few months and make sure there are no further attacks or any new file appearances.
And then I will look into how to move the forum.

That's my other problem...understanding how to make the move without f***king something up. I'm really good at that.

GigaWatt

Actually, moving the forum is not that difficult. In most cases, all you'll need are the forum's files, the database and repair_settings.php ;).

Aleksi "Lex" Kilpinen

How do I move my SMF forum to a different host?

Basically it is just doing a thorough backup, and then restoring it in another location. :)

airdave

lol this is exactly the problem.

reading that article of 10 Steps might be (to you) as clear as reading the instructions on how to flush the toilet on an airplane.

But to me, it's as if I was on a Japanese flight, and the instructions were written only in Japanese...and I am drunk.

GigaWatt

Don't worry, you'll get the hang of it ;). As you tinker more and more with the software, you'll see that it actually isn't that difficult ;).