Unknown files in home directory

otakudes

Active Member
Jun 19, 2020
26
5
3
USA
cPanel Access Level
Website Owner
I was looking through my html directory and found a file I don't recognize. It appears to be a mail form. None of my forms ask for a phone number. I also notice error logs located in many of my html directories and wonder what they are doing out in the open. Any suggestions?

Code:
0
CgiVar---
name: redirect
state: hidden
active: 0
label:
text:
redirect urlCgiVar---
name: sort
state: hidden
active: 0
label:
text:
CgiVar---
name: return_link_title
state: hidden
active: 1
label:
text:
homepageCgiVar---
name: name
state:
active: 1
label:
text:
CgiVar---
name: title
state: hidden
active: 1
label:
text:
Your Message Has Been SentCgiVar---
name: required
state: hidden
active: 1
label:
text:
email,name,messageCgiVar---
name: print_blank_fields
state: hidden
active: 1
label:
text:
0CgiVar---
name: phone
state:
active: 0
label: Your Phone number?
text:
YourPhoneCgiVar---
name: env_report
state: hidden
active: 1
label:
text:
REMOTE_ADDR,HTTP_USER_AGENTCgiVar---
name: missing_fields_redirect
state: hidden
active: 1
label:
text:
Back to Main PageCgiVar---
name: return_link_url
state: hidden
active: 1
label:
text:
http://www.mycockerspaniel.com/index.htmCgiVar---
name: message
state:
active: 1
label:
text:
CgiVar---
name: subject
state:
active: 1
label:
text:
CgiVar---
name: recipient
state: hidden
active: 0
label:
text:
Send To:CgiVar---
name: email
state:
active: 1
label:
text:
CgiVar---
name: print_config
state: hidden
active: 0
label:
text:
email,subjectCgiVar---
name: realname
state:
active: 0
label:
text:
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,629
363
cPanel Access Level
Root Administrator
As @keat63 was getting at, if you aren't familiar with the website listed on the form, it's possible that cPanel account could be compromised. If so, you should remove the file(s) from the account, change the cPanel password for that user, and ensure that any users with access to the account scan their local systems for virus and malware.
 

otakudes

Active Member
Jun 19, 2020
26
5
3
USA
cPanel Access Level
Website Owner
Yes. My site. File name was

FM_MCSformMail.dat

It sounds like a name I would have come up with. I think this is old formMail file. My site is old and moved many times. I have changed my password . Any ideas about the error log files? I had deleted them but they reappear. Haven’t tried it recently though since moving servers
 

otakudes

Active Member
Jun 19, 2020
26
5
3
USA
cPanel Access Level
Website Owner
That's the file name.

Code:
File: ‘error_log’
  Size: 2098            Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 92292416    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1001/mycocker)   Gid: ( 1003/mycocker)
Context: unconfined_u:object_r:home_root_t:s0
Access: 2020-12-22 23:26:08.473803721 +0000
Modify: 2020-09-09 10:37:03.964076825 +0000
Change: 2020-09-09 10:37:03.964076825 +0000
 Birth: -
The contents are like I would see for my server's error log. I don't understand why they are in the html directory
Code:
[09-Aug-2020 04:11:52 UTC] PHP Warning:  trim() expects parameter 1 to be string, array given in /home/mycocker/public_html/blog/wp-includes/class-wp-query.php on line 777
[27-Aug-2020 23:40:52 UTC] PHP Warning:  require(/blog/wp-load.php): failed to open stream: No such file or directory in /home/mycocker/public_html/index_version1.php on line 30
[27-Aug-2020 23:40:52 UTC] PHP Fatal error:  require(): Failed opening required '/blog/wp-load.php' (include_path='.:/opt/cpanel/ea-php74/root/usr/share/pear') in /home/mycocker/public_html/index_version1.php on line 30
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,629
363
cPanel Access Level
Root Administrator
By default, the error_log gets created for PHP errors so users can see their own errors without needing root access. You can find some additional details on that process here:

 

keat63

Well-Known Member
Nov 20, 2014
1,957
266
113
cPanel Access Level
Root Administrator
I googled the file name FM_MCSformMail.dat , and whilst it's not conclusive, the fact that it only appears on this forum, would at least give me some confidence that it's not some well known malicious script.
 
  • Like
Reactions: cPRex and otakudes
Thread starter Similar threads Forum Replies Date
A Miscellaneous 4
J Miscellaneous 1