Unknown files in home directory

otakudes

Active Member
Jun 19, 2020
39
7
8
USA
cPanel Access Level
Website Owner
I was looking through my html directory and found a file I don't recognize. It appears to be a mail form. None of my forms ask for a phone number. I also notice error logs located in many of my html directories and wonder what they are doing out in the open. Any suggestions?

Code:
0
CgiVar---
name: redirect
state: hidden
active: 0
label:
text:
redirect urlCgiVar---
name: sort
state: hidden
active: 0
label:
text:
CgiVar---
name: return_link_title
state: hidden
active: 1
label:
text:
homepageCgiVar---
name: name
state:
active: 1
label:
text:
CgiVar---
name: title
state: hidden
active: 1
label:
text:
Your Message Has Been SentCgiVar---
name: required
state: hidden
active: 1
label:
text:
email,name,messageCgiVar---
name: print_blank_fields
state: hidden
active: 1
label:
text:
0CgiVar---
name: phone
state:
active: 0
label: Your Phone number?
text:
YourPhoneCgiVar---
name: env_report
state: hidden
active: 1
label:
text:
REMOTE_ADDR,HTTP_USER_AGENTCgiVar---
name: missing_fields_redirect
state: hidden
active: 1
label:
text:
Back to Main PageCgiVar---
name: return_link_url
state: hidden
active: 1
label:
text:
http://www.mycockerspaniel.com/index.htmCgiVar---
name: message
state:
active: 1
label:
text:
CgiVar---
name: subject
state:
active: 1
label:
text:
CgiVar---
name: recipient
state: hidden
active: 0
label:
text:
Send To:CgiVar---
name: email
state:
active: 1
label:
text:
CgiVar---
name: print_config
state: hidden
active: 0
label:
text:
email,subjectCgiVar---
name: realname
state:
active: 0
label:
text:
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
15,302
2,438
363
cPanel Access Level
Root Administrator
As @keat63 was getting at, if you aren't familiar with the website listed on the form, it's possible that cPanel account could be compromised. If so, you should remove the file(s) from the account, change the cPanel password for that user, and ensure that any users with access to the account scan their local systems for viruses and malware.
 

otakudes

Yes. My site. File name was

FM_MCSformMail.dat

It sounds like a name I would have come up with. I think this is an old formMail file. My site is old and has moved many times. I have changed my password. Any ideas about the error log files? I had deleted them but they reappear. Haven't tried it recently though since moving servers.
 

otakudes

That's the file name.

Code:
File: ‘error_log’
  Size: 2098            Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 92292416    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1001/mycocker)   Gid: ( 1003/mycocker)
Context: unconfined_u:object_r:home_root_t:s0
Access: 2020-12-22 23:26:08.473803721 +0000
Modify: 2020-09-09 10:37:03.964076825 +0000
Change: 2020-09-09 10:37:03.964076825 +0000
 Birth: -
The contents are like what I would see in my server's error log. I don't understand why they are in the html directory.
Code:
[09-Aug-2020 04:11:52 UTC] PHP Warning:  trim() expects parameter 1 to be string, array given in /home/mycocker/public_html/blog/wp-includes/class-wp-query.php on line 777
[27-Aug-2020 23:40:52 UTC] PHP Warning:  require(/blog/wp-load.php): failed to open stream: No such file or directory in /home/mycocker/public_html/index_version1.php on line 30
[27-Aug-2020 23:40:52 UTC] PHP Fatal error:  require(): Failed opening required '/blog/wp-load.php' (include_path='.:/opt/cpanel/ea-php74/root/usr/share/pear') in /home/mycocker/public_html/index_version1.php on line 30
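
An added example, not part of any post in this thread and not cPanel's own tooling: a Python audit that walks a document root, finds every `error_log` like the one shown above, and reports its permission bits along with the severities and script paths recorded in it. The function names and the docroot argument are assumptions made for illustration.

```python
import os
import re
import stat
from collections import Counter

# Line shape taken from the error_log excerpt quoted in the post above:
# [09-Aug-2020 04:11:52 UTC] PHP Warning:  <message> in /path/file.php on line 777
ENTRY = re.compile(
    r"^\[(?P<when>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?):\s+(?P<msg>.*?)"
    r"(?: in (?P<file>/\S+) on line (?P<line>\d+))?$"
)

def parse_error_log(text):
    """Return one dict per recognised PHP log entry; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def audit_docroot(docroot, log_name="error_log"):
    """Walk docroot (hypothetical path) and describe each error_log beneath it."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if log_name not in files:
            continue
        path = os.path.join(dirpath, log_name)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8", errors="replace") as fh:
            entries = parse_error_log(fh.read())
        findings.append({
            "path": path,
            "mode": format(mode, "04o"),
            # 0644, as in the stat output above, sets the "other read" bit
            "world_readable": bool(mode & stat.S_IROTH),
            "levels": dict(Counter(e["level"] for e in entries)),
            "scripts": sorted({e["file"] for e in entries if e["file"]}),
        })
    return findings

if __name__ == "__main__":
    import sys
    for finding in audit_docroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

A log reported as world-readable inside the document root is worth checking against the web server's access rules, because entries like the ones above contain the account name and absolute script paths.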
 

cPRex

By default, the error_log gets created for PHP errors so users can see their own errors without needing root access. You can find some additional details on that process here:

 

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
I googled the file name FM_MCSformMail.dat, and whilst it's not conclusive, the fact that it only appears on this forum would at least give me some confidence that it's not some well-known malicious script.
 