Full Version: Unknown files on Anonymous FTP
Kendric Moxon
I connected to my FTP site today via anonymous FTP and noticed that my site had a /mail subfolder in it with some files that are *not* mine ... I tried logging on with my admin account but could not locate the files anywhere within my directory structure.

What gives?

go to ftp://razorangel.com/mail/

I did not place any of those files there, nor do I know where they reside on my account.

What gives?
Alec
It was an FTP bug and it has been fixed now.
brikface
QUOTE(Alec @ Feb 3 2005, 09:08 PM)
It was an FTP bug and it has been fixed now.
*

I have the exact same situation on my account, and this phantom /mail directory was last modified in mid-June of this year. So how has it been fixed?

I'm on server20. Maybe you didn't do the fix on all machines?

Also, I have Anonymous FTP turned off but I can get in with "anonymous" and "ftp" usernames and any password with the at sign. Please explain.

--
BF
MartinB
the same at: ftp://ftp.wizhosting.com/
server20
carahost
same here server 23 in all my domains
brikface
QUOTE(carahost @ Jul 15 2005, 10:29 PM)
same here server 23 in all my domains
*

So how about it Hostony? This has been up for two days. A response please?

There is something very strange about these /mail directories. They aren't even visible with a global FIND command from an account owner logged in as root... It's almost as if, as if... well, as I said, Hostony, please explain.

--
BF
Lehrer
Dear customers, we are now investigating the origin of those files in your subdirectories.
We'll update this topic soon
(Just wanted to let you know that we are looking into this.)
brikface
QUOTE(Lehrer @ Jul 17 2005, 01:07 PM)
Dear customers, we are now investigating the origin of those files in your subdirectories.
We'll update this topic soon
(Just wanted to let you know that we are looking into this.)
*


Glad you're on top of it. When you've found the cause would you please delete these files? On my account they are using significant space.

BTW, one file in my /mail directory is named "alex.swf". Wasn't Alex the name of an admin there?

--
BF
Lehrer
brikface, sure, but the only problem is that you forgot to mention your domain name here :D Please provide it asap for me to delete those files. By the way, the problem was with anonymous FTP configuration.
Lehrer
Kendric Moxon, the files from your /mail directory were deleted.
brikface
QUOTE(Lehrer @ Jul 17 2005, 04:46 PM)
brikface, sure, but the only problem is that you forgot to mention your domain name here :D Please provide it asap for me to delete those files. By the way, the problem was with anonymous FTP configuration.
*

My domain is cleonproductions.com. Thank you sir.

--
BF
Lehrer
brikface, the malicious files from your mail directory are deleted. You now have more webspace available.
brikface
QUOTE(Lehrer @ Jul 17 2005, 04:46 PM)
brikface, sure, but the only problem is that you forgot to mention your domain name here :D Please provide it asap for me to delete those files. By the way, the problem was with anonymous FTP configuration.
*

Ok it's good the files are deleted but when you say "the problem was with anonymous FTP configuration", that doesn't quite tell the whole story. Yes, a mistake in anonymous FTP config made this possible, but there must have been an individual or a group working together who exploited the mistake in such a consistent way across so many servers. In all cases a strange "/mail" subdirectory on the same level as "/home/account/pub" was used. Apparently in all cases the "/mail" subdir was used as storage for illegal software (on my server there was a full version of Sonic Foundry). But the nature of these subdirectories was very strange. As noted above by me and another user, they were not visible in the normal file system available to us through jailshell. This strongly suggests 1) An inside job, or 2) Hackers gained access to your servers on a root level. The fact that he/she or they sniffed out and hijacked specific user accounts also shows he/she or they were operating at a global root or close-to-global-root level outside the jailshell.

Please tell us what you can about this. I can understand if you want to stay silent on certain issues, but you could at least give us an indication that you're aware this wasn't just a case of random people on the net thinking they were using Anon FTP-- that you're aware it was a pretty sophisticated action possibly by one of your current or former co-workers.

--
BF
Lehrer
Dear customer, it was a cPanel bug with anonymous FTP configuration. We have written a report to the cPanel developers. Our admins tried to fix this bug on their own, but there is still no chance to do it. But I assure you that there is nothing strange or suspicious about those files, they are not connected with hacker attacks, unsolicited video/mp3/soft whatever. Nobody has got access to the servers, our root passwords are changed at least two-three times a week. Please stop the panic and just believe me that there is nothing to worry about so much.
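
Added example, not part of any post in this thread and not Hostony or cPanel code: one way an account owner or admin could confirm from FTP transfer logs which files anonymous sessions wrote and how much space they take per directory. It assumes the server writes a wu-ftpd style xferlog, which the thread does not state; the log lines, hosts and file names other than alex.swf are constructed.

```python
from collections import defaultdict

# Constructed sample records in the wu-ftpd style xferlog format (assumption:
# the thread does not say which log format the hosting servers write).
SAMPLE_XFERLOG = """\
Wed Jun 15 02:11:40 2005 31 198.51.100.7 5242880 /mail/alex.swf b _ i a mozilla@example.com ftp 0 * c
Wed Jun 15 02:14:02 2005 95 198.51.100.7 73400320 /mail/setup.part1.rar b _ i a mozilla@example.com ftp 0 * c
Thu Jun 16 09:30:12 2005 2 203.0.113.20 10240 /pub/readme.txt a _ o a guest@example.org ftp 0 * c
Thu Jun 16 10:02:55 2005 4 192.0.2.44 20480 /public_html/index.html a _ i r siteowner ftp 0 * c
Fri Jun 17 03:45:09 2005 12 198.51.100.9 1048576 /mail/notes.bin b _ i a x@ ftp 0 * i
"""

def parse_xferlog_line(line):
    """Split one xferlog record into named fields; return None if malformed."""
    parts = line.split()
    if len(parts) < 18:
        return None
    # 8 leading fields (5-token timestamp, duration, host, size) and 9 trailing
    # fields are fixed; the file name is whatever sits between them.
    tail = parts[-9:]
    try:
        size = int(parts[7])
    except ValueError:
        return None
    return {
        "when": " ".join(parts[0:5]), "host": parts[6],
        "size": size, "path": " ".join(parts[8:-9]),
        "direction": tail[2], "access": tail[3],  # i = upload, a = anonymous
        "user": tail[4], "status": tail[8],       # c = complete, i = incomplete
    }

def anonymous_uploads(log_text):
    """Return records for files written to the server by anonymous sessions."""
    records = (parse_xferlog_line(l) for l in log_text.splitlines())
    return [r for r in records if r and r["direction"] == "i" and r["access"] == "a"]

def bytes_by_top_dir(records):
    """Sum uploaded bytes per top-level directory of the FTP root."""
    totals = defaultdict(int)
    for rec in records:
        top = "/" + rec["path"].lstrip("/").split("/", 1)[0]
        totals[top] += rec["size"]
    return dict(totals)

if __name__ == "__main__":
    hits = anonymous_uploads(SAMPLE_XFERLOG)
    for rec in hits:
        print(rec["when"], rec["host"], rec["path"], rec["size"], rec["status"])
    print(bytes_by_top_dir(hits))
```

Uploads by real (non-anonymous) accounts and anonymous downloads are ignored, so anything reported came in through the anonymous login path.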