Web Hosting Talk

mail_any.php


ub3r
10-22-2004, 07:54 PM
Earlier tonight I went to run my MySQL database backup script, and I found a script named mail_any.php which was owned by nobody:nobody in the directory where backups are saved.

I immediately freaked out and deleted the file, and got to work trying to figure out how the file ended up there.

access_log doesn't show any sign of the script being used.
The folder was chmod'd to 777; it is now 755.

When I grep'd the access_log for the time that the file was created, it actually showed my initial connection to the site.

But here's the weird part: minutes later, when I went to run a command to send the output of my previous command (to see what happened at the times when those files were accessed) to a separate file, the access log was empty.

So, now what I'm trying to figure out is:

A) How convenient is it that the log was removed at that very moment?

B) How did the file get there? What is being exploited?

C) Is there any way to recover old logs on a cPanel system?

I've tried contacting the hosting company for support, but live support is not responding, even though their homepage says live support is online.

I had already looked through the access_log for evidence of an exploit; there's nothing.

If you do a WHT search for it, it shows that a few other WHTers have been hit by this: http://mikey.gotroot.ca/wht?q=mail_any.php

YUPAPA
10-23-2004, 01:31 AM
The script was probably saved to your directory because your directory is writable to everyone ~ :angel:

The script could be executed from the command line rather than accessed over HTTP, so you cannot find any access to your script by looking at your access log ~ :fairy:

The access log being empty could be because the log file was rotated ~ :penguin:
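The two conditions the thread turns on, a world-writable directory and a PHP file owned by the web server's own account (nobody:nobody above), are easy to audit for. The script below is an added example, not code from this thread or from cPanel; it assumes a POSIX sh with `find`, `chmod` and `mktemp`, and it builds its own constructed sample tree (a `backups` folder chmod'd 777 containing a placeholder `mail_any.php`) so it can be run offline. The fix function applies the poster's own remedy (dropping the other-write bit, 777 to 755) across the whole tree.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a web root for the two
# conditions described above (world-writable directories such as the 777
# backup folder, and files owned by the web server's unprivileged account,
# nobody:nobody in the original post), then remove the world-write bit the
# way the poster did (777 -> 755).

# Print every directory under $1 that "others" may write to.
# -perm -0002 matches any mode with the other-write bit set (777, 767, 1777 ...).
audit_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Print every regular file under $1 owned by the account named in $2.
# On a shared host, a PHP file owned by the web server user rather than the
# site owner is exactly the signature the thread describes.
audit_files_owned_by() {
    find "$1" -type f -user "$2" -print
}

# Strip the other-write bit from every world-writable directory under $1.
# This is the poster's 777 -> 755 change applied tree-wide.
fix_world_writable_dirs() {
    find "$1" -type d -perm -0002 -exec chmod o-w {} +
}

# Build a small constructed tree that reproduces the situation in the post:
# a backups folder chmod 777 holding a stray mail_any.php next to a dump.
# Prints the path of the temporary root; the caller removes it afterwards.
make_sample_webroot() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/public_html/backups" "$root/public_html/images"
    printf 'CREATE TABLE t (id INT);\n' > "$root/public_html/backups/db.sql"
    printf '<?php /* constructed placeholder, not a real script */ ?>\n' \
        > "$root/public_html/backups/mail_any.php"
    chmod 777 "$root/public_html/backups"
    printf '%s\n' "$root"
}

# Stand-alone run (sh audit.sh --demo): audit the constructed tree, fix it,
# audit again. The second audit prints nothing once the bit is removed.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_webroot)
    echo "world-writable directories:"
    audit_world_writable_dirs "$root"
    echo "files owned by $(id -un):"
    audit_files_owned_by "$root" "$(id -un)"
    fix_world_writable_dirs "$root"
    echo "after fix:"
    audit_world_writable_dirs "$root"
    rm -rf "$root"
fi
```

On a real account you would point `audit_world_writable_dirs` at the home directory and `audit_files_owned_by` at the same root with the web server's user (nobody on the host in the thread), and treat any PHP file that turns up under that user as something to investigate before deleting it, since the file itself is the only evidence left once the access log has rotated.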

EV1-Mango
11-06-2004, 08:49 PM
That was me, sorry!!! :(

ub3r
11-06-2004, 09:43 PM
Gosh..

Well, that's great.

Well, just to let the people out there know, one of Mango's proxy IPs is 157.91.12.70