I have found in my server access logs that someone is trying to access the GXHLGSL.txt file. It looks like an automated test (it was right after trying wp-login.php).

When I googled that file I found it on several sites. It contains the word TEST.

What is the purpose of it? To mark sites that allow file uploads?

TheJulyPlot
user145678
  • I'm confused about what you are asking. The title does not match the body. I'm not sure this is the correct site to ask what I think you are asking ("what is this file?") – schroeder Apr 13 '17 at 08:43
  • Googling shows that they are often on FTP sites. Note [this site](http://superfon.myftp.org:9080/wymiana/%EE%80%80Ma%C5%82a%EE%80%81%20encyklopedia%20kultury%20antycznej.doc) that also contains a lot of 10 byte text files with random names and random content. –  Apr 13 '17 at 08:47
  • Also [this site](https://seo.klimin-viktor.com/ip-adresa-dlya-blokirovki.html) marks these requests as a vulnerability scan. –  Dec 13 '17 at 06:14

1 Answer

There sure are a lot of sites out there with this file. It looks like someone trying to test the ability to upload a file, or upload a file and then modify it maybe.

I can't find any description of this file name being from a specific vulnerability scanner. I'd say you are right that this is a bot and not a human. They could be marking sites, as Google seems to index them, though I'd expect malicious users to attempt to cover their tracks and not leave evidence behind of their visit.

Things you could do: delete the file, check your permissions on your upload directory, make sure no one can execute anything, check your permitted file types and how you are preventing them, consider banning this IP, and consider preventing indexing via a robots file if you don't need it.

iainpb
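One way to triage these requests in your own access log, as an added example that is not part of the original question or answer: it flags requests for marker-style `.txt` files, notes whether the same client probed `wp-login.php` first, and reports whether the server actually served the file (a 200 means the file exists and the upload path needs attention). It assumes Combined Log Format; the name pattern is generalized from `GXHLGSL.txt`, and the sample log lines and the name `QWERTYU.txt` are constructed.

```python
import re

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumption: marker files look like GXHLGSL.txt (upper-case letters at the web root).
MARKER = re.compile(r'^/[A-Z]{6,10}\.txt$')
LOGIN_PROBE = "/wp-login.php"

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """
203.0.113.7 - - [13/Apr/2017:08:01:10 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [13/Apr/2017:08:01:11 +0000] "GET /GXHLGSL.txt HTTP/1.1" 404 162 "-" "-"
198.51.100.9 - - [13/Apr/2017:08:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 24 "-" "-"
198.51.100.20 - - [13/Apr/2017:09:00:00 +0000] "GET /QWERTYU.txt HTTP/1.1" 200 4 "-" "-"
"""

def find_marker_probes(lines):
    """Return one finding per request for a marker-style .txt file."""
    probed_login = set()   # clients that already requested wp-login.php
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue       # blank or non-matching line
        ip, method, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        path = target.split("?", 1)[0]
        if path == LOGIN_PROBE:
            probed_login.add(ip)
        elif MARKER.match(path):
            findings.append({
                "ip": ip,
                "path": path,
                "status": status,
                # Same client hit wp-login.php earlier: scanner-like sequence.
                "after_login_probe": ip in probed_login,
                # File was served: it exists on disk, so review the upload path.
                "file_present": method == "GET" and status == 200,
                # Assumption: PUT/POST to the marker name is a write attempt.
                "write_attempt": method in ("PUT", "POST"),
            })
    return findings

if __name__ == "__main__":
    for f in find_marker_probes(SAMPLE_LOG.splitlines()):
        print(f)
```

A finding with `file_present` set is the case the answer's checklist applies to: remove the file and review write and execute permissions on the directory it landed in.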