[cobalt-users] RaQ3i - Possible hack attempt? Please help!
- Subject: [cobalt-users] RaQ3i - Possible hack attempt? Please help!
- From: Robert Hughes <robert@xxxxxxxxxx>
- Date: Sat Apr 7 11:23:06 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
I've just encountered 2 alarming files on our RaQ3i.
Has anyone ever seen the following files in their /etc/httpd/conf directory?
1. fpx.httpd.conf
2. fpx.httpd.bak
They appeared out of nowhere about a week ago. I don't remember installing anything recently that would have added them.
Is it possible that this is some sort of hack attempt?
The files look just like our regular httpd.conf file except for three things:
1. The main server's virtualhost directive is not included in the fpx.httpd.conf.
2. The site# in the fpx.httpd.conf is not the same as in the httpd.conf. (the regular httpd.conf file has the correct site#s)
3. In the fpx.httpd.conf there are no rewrite conditions, alias matches, addhandlers, etc. (see below)
Please advise!!!
Regards,
Robert Hughes
Regular httpd.conf virtualhost directives:
#########################################
<VirtualHost 216.149.220.99>
ServerName www.jennyv.com
ServerAdmin admin
DocumentRoot /home/sites/site3/web
ServerAlias jennyv.com
RewriteEngine on
RewriteCond %{HTTP_HOST} !^216.149.220.99(:80)?$
RewriteCond %{HTTP_HOST} !^www.jennyv.com(:80)?$
RewriteRule ^/(.*) http://www.jennyv.com/$1 [L,R]
RewriteOptions inherit
AliasMatch ^/~([^/]+)(/(.*))? /home/sites/site3/users/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /home/sites/site3/users/$1/web/$3
AddHandler cgi-wrapper .cgi
AddHandler cgi-wrapper .pl
AddHandler server-parsed .shtml
AddType text/html .shtml
</VirtualHost>
#########################################
fpx.httpd.conf virtualhost directives:
#########################################
<VirtualHost questpcs.jennyv.com>
ServerName questpcs.jennyv.com
ServerAdmin admin
DocumentRoot /home/sites/site28/web
</VirtualHost>
#########################################
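Added example, not part of the original post: the comparison the message makes by hand (virtual hosts missing from the copy, a changed site directory, dropped directives) done in Python over two constructed configs. The hosts, addresses, function names and finding labels are assumptions for illustration.

```python
import re

# Constructed sample configs (placeholder hosts and addresses), shaped like the two files in the post.
MAIN_CONF = """\
<VirtualHost 192.0.2.10>
ServerName www.example.com
DocumentRoot /home/sites/home/web
</VirtualHost>
<VirtualHost 192.0.2.10>
ServerName shop.example.com
DocumentRoot /home/sites/site3/web
RewriteEngine on
AliasMatch ^/~([^/]+)(/(.*))? /home/sites/site3/users/$1/web/$3
AddHandler cgi-wrapper .cgi
</VirtualHost>
"""
COPY_CONF = """\
<VirtualHost shop.example.com>
ServerName shop.example.com
DocumentRoot /home/sites/site28/web
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text):
    """Return {ServerName: {directive_lowercase: [argument strings]}} per block."""
    vhosts = {}
    for addr, body in VHOST_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if not parts or parts[0].startswith("#"):
                continue  # skip blank lines and comments
            args = parts[1].strip() if len(parts) > 1 else ""
            directives.setdefault(parts[0].lower(), []).append(args)
        # Key on ServerName; fall back to the block address if it is absent.
        vhosts[directives.get("servername", [addr.strip()])[0]] = directives
    return vhosts

def compare(main_text, copy_text):
    """Return (kind, vhost, detail) tuples for what the copy lacks or changes."""
    main, copy = parse_vhosts(main_text), parse_vhosts(copy_text)
    findings = [("missing_vhost", n, "") for n in sorted(main.keys() - copy.keys())]
    for name in sorted(main.keys() & copy.keys()):
        m, c = main[name], copy[name]
        if m.get("documentroot") != c.get("documentroot"):
            findings.append(("docroot_differs", name, c.get("documentroot", [""])[0]))
        dropped = sorted(set(m) - set(c))  # directive names absent from the copy
        if dropped:
            findings.append(("directives_dropped", name, ",".join(dropped)))
    return findings
```

To run it against real files, pass the contents of each file as strings to `compare()`.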