The server where the backup’s log of the last three days are situated is badly set. The access for all directory by server is free, include “utils” directory that contains one script file called “update.sh” inside of which are situated the user and password to enter and download the database log from ip2location.com ~ excerpt from Giani Amoto
There is workaround for statcounter update.sh ip2location informations leak
check out this posts at kakkoi → Statcounter Update.sh Vulnerability Fixes
add the following htaccess code in statcounter /utils/ directory.
#deny access to any file with *.sh filetypes <Files ~ "^\.sh"> Order allow,deny Deny from all Satisfy All </Files> #Deny request for *.log & comment files <Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])"> Order allow,deny Deny from all Satisfy All </Files>