Does look like someone may be hosting phishing content on your site and sending out emails with links to those pages. Especially that ups.com/tracking makes me lean towards that.

Amit K Nepal (CISM, CISSP, RHCE, CCENT, C|EH, C|HFI, GIAC ISO 27000 Specialist)

On 5/25/2018 1:47 AM, David Schwartz wrote:
>
> I got a notice from a cPanel hosting site that one of my accounts was
> nearing its monthly bandwidth limit.
>
> That got my attention because this account has nothing going on other
> than email, and there's no reason it should be anywhere close to its
> monthly bandwidth limits.
>
> In particular, there were no scripts of any kind installed other than
> index.php that serves as a simple welcome page template.
>
> I dug around and discovered the following entry in my FTP access log:
>
> Mon May 14 04:17:43 2018 1 186.103.199.252 147274 /home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c
>
> About an hour later, I found this in my HTTP log:
>
> 85.214.51.131 - - [14/May/2018:05:29:20 -0700] "POST /wp_count.php HTTP/1.1" 200 827 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> Note that I have not used FTP on this account at all in ages. There
> are no FTP users defined other than two that cPanel sets up and I
> cannot disable or remove them.
>
> Can anybody tell me what that FTP entry says it's doing?
>
> What it appears happened is that it injected a script of some kind
> that ran and then created several other folders with different names
> in my public_html folder.
>
> The hosting folks keep saying it was probably MY scripts that were
> exploited, but I had no scripts installed.
>
> The names that were given made it LOOK like I had some scripts
> installed, though. Stuff you wouldn't think twice about seeing in a
> web folder.
>
> Here are some more log entries that resulted from this breach:
>
> 85.214.51.131 - - [15/May/2018:09:53:05 -0700] "POST /options.php HTTP/1.1" 200 115 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 64.253.105.72 - - [15/May/2018:09:53:13 -0700] "GET /Invoice-Corrections-for-23/86/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> … a ton of accesses to this path along with POSTs to /options.php
>
> Every once in a while a second URL would show up (referrer?) right
> before the browser type entry, and sometimes it would be to this folder
> on my site.
>
> Tons and tons of entries like this:
>
> 216.177.137.55 - - [16/May/2018:09:35:57 -0700] "POST /options.php HTTP/1.1" 200 35 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 198.199.88.162 - - [16/May/2018:09:40:20 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> with either 35 or 17 after the 200 response code.
>
> Then it switches to this:
>
> 193.150.14.77 - - [17/May/2018:10:29:44 -0700] "POST /options.php HTTP/1.1" 200 73 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 46.4.99.77 - - [17/May/2018:10:29:51 -0700] "GET /vZnFeiw1/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> so it's no longer using /Invoice-Corrections-for… but /vZnFeiw1
>
> NOTE: each of these folders has two files in it: index.php and
> web.config, which are oddly encoded scripts that were unreadable.
>
> Then it switches to this folder:
>
> 65.19.178.162 - - [21/May/2018:09:39:19 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 94.176.2.155 - - [21/May/2018:09:39:31 -0700] "GET /ups.com/WebTracking/GR-198010007/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> Then we get some interesting stuff where GETs and POSTs are replaced
> with things I've never seen before:
>
> 34.239.146.197 - - [22/May/2018:01:30:20 -0700] "OPTIONS /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 136704 "-" "Microsoft Office Protocol Discovery"
> 34.239.146.197 - - [22/May/2018:01:30:21 -0700] "HEAD /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "OPTIONS /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "OPTIONS /ups.com/WebTracking/ HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking/ HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
>
> Then it switches to this folder:
>
> 193.150.14.77 - - [23/May/2018:22:41:09 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 198.199.88.162 - - [23/May/2018:22:41:18 -0700] "GET /Rechnungsanschrift/Rechnung-scan/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> And at this point I started deleting things:
>
> 46.4.99.77 - - [24/May/2018:17:23:12 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:49 -0700] "POST /options.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:52 -0700] "POST /assets/css/edit.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:58 -0700] "POST /assets/images/functions.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:59 -0700] "POST /assets/common.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:28:00 -0700] "POST /css/options.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:28:01 -0700] "POST /images/config.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:28:01 -0700] "POST /js/image.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 185.220.70.236 - - [24/May/2018:17:31:17 -0700] "GET /Rechnungsanschrift/Rechnung-scan/ HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)"
> 208.80.194.32 - - [24/May/2018:17:32:28 -0700] "GET /vZnFeiw1/ HTTP/1.0" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
> 193.226.177.40 - - [24/May/2018:17:54:38 -0700] "GET /ups.com/webtracking/gr-198010007 HTTP/1.1" 404 - "-" "Mozilla/4.0"
>
> Can you hear it squealing like the Wicked Witch of the East as I
> started pulling the legs off of this bot net or whatever it was?
>
> Looking over the entire log, it's pretty clear that the /options.php
> file was acting as some kind of a control hub, directing traffic and
> setting up additional folders with scripts that were then accessed by
> others around the world.
>
> I wish I could see the data that was GETted and POSTed.
>
> Does this activity look familiar to anybody?
>
> -David Schwartz
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
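An added example, not part of the thread: the two logs David quotes are in well-known formats, and the pattern he describes (a successful POST to one PHP file, then a GET from a different address to a folder that did not exist before) can be pulled out mechanically. The FTP line is standard xferlog format, whose trailing fields read: `b` binary transfer, `_` no special action, `i` incoming (an upload to the server), `r` real (non-anonymous) user `xxxxxx`, service `ftp`, `1` RFC 931 ident authentication used, `*` no authenticated id available, `c` transfer completed. In other words, someone logged in over FTP with account credentials and uploaded a 147274-byte `wp_count.php` into `public_html`; an hour later the first POST to that file appears in the access log. The script below parses both formats and runs four triage checks over a constructed sample made from the thread's own lines (user agents abridged). The file names, function names and the 60-second correlation window are my assumptions, not anything from the post or the hosting provider.

```python
"""Added example, not code from the thread: triage the xferlog and Apache
combined-format access-log lines quoted above. Flags script uploads over FTP,
PHP files answering POSTs from many addresses (a "control hub"), new top-level
folders first fetched seconds after such a POST, and non-GET/POST/HEAD methods."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the xferlog entry from the thread.
XFERLOG = ("Mon May 14 04:17:43 2018 1 186.103.199.252 147274 "
           "/home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c\n")

# Constructed sample input: a subset of the access-log entries from the thread.
UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
DAV = "Microsoft-WebDAV-MiniRedir/6.1.7601"
ACCESS_LOG = "\n".join([
    f'85.214.51.131 - - [14/May/2018:05:29:20 -0700] "POST /wp_count.php HTTP/1.1" 200 827 "-" "{UA}"',
    f'85.214.51.131 - - [15/May/2018:09:53:05 -0700] "POST /options.php HTTP/1.1" 200 115 "-" "{UA}"',
    f'64.253.105.72 - - [15/May/2018:09:53:13 -0700] "GET /Invoice-Corrections-for-23/86/?s HTTP/1.1" 200 2 "-" "{UA}"',
    f'193.150.14.77 - - [17/May/2018:10:29:44 -0700] "POST /options.php HTTP/1.1" 200 73 "-" "{UA}"',
    f'46.4.99.77 - - [17/May/2018:10:29:51 -0700] "GET /vZnFeiw1/?s HTTP/1.1" 200 2 "-" "{UA}"',
    f'65.19.178.162 - - [21/May/2018:09:39:19 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "{UA}"',
    f'94.176.2.155 - - [21/May/2018:09:39:31 -0700] "GET /ups.com/WebTracking/GR-198010007/?s HTTP/1.1" 200 2 "-" "{UA}"',
    f'34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking HTTP/1.1" 301 246 "-" "{DAV}"',
    f'65.19.178.162 - - [24/May/2018:17:27:49 -0700] "POST /options.php HTTP/1.1" 404 - "-" "{UA}"',
])

# xferlog: date, seconds, host, bytes, file, type a/b, special action,
# direction i/o/d, access mode a/g/r, user, service, auth method, auth id, status c/i.
XFER_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<bytes>\d+) (?P<file>\S+) (?P<type>[ab]) (?P<action>\S+) (?P<direction>[iod]) "
    r"(?P<mode>[agr]) (?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<authid>\S+) "
    r"(?P<status>[ci])$")

# Apache combined log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl")

def ftp_script_uploads(text):
    """Completed uploads (direction 'i') of server-side script files."""
    hits = []
    for line in text.splitlines():
        m = XFER_RE.match(line)
        if m and m["direction"] == "i" and m["status"] == "c" \
                and m["file"].lower().endswith(SCRIPT_EXT):
            hits.append((m["host"], m["user"], m["file"]))
    return hits

def parse_access(text):
    """Parse combined-format lines into dicts, sorted by timestamp."""
    recs = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            r = m.groupdict()
            r["time"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
            recs.append(r)
    return sorted(recs, key=lambda r: r["time"])

def top_folder(path):
    """'/ups.com/WebTracking/x/?s' -> '/ups.com'."""
    return "/" + path.split("?", 1)[0].strip("/").split("/")[0]

def control_hubs(recs, allowlist=("/index.php",)):
    """Scripts that answered POSTs with 200, ranked by distinct source IPs."""
    sources = defaultdict(set)
    for r in recs:
        p = r["path"].split("?", 1)[0]
        if r["method"] == "POST" and r["status"] == "200" \
                and p.lower().endswith(SCRIPT_EXT) and p not in allowlist:
            sources[p].add(r["ip"])
    return sorted(((p, len(s)) for p, s in sources.items()), key=lambda x: -x[1])

def landing_pages(recs, hub="/options.php", window=timedelta(seconds=60)):
    """First GET of a never-seen top folder, from another IP, within `window`
    of a successful POST to the hub: the folder was most likely just created."""
    hits, seen, last_post = [], set(), None
    for r in recs:
        if r["method"] == "POST" and r["path"] == hub and r["status"] == "200":
            last_post = r
        elif r["method"] == "GET":
            folder = top_folder(r["path"])
            if folder in seen:
                continue
            seen.add(folder)
            if last_post and r["ip"] != last_post["ip"] \
                    and r["time"] - last_post["time"] <= window:
                hits.append((last_post["time"].strftime("%d/%b %H:%M:%S"), r["ip"], folder))
    return hits

def unusual_methods(recs, normal=("GET", "POST", "HEAD")):
    """Methods outside the set a static welcome page should ever see."""
    return sorted({r["method"] for r in recs if r["method"] not in normal})

if __name__ == "__main__":
    recs = parse_access(ACCESS_LOG)
    print("FTP script uploads:", ftp_script_uploads(XFERLOG))
    print("POST targets by distinct source:", control_hubs(recs))
    print("folders first fetched right after a hub POST:", landing_pages(recs))
    print("unusual methods:", unusual_methods(recs))
```

On the sample, `control_hubs` ranks `/options.php` first (three distinct posting addresses) with `/wp_count.php` behind it, `landing_pages` ties each of the three phishing folders to the `/options.php` POST eight to twelve seconds earlier, and `unusual_methods` surfaces the WebDAV `PROPFIND`. On a real cPanel account the same checks run over the full `logs/` xferlog and domain access log; the FTP upload from an account with no legitimate FTP use is the finding to take back to the host, since it points at credentials rather than at a script vulnerability.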