Re: server compromise (cPanel)

Author: Amit Nepal
Date:  
To: plug-discuss
Subject: Re: server compromise (cPanel)
Does look like someone may be hosting phishing content on your site and
sending out emails with links to those pages. The ups.com/tracking path
in particular makes me lean towards that.

Amit K Nepal
(CISM, CISSP, RHCE, CCENT, C|EH, C|HFI, GIAC ISO 27000 Specialist)

On 5/25/2018 1:47 AM, David Schwartz wrote:
>
> I got a notice from a cPanel hosting site that one of my accounts was
> nearing its monthly bandwidth limit.
>
> That got my attention because this account has nothing going on other
> than email, and there’s no reason it should be anywhere close to its
> monthly bandwidth limits.
>
> In particular, there were no scripts of any kind installed other than
> index.php that serves as a simple welcome page template.
>
> I dug around and discovered the following entry in my FTP access log:
>
> Mon May 14 04:17:43 2018 1 186.103.199.252 147274 /home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c
>
> About an hour later, I found this in my HTTP log:
>
> 85.214.51.131 - - [14/May/2018:05:29:20 -0700] "POST /wp_count.php HTTP/1.1" 200 827 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> Note that I have not used FTP on this account at all in ages. There
> are no FTP users defined other than two that cPanel sets up and I
> cannot disable or remove them.
>
> Can anybody tell me what that FTP entry says it's doing?
>
> What it appears happened is that it injected a script of some kind
> that ran and then created several other folders with different names
> in my public_html folder.
>
> The hosting folks keep saying it was probably MY scripts that were
> exploited, but I had no scripts installed.
>
> The names that were given made it LOOK like I had some scripts
> installed, though. Stuff you wouldn’t think twice about seeing in a
> web folder.
>
> Here are some more log entries that resulted from this breach:
>
> 85.214.51.131 - - [15/May/2018:09:53:05 -0700] "POST /options.php HTTP/1.1" 200 115 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 64.253.105.72 - - [15/May/2018:09:53:13 -0700] "GET /Invoice-Corrections-for-23/86/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> … a ton of accesses to this path along with POSTs to /options.php
>
> Every once in a while a second URL would show up (referrer?) right
> before the browser type entry, and sometimes it would be to this folder
> on my site.
>
> Tons and tons of entries like this:
>
> 216.177.137.55 - - [16/May/2018:09:35:57 -0700] "POST /options.php HTTP/1.1" 200 35 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 198.199.88.162 - - [16/May/2018:09:40:20 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> with either 35 or 17 after the 200 response code
>
> Then it switches to this:
>
> 193.150.14.77 - - [17/May/2018:10:29:44 -0700] "POST /options.php HTTP/1.1" 200 73 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 46.4.99.77 - - [17/May/2018:10:29:51 -0700] "GET /vZnFeiw1/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> So it's no longer using /Invoice-Corrections-for… but /vZnFeiw1
>
> NOTE: each of these folders has two files in it: index.php and
> web.config, which are oddly encoded scripts that were unreadable.
>
> Then it switches to this folder:
>
> 65.19.178.162 - - [21/May/2018:09:39:19 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 94.176.2.155 - - [21/May/2018:09:39:31 -0700] "GET /ups.com/WebTracking/GR-198010007/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> Then we get some interesting stuff where GETs and POSTs are replaced
> with things I’ve never seen before:
>
> 34.239.146.197 - - [22/May/2018:01:30:20 -0700] "OPTIONS /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 136704 "-" "Microsoft Office Protocol Discovery"
> 34.239.146.197 - - [22/May/2018:01:30:21 -0700] "HEAD /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "OPTIONS /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "OPTIONS /ups.com/WebTracking/ HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking/ HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
>
> Then it switches to this folder:
>
> 193.150.14.77 - - [23/May/2018:22:41:09 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 198.199.88.162 - - [23/May/2018:22:41:18 -0700] "GET /Rechnungsanschrift/Rechnung-scan/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> And at this point I started deleting things:
>
> 46.4.99.77 - - [24/May/2018:17:23:12 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:49 -0700] "POST /options.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:52 -0700] "POST /assets/css/edit.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:58 -0700] "POST /assets/images/functions.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:59 -0700] "POST /assets/common.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:28:00 -0700] "POST /css/options.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:28:01 -0700] "POST /images/config.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:28:01 -0700] "POST /js/image.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 185.220.70.236 - - [24/May/2018:17:31:17 -0700] "GET /Rechnungsanschrift/Rechnung-scan/ HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)"
> 208.80.194.32 - - [24/May/2018:17:32:28 -0700] "GET /vZnFeiw1/ HTTP/1.0" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
> 193.226.177.40 - - [24/May/2018:17:54:38 -0700] "GET /ups.com/webtracking/gr-198010007 HTTP/1.1" 404 - "-" "Mozilla/4.0"
>
> Can you hear it squealing like the Wicked Witch of the East as I
> started pulling the legs off of this bot net or whatever it was?
>
> Looking over the entire log, it’s pretty clear that the /options.php
> file was acting as some kind of a control hub, directing traffic and
> setting up additional folders with scripts that were then accessed by
> others around the world.
>
> I wish I could see the data that was GETted and POSTed.
>
> Does this activity look familiar to anybody?
>
> -David Schwartz
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss

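As an added example (not part of this thread, and not David's or Amit's code), the Python below decodes the xferlog entry David asked about and triages access-log lines of the kind he quoted. The sample lines are reconstructed from the quoted message with straight quotes; the assumption that /index.php is the only script the owner installed comes from his description, and the rule names and the "known scripts" parameter are my own.

```python
import re
from collections import defaultdict

# Meaning of the one-character flag fields in the xferlog format (the
# transfer log written by wu-ftpd, ProFTPD and Pure-FTPd).
XFERLOG_CODES = {
    "transfer_type":     {"a": "ASCII", "b": "binary"},
    "special_action":    {"_": "none", "C": "compressed", "U": "uncompressed", "T": "tar"},
    "direction":         {"i": "incoming (client uploaded the file TO the server)",
                          "o": "outgoing (client downloaded the file)",
                          "d": "deleted"},
    "access_mode":       {"r": "real (logged in as a local account)",
                          "a": "anonymous", "g": "guest"},
    "auth_method":       {"0": "none", "1": "RFC 931 (ident)"},
    "completion_status": {"c": "complete", "i": "incomplete"},
}

XFERLOG_NAMES = ["transfer_time", "remote_host", "file_size", "filename",
                 "transfer_type", "special_action", "direction", "access_mode",
                 "username", "service", "auth_method", "auth_user_id",
                 "completion_status"]


def decode_xferlog(line):
    """Split one xferlog line into named fields and expand the flag codes.

    Layout: a five-token date, then the thirteen fields in XFERLOG_NAMES.
    Filenames containing spaces are not handled (xferlog is ambiguous there).
    """
    tok = line.split()
    if len(tok) != 5 + len(XFERLOG_NAMES):
        raise ValueError("unexpected xferlog layout (%d tokens)" % len(tok))
    rec = {"timestamp": " ".join(tok[:5])}
    rec.update(zip(XFERLOG_NAMES, tok[5:]))
    for field, table in XFERLOG_CODES.items():
        rec[field + "_meaning"] = table.get(rec[field], "unknown (%s)" % rec[field])
    return rec


# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# WebDAV verbs: a static mail-only site should never see these.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def triage_access_log(lines, known_scripts=frozenset({"/index.php"})):
    """Flag requests that do not fit a site hosting only known_scripts.

    Returns a list of tuples whose first element is the rule name.
    """
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            findings.append(("unparsed", line))
            continue
        e = m.groupdict()
        path = e["path"].split("?", 1)[0]          # drop the query string
        if e["method"] == "POST" and path.endswith(".php") and path not in known_scripts:
            # POST to a PHP file the owner never installed: a live control
            # script (200) or a probe for one after cleanup (404).
            findings.append(("post_to_unknown_php", e["ip"], path, e["status"]))
        if e["method"] in WEBDAV_METHODS:
            findings.append(("webdav_method", e["ip"], e["method"], path))
    return findings


def control_hub_candidates(findings):
    """Group the unknown-PHP POSTs by path -> set of source IPs."""
    hubs = defaultdict(set)
    for f in findings:
        if f[0] == "post_to_unknown_php":
            hubs[f[2]].add(f[1])
    return dict(hubs)


# Sample lines reconstructed from the quoted message (constructed input,
# straight quotes, one entry per line). CHROME_UA is the user agent that
# repeats throughout the quoted log.
CHROME_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36")
SAMPLE_XFERLOG = ("Mon May 14 04:17:43 2018 1 186.103.199.252 147274 "
                  "/home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c")
SAMPLE_ACCESS = [
    '85.214.51.131 - - [14/May/2018:05:29:20 -0700] "POST /wp_count.php HTTP/1.1" 200 827 "-" "%s"' % CHROME_UA,
    '216.177.137.55 - - [16/May/2018:09:35:57 -0700] "POST /options.php HTTP/1.1" 200 35 "-" "%s"' % CHROME_UA,
    '46.4.99.77 - - [17/May/2018:10:29:51 -0700] "GET /vZnFeiw1/?s HTTP/1.1" 200 2 "-" "%s"' % CHROME_UA,
    '34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    '65.19.178.162 - - [24/May/2018:17:27:49 -0700] "POST /options.php HTTP/1.1" 404 - "-" "%s"' % CHROME_UA,
]

if __name__ == "__main__":
    rec = decode_xferlog(SAMPLE_XFERLOG)
    for field in XFERLOG_NAMES:
        print("%-18s %-40s %s" % (field, rec[field], rec.get(field + "_meaning", "")))
    findings = triage_access_log(SAMPLE_ACCESS)
    for f in findings:
        print(f)
    print(control_hub_candidates(findings))
```

Run against the quoted FTP line, the decoder reads it as a 147274-byte binary upload ("i" = incoming, "b" = binary) of wp_count.php from 186.103.199.252, completed ("c"), using the real cPanel account's credentials ("r"), which is why the host's "your scripts were exploited" answer does not match: the file arrived over FTP before any web request touched it. The triage pass then groups the POSTs to PHP files that were never installed, which is the pattern David describes as /options.php acting as a control hub.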