Re: server compromise (cPanel)

Author: Stephen Partington
To: Amit Nepal, Main PLUG discussion list
Subject: Re: server compromise (cPanel)
It looks like they were trying to mimic WordPress or files from WordPress.

On Fri, May 25, 2018, 6:45 AM Amit Nepal <> wrote:

> Does look like someone may be hosting phishing content on your site and
> sending out emails with links to those pages. Especially that
> ups.com/tracking makes me lean towards that.
>
> Amit K Nepal
> (CISM, CISSP, RHCE, CCENT, C|EH, C|HFI, GIAC ISO 27000 Specialist)
>
>
> On 5/25/2018 1:47 AM, David Schwartz wrote:
>
> I got a notice from a cPanel hosting site that one of my accounts was
> nearing its monthly bandwidth limit.
>
> That got my attention because this account has nothing going on other than
> email, and there’s no reason it should be anywhere close to its monthly
> bandwidth limits.
>
> In particular, there were no scripts of any kind installed other than
> index.php that serves as a simple welcome page template.
>
> I dug around and discovered the following entry in my FTP access log:
>
> Mon May 14 04:17:43 2018 1 186.103.199.252 147274 /home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c
>
> About an hour later, I found this in my HTTP log:
>
> 85.214.51.131 - - [14/May/2018:05:29:20 -0700] "POST /wp_count.php HTTP/1.1" 200 827 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> Note that I have not used FTP on this account at all in ages. There are no
> FTP users defined other than two that cPanel sets up and I cannot disable
> or remove them.
>
> Can anybody tell me what that FTP entry says it's doing?
>
> What it appears happened is that it injected a script of some kind that
> ran and then created several other folders with different names in my
> public_html folder.
>
> The hosting folks keep saying it was probably MY scripts that were
> exploited, but I had no scripts installed.
>
> The names that were given made it LOOK like I had some scripts installed,
> though. Stuff you wouldn’t think twice about seeing in a web folder.
>
> Here are some more log entries that resulted from this breach:
>
> 85.214.51.131 - - [15/May/2018:09:53:05 -0700] "POST /options.php HTTP/1.1" 200 115 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 64.253.105.72 - - [15/May/2018:09:53:13 -0700] "GET /Invoice-Corrections-for-23/86/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> ... a ton of accesses to this path along with POSTs to /options.php
>
> every once in a while a second URL would show up (referrer?) right before
> the browser type entry, and sometimes it would be to this folder on my site.
>
> tons and tons of entries like this:
>
> 216.177.137.55 - - [16/May/2018:09:35:57 -0700] "POST /options.php HTTP/1.1" 200 35 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 198.199.88.162 - - [16/May/2018:09:40:20 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> with either 35 or 17 after the 200 response code
>
> Then it switches to this:
>
> 193.150.14.77 - - [17/May/2018:10:29:44 -0700] "POST /options.php HTTP/1.1" 200 73 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 46.4.99.77 - - [17/May/2018:10:29:51 -0700] "GET /vZnFeiw1/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> so it's no longer using /Invoice-Corrections-for... but /vZnFeiw1
>
> NOTE: each of these folders has two files in it: index.php and web.config,
> which are oddly encoded scripts that were unreadable.
>
> Then it switches to this folder:
>
> 65.19.178.162 - - [21/May/2018:09:39:19 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 94.176.2.155 - - [21/May/2018:09:39:31 -0700] "GET /ups.com/WebTracking/GR-198010007/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> Then we get some interesting stuff where GETs and POSTs are replaced with
> things I’ve never seen before:
>
> 34.239.146.197 - - [22/May/2018:01:30:20 -0700] "OPTIONS /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 136704 "-" "Microsoft Office Protocol Discovery"
> 34.239.146.197 - - [22/May/2018:01:30:21 -0700] "HEAD /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "OPTIONS /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "OPTIONS /ups.com/WebTracking/ HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking/ HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
>
> Then it switches to this folder:
>
> 193.150.14.77 - - [23/May/2018:22:41:09 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 198.199.88.162 - - [23/May/2018:22:41:18 -0700] "GET /Rechnungsanschrift/Rechnung-scan/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> And at this point I started deleting things:
>
> 46.4.99.77 - - [24/May/2018:17:23:12 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:49 -0700] "POST /options.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:52 -0700] "POST /assets/css/edit.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:58 -0700] "POST /assets/images/functions.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:59 -0700] "POST /assets/common.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:28:00 -0700] "POST /css/options.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:28:01 -0700] "POST /images/config.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:28:01 -0700] "POST /js/image.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 185.220.70.236 - - [24/May/2018:17:31:17 -0700] "GET /Rechnungsanschrift/Rechnung-scan/ HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)"
> 208.80.194.32 - - [24/May/2018:17:32:28 -0700] "GET /vZnFeiw1/ HTTP/1.0" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
> 193.226.177.40 - - [24/May/2018:17:54:38 -0700] "GET /ups.com/webtracking/gr-198010007 HTTP/1.1" 404 - "-" "Mozilla/4.0"
>
> Can you hear it squealing like the Wicked Witch of the East as I started
> pulling the legs off of this bot net or whatever it was?
>
> Looking over the entire log, it’s pretty clear that the /options.php file
> was acting as some kind of a control hub, directing traffic and setting up
> additional folders with scripts that were then accessed by others around
> the world.
>
> I wish I could see the data that was GETted and POSTed.
>
> Does this activity look familiar to anybody?
>
> -David Schwartz

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
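Added example, not from the thread or any of its participants: a small Python triage script that decodes the xferlog entry David quotes field by field and ties the uploaded file to the HTTP requests that followed it, which is the question left open above. It assumes the FTP server writes the standard xferlog (TransferLog) format shared by wu-ftpd, ProFTPD and Pure-FTPd, and that the xferlog timestamps are in the same local zone the access log shows (-0700). The sample log lines are the ones quoted in the thread, re-typed with straight quotes and shortened user-agent strings; the function names and the `/public_html` docroot marker are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Sample input, constructed for this example: the log lines quoted in the
# thread, re-typed with straight quotes and with shortened user-agent strings.
XFERLOG = ("Mon May 14 04:17:43 2018 1 186.103.199.252 147274 "
           "/home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c\n")
ACCESS_LOG = """\
85.214.51.131 - - [14/May/2018:05:29:20 -0700] "POST /wp_count.php HTTP/1.1" 200 827 "-" "Mozilla/5.0"
85.214.51.131 - - [15/May/2018:09:53:05 -0700] "POST /options.php HTTP/1.1" 200 115 "-" "Mozilla/5.0"
64.253.105.72 - - [15/May/2018:09:53:13 -0700] "GET /Invoice-Corrections-for-23/86/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0"
216.177.137.55 - - [16/May/2018:09:35:57 -0700] "POST /options.php HTTP/1.1" 200 35 "-" "Mozilla/5.0"
198.199.88.162 - - [16/May/2018:09:40:20 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
"""
# Assumption: xferlog times are server-local, i.e. the -0700 the access log shows.
SERVER_TZ = timezone(timedelta(hours=-7))

# Single-letter codes of the xferlog (TransferLog) format used by wu-ftpd,
# ProFTPD and Pure-FTPd. Field order after the filename: transfer-type (a/b),
# special-action (_ C U T), direction (i/o/d), access-mode (a/g/r), username,
# service, auth-method (0/1), authenticated-user-id (* if none), status (c/i).
DIRECTION = {"i": "incoming (upload to server)", "o": "outgoing (download)", "d": "delete"}
ACCESS_MODE = {"a": "anonymous", "g": "guest", "r": "real user"}


def parse_xferlog(line):
    """Decode one xferlog line. The date is five tokens and the nine fields after
    the filename are fixed, so the filename is whatever sits between them."""
    t = line.split()
    if len(t) < 18:
        raise ValueError("not an xferlog line: %r" % line)
    when = datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y")
    ttype, special, direction, mode, user, service, auth, auth_uid, status = t[-9:]
    return {"time": when.replace(tzinfo=SERVER_TZ), "transfer_seconds": int(t[5]),
            "remote_host": t[6], "size": int(t[7]), "filename": " ".join(t[8:-9]),
            "transfer_type": "binary" if ttype == "b" else "ascii",
            "special_action": special, "direction": DIRECTION.get(direction, direction),
            "access_mode": ACCESS_MODE.get(mode, mode), "username": user,
            "service": service, "rfc931_auth": auth == "1",
            "auth_user_id": auth_uid, "completed": status == "c"}


ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def parse_access(line):
    """Parse one Apache combined-format line; None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string for matching
    return rec


def _records(text, parser):
    return [r for r in (parser(l) for l in text.splitlines() if l.strip()) if r]


def find_dropped_files(xferlog_text, access_text, docroot_marker="/public_html"):
    """Files uploaded over FTP into the web root and then requested over HTTP:
    the upload-then-invoke pattern of a dropped web shell."""
    requests = sorted(_records(access_text, parse_access), key=lambda r: r["time"])
    hits = []
    for up in _records(xferlog_text, parse_xferlog):
        if not up["direction"].startswith("incoming") or docroot_marker not in up["filename"]:
            continue
        web_path = up["filename"].split(docroot_marker, 1)[1]
        later = [r for r in requests if r["path"] == web_path and r["time"] >= up["time"]]
        if later:
            hits.append({"web_path": web_path, "uploaded_from": up["remote_host"],
                         "first_request": later[0], "request_count": len(later),
                         "seconds_until_first_request":
                             int((later[0]["time"] - up["time"]).total_seconds())})
    return hits


def post_targets(access_text):
    """Paths that receive POSTs, with the distinct client IPs hitting each one.
    A control script collects POSTs from many IPs; a static welcome page gets none."""
    targets = defaultdict(set)
    for r in _records(access_text, parse_access):
        if r["method"] == "POST":
            targets[r["path"]].add(r["ip"])
    return dict(targets)


def unusual_methods(access_text, normal=("GET", "POST", "HEAD")):
    """Non-browser verbs (OPTIONS, PROPFIND, ...) that WebDAV clients probe with."""
    return [(r["ip"], r["method"], r["path"])
            for r in _records(access_text, parse_access) if r["method"] not in normal]


if __name__ == "__main__":
    up = parse_xferlog(XFERLOG.strip())
    print("FTP %s: %d bytes, %s, to %s by %s (%s), %s" % (
        up["direction"], up["size"], up["transfer_type"], up["filename"], up["username"],
        up["access_mode"], "complete" if up["completed"] else "incomplete"))
    for h in find_dropped_files(XFERLOG, ACCESS_LOG):
        print("%s uploaded from %s, first %s from %s %d s later" % (
            h["web_path"], h["uploaded_from"], h["first_request"]["method"],
            h["first_request"]["ip"], h["seconds_until_first_request"]))
    print({p: len(ips) for p, ips in post_targets(ACCESS_LOG).items()}, unusual_methods(ACCESS_LOG))
```

Run against the quoted lines, the decoder reads the FTP entry as a completed binary-mode inbound transfer (an upload, direction `i`) of 147274 bytes from 186.103.199.252, written as the real, non-anonymous account `xxxxxx` over the `ftp` service with the RFC 931 auth flag set, and the correlation step reports the first POST to the same path 4297 seconds (about 1 h 12 min) later from a different address. On a real box, feed it the full xferlog and access log rather than the excerpts: any upload into the docroot that is followed by POSTs, plus a single path collecting POSTs from many unrelated IPs, is the pattern worth pulling the file and the FTP credentials over.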