server compromise (cPanel)

Amit Nepal amit at amitnepal.com
Fri May 25 06:39:53 MST 2018


Does look like someone may be hosting phishing content on your site and 
sending out emails with links to those pages. Especially that 
ups.com/tracking makes me lean towards that.

Amit K Nepal
(CISM, CISSP, RHCE, CCENT, C|EH, C|HFI, GIAC ISO 27000 Specialist)

On 5/25/2018 1:47 AM, David Schwartz wrote:
>
> I got a notice from a cPanel hosting site that one of my accounts was 
> nearing its monthly bandwidth limit.
>
> That got my attention because this account has nothing going on other 
> than email, and there’s no reason it should be anywhere close to its 
> monthly bandwidth limits.
>
> In particular, there were no scripts of any kind installed other than 
> index.php that serves as a simple welcome page template.
>
> I dug around and discovered the following entry in my FTP access log:
>
> Mon May 14 04:17:43 2018 1 186.103.199.252 147274 /home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c
>
> About an hour later, I found this in my HTTP log:
>
> 85.214.51.131 - - [14/May/2018:05:29:20 -0700] "POST /wp_count.php HTTP/1.1" 200 827 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> Note that I have not used FTP on this account at all in ages. There 
> are no FTP users defined other than two that cPanel sets up and I 
> cannot disable or remove them.
>
> Can anybody tell me what that FTP entry says it's doing?
>
> What it appears happened is that it injected a script of some kind 
> that ran and then created several other folders with different names 
> in my public_html folder.
>
> The hosting folks keep saying it was probably MY scripts that were 
> exploited, but I had no scripts installed.
>
> The names that were given made it LOOK like I had some scripts 
> installed, though. Stuff you wouldn’t think twice about seeing in a 
> web folder.
>
> Here are some more log entries that resulted from this breach:
>
> 85.214.51.131 - - [15/May/2018:09:53:05 -0700] "POST /options.php HTTP/1.1" 200 115 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 64.253.105.72 - - [15/May/2018:09:53:13 -0700] "GET /Invoice-Corrections-for-23/86/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> … a ton of accesses to this path along with POSTs to /options.php
>
> every once in a while a second URL would show up (referrer?) right 
> before the browser type entry, and sometimes it would be to this folder 
> on my site.
>
> tons and tons of entries like this:
>
> 216.177.137.55 - - [16/May/2018:09:35:57 -0700] "POST /options.php HTTP/1.1" 200 35 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 198.199.88.162 - - [16/May/2018:09:40:20 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> with either 35 or 17 after the 200 response code
>
> Then it switches to this:
>
> 193.150.14.77 - - [17/May/2018:10:29:44 -0700] "POST /options.php HTTP/1.1" 200 73 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 46.4.99.77 - - [17/May/2018:10:29:51 -0700] "GET /vZnFeiw1/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> so it's no longer using /Invoice-Corrections-for… but /vZnFeiw1
>
> NOTE: each of these folders has two files in it: index.php and 
> web.config, which are oddly encoded scripts that were unreadable.
>
> Then it switches to this folder:
>
> 65.19.178.162 - - [21/May/2018:09:39:19 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 94.176.2.155 - - [21/May/2018:09:39:31 -0700] "GET /ups.com/WebTracking/GR-198010007/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> Then we get some interesting stuff where GETs and POSTs are replaced 
> with things I’ve never seen before:
>
> 34.239.146.197 - - [22/May/2018:01:30:20 -0700] "OPTIONS /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 136704 "-" "Microsoft Office Protocol Discovery"
> 34.239.146.197 - - [22/May/2018:01:30:21 -0700] "HEAD /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "OPTIONS /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "OPTIONS /ups.com/WebTracking/ HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking/ HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
>
> Then it switches to this folder:
>
> 193.150.14.77 - - [23/May/2018:22:41:09 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 198.199.88.162 - - [23/May/2018:22:41:18 -0700] "GET /Rechnungsanschrift/Rechnung-scan/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
>
> And at this point I started deleting things:
>
> 46.4.99.77 - - [24/May/2018:17:23:12 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:49 -0700] "POST /options.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:52 -0700] "POST /assets/css/edit.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:58 -0700] "POST /assets/images/functions.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:27:59 -0700] "POST /assets/common.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:28:00 -0700] "POST /css/options.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:28:01 -0700] "POST /images/config.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 65.19.178.162 - - [24/May/2018:17:28:01 -0700] "POST /js/image.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 185.220.70.236 - - [24/May/2018:17:31:17 -0700] "GET /Rechnungsanschrift/Rechnung-scan/ HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)"
> 208.80.194.32 - - [24/May/2018:17:32:28 -0700] "GET /vZnFeiw1/ HTTP/1.0" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
> 193.226.177.40 - - [24/May/2018:17:54:38 -0700] "GET /ups.com/webtracking/gr-198010007 HTTP/1.1" 404 - "-" "Mozilla/4.0"
>
> Can you hear it squealing like the Wicked Witch of the East as I 
> started pulling the legs off of this bot net or whatever it was?
>
> Looking over the entire log, it’s pretty clear that the /options.php 
> file was acting as some kind of a control hub, directing traffic and 
> setting up additional folders with scripts that were then accessed by 
> others around the world.
>
> I wish I could see the data that was GETted and POSTed.
>
> Does this activity look familiar to anybody?
>
> -David Schwartz
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
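As an added example, not part of either message in this thread: a small Python triage script that answers David's question about the FTP entry and then applies the POST-then-GET correlation he noticed to his Apache lines. The FTP line is in the standard xferlog format (wu-ftpd/ProFTPD/Pure-FTPd): the fields after the timestamp are transfer time (1 s), client address, byte count (147274), path, transfer type (b = binary), special action (_ = none), direction (i = incoming upload), access mode (r = real, password-authenticated user), username, service, authentication method, authenticated user id (* = none) and completion status (c = complete). In other words, someone logged in to FTP with the account's credentials from 186.103.199.252 and uploaded wp_count.php, which is why the host keeps pointing at the account rather than at a script. The sample lines below are copied from the post with the mail client's curly quotes and en-dashes restored to plain ASCII; the function names, the three-IP threshold and the 60-second window are this example's own assumptions.

```python
"""Triage for the cPanel compromise described above (added example, not
code from the thread). Decodes the xferlog upload, then flags PHP files
driven by POSTs from many IPs and pairs each such POST with the GET to a
new lure folder that follows it."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# xferlog field codes (wu-ftpd / ProFTPD / Pure-FTPd transfer log format)
XFER_DIRECTION = {"i": "upload to server", "o": "download from server", "d": "delete"}
XFER_ACCESS = {"r": "real (password-authenticated) user", "a": "anonymous", "g": "guest"}
XFER_STATUS = {"c": "complete", "i": "incomplete"}
XFERLOG_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<seconds>\d+) "
    r"(?P<host>\S+) (?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<action>\S) "
    r"(?P<direction>[iod]) (?P<access>[rag]) (?P<user>\S+) (?P<service>\S+) "
    r"(?P<authmethod>[01]) (?P<authuser>\S+) (?P<status>[ci])$")

def parse_xferlog(line):
    """Decode one xferlog line into human-readable fields."""
    m = XFERLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an xferlog line: %r" % line)
    d = m.groupdict()
    d["size"] = int(d["size"])
    d["type"] = "binary" if d["type"] == "b" else "ascii"
    d["direction"] = XFER_DIRECTION[d["direction"]]
    d["access"] = XFER_ACCESS[d["access"]]
    d["status"] = XFER_STATUS[d["status"]]
    return d

# Apache combined log format. Mail clients turn " into curly quotes and
# "-" into en-dashes, so those are normalised before matching.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) '
    r'[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_access_log(line):
    line = line.translate(str.maketrans({"\u201c": '"', "\u201d": '"', "\u2013": "-"}))
    m = ACCESS_RE.match(line.strip())
    if not m:
        raise ValueError("not a combined-format line: %r" % line)
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def find_control_endpoints(entries, min_ips=3):
    """PHP files answering 200 to referrer-less POSTs from several unrelated
    IPs: the signature of an uploaded script being driven remotely."""
    ips = defaultdict(set)
    for e in entries:
        if (e["method"] == "POST" and e["status"] == 200
                and e["path"].endswith(".php") and e["referer"] == "-"):
            ips[e["path"]].add(e["ip"])
    return {p: sorted(s) for p, s in ips.items() if len(s) >= min_ips}

def correlate_setup_then_fetch(entries, control, window=timedelta(seconds=60)):
    """Pair a POST to a control endpoint with the first successful GET, from
    a different IP, to a non-PHP path within `window` (assumed 60 s)."""
    entries = sorted(entries, key=lambda e: e["ts"])
    posts = [e for e in entries if e["method"] == "POST" and e["path"] in control]
    pairs = []
    for g in entries:
        if g["method"] != "GET" or g["status"] != 200 or g["path"].endswith(".php"):
            continue
        for p in posts:
            gap = g["ts"] - p["ts"]
            if p["ip"] != g["ip"] and timedelta(0) <= gap <= window:
                pairs.append((p["path"], g["path"], int(gap.total_seconds())))
                break
    return pairs

# Sample data constructed from the lines in the post (quotes normalised).
XFERLOG_LINE = ("Mon May 14 04:17:43 2018 1 186.103.199.252 147274 "
                "/home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c")
UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
def _line(ip, ts, req, status, size):
    return '%s - - [%s -0700] "%s HTTP/1.1" %s %s "-" "%s"' % (ip, ts, req, status, size, UA)
ACCESS_LINES = [_line(*r) for r in [
    ("85.214.51.131", "14/May/2018:05:29:20", "POST /wp_count.php", 200, 827),
    ("85.214.51.131", "15/May/2018:09:53:05", "POST /options.php", 200, 115),
    ("64.253.105.72", "15/May/2018:09:53:13", "GET /Invoice-Corrections-for-23/86/?s", 200, 2),
    ("216.177.137.55", "16/May/2018:09:35:57", "POST /options.php", 200, 35),
    ("198.199.88.162", "16/May/2018:09:40:20", "POST /options.php", 200, 17),
    ("193.150.14.77", "17/May/2018:10:29:44", "POST /options.php", 200, 73),
    ("46.4.99.77", "17/May/2018:10:29:51", "GET /vZnFeiw1/?s", 200, 2),
    ("65.19.178.162", "21/May/2018:09:39:19", "POST /options.php", 200, 121),
    ("94.176.2.155", "21/May/2018:09:39:31", "GET /ups.com/WebTracking/GR-198010007/?s", 200, 2),
    ("65.19.178.162", "24/May/2018:17:27:49", "POST /options.php", 404, "-"),
]]

if __name__ == "__main__":
    x = parse_xferlog(XFERLOG_LINE)
    print("FTP: %s %s, %d bytes, %s, user %s from %s" % (
        x["status"], x["direction"], x["size"], x["access"], x["user"], x["host"]))
    entries = [parse_access_log(l) for l in ACCESS_LINES]
    control = find_control_endpoints(entries)
    print("control endpoints:", control)
    for post, lure, secs in correlate_setup_then_fetch(entries, control):
        print("POST %s then GET %s after %ds" % (post, lure, secs))
```

Run against the lines in the post, the heuristic singles out /options.php (five distinct client addresses, no referrer, same user agent) and pairs each of its POSTs with the GET to a freshly created folder 7 to 12 seconds later; wp_count.php, hit from a single address, is not flagged. The later OPTIONS/HEAD/PROPFIND burst with "Microsoft Office Protocol Discovery" and "Microsoft-WebDAV-MiniRedir" user agents is how Windows Office clients probe a URL before opening it, consistent with a recipient clicking the lure link from Outlook or a document; the script above does not try to classify those.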
