<html><body>
<p>I got a notice from a cPanel hosting site that one of my accounts was nearing it’s monthly bandwidth limit.</p>
<p>That got my attention because this account has nothing going on other than email, and there’s no reason it should be anywhere close to its monthly bandwidth limits.</p>
<p>In particular, there were no scripts of any kind installed other than index.php that serves as a simple welcome page template.</p>
<p>I dug around and discovered the following entry in my FTP access log:</p>
<p>Mon May 14 04:17:43 2018 1 186.103.199.252 147274 /home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c</p>
<p>About an hour later, I found this in my HTTP log:</p>
<p>85.214.51.131 – – [14/May/2018:05:29:20 -0700] “POST /wp_count.php HTTP/1.1” 200 827 “-” "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”</p>
<p>Note that I have not used FTP on this account at all in ages. There are no FTP users defined other than two that cPanel sets up and I cannot disable or remove them.</p>
<p>Can anybody tell me what that FTP entry says it's doing?</p>
<p>What it appears happened is that it injected a script of some kind that ran and then created several other folders with different names in my public_html folder.</p>
<p>The hosting folks keep saying it was probably MY scripts that were exploited, but i had no scripts installed.</p>
<p>The names that were given made it LOOK like I had some scripts installed, though. Stuff you wouldn’t think twice about seeing in a web folder.</p>
<p>Here are some more log entries that resulted from this breech:</p>
<p>85.214.51.131 – – [15/May/2018:09:53:05 -0700] “POST /options.php HTTP/1.1” 200 115 “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 64.253.105.72 – – [15/May/2018:09:53:13 -0700] “GET /Invoice-Corrections-for-23/86/?s HTTP/1.1” 200 2 "-” "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” … a ton of accesses to this path along with POSTs to /options.php</p>
<p>every once in a while a second URL would show up (referrer?) right before the browser type entry, and someimes it would be to this folder on my site.</p>
<p>tons and tons of entries like this:</p>
<p>216.177.137.55 – – [16/May/2018:09:35:57 -0700] “POST /options.php HTTP/1.1” 200 35 “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 198.199.88.162 – – [16/May/2018:09:40:20 -0700] “POST /options.php HTTP/1.1” 200 17 “-” "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”</p>
<p>with either 35 or 17 after the 200 response code</p>
<p>Then it switches to this:</p>
<p>193.150.14.77 – – [17/May/2018:10:29:44 -0700] “POST /options.php HTTP/1.1” 200 73 “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 46.4.99.77 – – [17/May/2018:10:29:51 -0700] “GET /vZnFeiw1/?s HTTP/1.1” 200 2 “-” "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”</p>
<p>so it’s no longer using /Invoice-Ccorrections-for… but /vZnFeiw1</p>
<p>NOTE: each of these folders has two files in it: index.php and web.config, which are oddly encoded scripts that were unreadable.</p>
<p>Then it switches to this folder:</p>
<p>65.19.178.162 – – [21/May/2018:09:39:19 -0700] “POST /options.php HTTP/1.1” 200 121 “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 94.176.2.155 – – [21/May/2018:09:39:31 -0700] “GET /ups.com/WebTracking/GR-198010007/?s HTTP/1.1” 200 2 “-” "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”</p>
<p>Then we get some interesting stuff where GETs and POSTs are replaced with things I’ve never seen before:</p>
<p>34.239.146.197 – – [22/May/2018:01:30:20 -0700] “OPTIONS /ups.com/WebTracking/GR-198010007/ HTTP/1.1” 200 136704 “-” “Microsoft Office Protocol Discovery” 34.239.146.197 – – [22/May/2018:01:30:21 -0700] “HEAD /ups.com/WebTracking/GR-198010007/ HTTP/1.1” 200 – “-” “Microsoft Office Existence Discovery” 34.239.146.197 – – [22/May/2018:01:30:25 -0700] “OPTIONS /ups.com/WebTracking HTTP/1.1” 301 246 “-” “Microsoft-WebDAV-MiniRedir/6.1.7601” 34.239.146.197 – – [22/May/2018:01:30:25 -0700] “OPTIONS /ups.com/WebTracking/ HTTP/1.1” 200 – “-” “Microsoft-WebDAV-MiniRedir/6.1.7601” 34.239.146.197 – – [22/May/2018:01:30:25 -0700] “PROPFIND /ups.com/WebTracking HTTP/1.1” 301 246 “-” “Microsoft-WebDAV-MiniRedir/6.1.7601” 34.239.146.197 – – [22/May/2018:01:30:25 -0700] “PROPFIND /ups.com/WebTracking/ HTTP/1.1” 404 – “-” “Microsoft-WebDAV-MiniRedir/6.1.7601” 34.239.146.197 – – [22/May/2018:01:30:25 -0700] “PROPFIND /ups.com HTTP/1.1” 404 – “-” "Microsoft-WebDAV-MiniRedir/6.1.7601”</p>
<p>Then it switches to this folder:</p>
<p>193.150.14.77 – – [23/May/2018:22:41:09 -0700] “POST /options.php HTTP/1.1” 200 121 “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 198.199.88.162 – – [23/May/2018:22:41:18 -0700] “GET /Rechnungsanschrift/Rechnung-scan/?s HTTP/1.1” 200 2 “-” "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”</p>
<p>And at this point I started deleting things:</p>
<p>46.4.99.77 – – [24/May/2018:17:23:12 -0700] “POST /options.php HTTP/1.1” 200 17 “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 65.19.178.162 – – [24/May/2018:17:27:49 -0700] “POST /options.php HTTP/1.1” 404 – “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 65.19.178.162 – – [24/May/2018:17:27:52 -0700] “POST /assets/css/edit.php HTTP/1.1” 404 – “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 65.19.178.162 – – [24/May/2018:17:27:58 -0700] “POST /assets/images/functions.php HTTP/1.1” 404 – “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 65.19.178.162 – – [24/May/2018:17:27:59 -0700] “POST /assets/common.php HTTP/1.1” 404 – “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 65.19.178.162 – – [24/May/2018:17:28:00 -0700] “POST /css/options.php HTTP/1.1” 404 – “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 65.19.178.162 – – [24/May/2018:17:28:01 -0700] “POST /images/config.php HTTP/1.1” 404 – “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 65.19.178.162 – – [24/May/2018:17:28:01 -0700] “POST /js/image.php HTTP/1.1” 404 – “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” 185.220.70.236 – – [24/May/2018:17:31:17 -0700] “GET /Rechnungsanschrift/Rechnung-scan/ HTTP/1.1” 404 – “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)” 208.80.194.32 – – [24/May/2018:17:32:28 -0700] “GET /vZnFeiw1/ HTTP/1.0” 404 – “-” “Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18” 193.226.177.40 – – [24/May/2018:17:54:38 -0700] “GET /ups.com/webtracking/gr-198010007 HTTP/1.1” 404 – “-” "Mozilla/4.0”</p>
<p>Can you hear it squealing like the Wicked Witch of the East as I started pulling the legs off of this bot net or whatever it was?</p>
<p>Looking over the entire log, it’s pretty clear that the /options.php file was acting as some kind of a control hub, directing traffic and setting up additional folders with scripts that were then accessed by others around the world.</p>
<p>I wish I could see the data that was GETted and POSTed.</p>
<p>Does this activity look familiar to anybody?</p>
<p>-David Schwartz</p>
<img src="https://u2206659.ct.sendgrid.net/wf/open?upn=6lpMB7VLnN-2Fj9-2FEErg8-2F-2BMBpb5QxlByTgv2M3fbWD9ebvC-2BWrN3h7jImK8EVWYBeU7H6-2F5ulNilPn7WybHIdbZlpA2s-2BQ-2FRgvpD26JDacjXwgWYZOrXC6ok3NkbuaCjVAkmsP0ZfMLF-2BRXaG2QrZmgsisqN50g2kSopXInzCI67tMErrLm2Xb0Lij4-2Bu-2BkBDHsqr-2B3Eyp9Kqo7-2FHqcXdwVyuMpLZ0WsUyJjxjGLZEEf-2FkCC05aLt6CPrlgiEvcOi" alt="" width="1" height="1" border="0" style="height:1px !important;width:1px !important;border-width:0 !important;margin-top:0 !important;margin-bottom:0 !important;margin-right:0 !important;margin-left:0 !important;padding-top:0 !important;padding-bottom:0 !important;padding-right:0 !important;padding-left:0 !important;"/>
</body></html>