<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Does look like someone may be hosting phising content on your
site and sending out emails with links to those pages. Especially
that ups.com/tracking makes me lean towards that.<br>
</p>
<pre class="moz-signature" cols="72">Amit K Nepal
(CISM, CISSP, RHCE, CCENT, C|EH, C|HFI, GIAC ISO 27000 Specialist)
</pre>
<div class="moz-cite-prefix">On 5/25/2018 1:47 AM, David Schwartz
wrote:<br>
</div>
<blockquote
cite="mid:B026E0B5-C481-4A94-BE03-F44804B891CF@thetoolwiz.com"
type="cite">
<p>I got a notice from a cPanel hosting site that one of my
accounts was nearing it’s monthly bandwidth limit.</p>
<p>That got my attention because this account has nothing going on
other than email, and there’s no reason it should be anywhere
close to its monthly bandwidth limits.</p>
<p>In particular, there were no scripts of any kind installed
other than index.php that serves as a simple welcome page
template.</p>
<p>I dug around and discovered the following entry in my FTP
access log:</p>
<p>Mon May 14 04:17:43 2018 1 186.103.199.252 147274
/home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c</p>
<p>About an hour later, I found this in my HTTP log:</p>
<p>85.214.51.131 – – [14/May/2018:05:29:20 -0700] “POST
/wp_count.php HTTP/1.1” 200 827 “-” "Mozilla/5.0 (Windows NT
6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36”</p>
<p>Note that I have not used FTP on this account at all in ages.
There are no FTP users defined other than two that cPanel sets
up and I cannot disable or remove them.</p>
<p>Can anybody tell me what that FTP entry says it's doing?</p>
<p>What it appears happened is that it injected a script of some
kind that ran and then created several other folders with
different names in my public_html folder.</p>
<p>The hosting folks keep saying it was probably MY scripts that
were exploited, but i had no scripts installed.</p>
<p>The names that were given made it LOOK like I had some scripts
installed, though. Stuff you wouldn’t think twice about seeing
in a web folder.</p>
<p>Here are some more log entries that resulted from this breech:</p>
<p>85.214.51.131 – – [15/May/2018:09:53:05 -0700] “POST
/options.php HTTP/1.1” 200 115 “-” “Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36” 64.253.105.72 – – [15/May/2018:09:53:13 -0700]
“GET /Invoice-Corrections-for-23/86/?s HTTP/1.1” 200 2 "-”
"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/41.0.2228.0 Safari/537.36” … a ton of accesses to
this path along with POSTs to /options.php</p>
<p>every once in a while a second URL would show up (referrer?)
right before the browser type entry, and someimes it would be to
this folder on my site.</p>
<p>tons and tons of entries like this:</p>
<p>216.177.137.55 – – [16/May/2018:09:35:57 -0700] “POST
/options.php HTTP/1.1” 200 35 “-” “Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36” 198.199.88.162 – – [16/May/2018:09:40:20 -0700]
“POST /options.php HTTP/1.1” 200 17 “-” "Mozilla/5.0 (Windows NT
6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36”</p>
<p>with either 35 or 17 after the 200 response code</p>
<p>Then it switches to this:</p>
<p>193.150.14.77 – – [17/May/2018:10:29:44 -0700] “POST
/options.php HTTP/1.1” 200 73 “-” “Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36” 46.4.99.77 – – [17/May/2018:10:29:51 -0700] “GET
/vZnFeiw1/?s HTTP/1.1” 200 2 “-” "Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36”</p>
<p>so it’s no longer using /Invoice-Ccorrections-for… but
/vZnFeiw1</p>
<p>NOTE: each of these folders has two files in it: index.php and
web.config, which are oddly encoded scripts that were
unreadable.</p>
<p>Then it switches to this folder:</p>
<p>65.19.178.162 – – [21/May/2018:09:39:19 -0700] “POST
/options.php HTTP/1.1” 200 121 “-” “Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36” 94.176.2.155 – – [21/May/2018:09:39:31 -0700]
“GET /ups.com/WebTracking/GR-198010007/?s HTTP/1.1” 200 2 “-”
"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/41.0.2228.0 Safari/537.36”</p>
<p>Then we get some interesting stuff where GETs and POSTs are
replaced with things I’ve never seen before:</p>
<p>34.239.146.197 – – [22/May/2018:01:30:20 -0700] “OPTIONS
/ups.com/WebTracking/GR-198010007/ HTTP/1.1” 200 136704 “-”
“Microsoft Office Protocol Discovery” 34.239.146.197 – –
[22/May/2018:01:30:21 -0700] “HEAD
/ups.com/WebTracking/GR-198010007/ HTTP/1.1” 200 – “-”
“Microsoft Office Existence Discovery” 34.239.146.197 – –
[22/May/2018:01:30:25 -0700] “OPTIONS /ups.com/WebTracking
HTTP/1.1” 301 246 “-” “Microsoft-WebDAV-MiniRedir/6.1.7601”
34.239.146.197 – – [22/May/2018:01:30:25 -0700] “OPTIONS
/ups.com/WebTracking/ HTTP/1.1” 200 – “-”
“Microsoft-WebDAV-MiniRedir/6.1.7601” 34.239.146.197 – –
[22/May/2018:01:30:25 -0700] “PROPFIND /ups.com/WebTracking
HTTP/1.1” 301 246 “-” “Microsoft-WebDAV-MiniRedir/6.1.7601”
34.239.146.197 – – [22/May/2018:01:30:25 -0700] “PROPFIND
/ups.com/WebTracking/ HTTP/1.1” 404 – “-”
“Microsoft-WebDAV-MiniRedir/6.1.7601” 34.239.146.197 – –
[22/May/2018:01:30:25 -0700] “PROPFIND /ups.com HTTP/1.1” 404 –
“-” "Microsoft-WebDAV-MiniRedir/6.1.7601”</p>
<p>Then it switches to this folder:</p>
<p>193.150.14.77 – – [23/May/2018:22:41:09 -0700] “POST
/options.php HTTP/1.1” 200 121 “-” “Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36” 198.199.88.162 – – [23/May/2018:22:41:18 -0700]
“GET /Rechnungsanschrift/Rechnung-scan/?s HTTP/1.1” 200 2 “-”
"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/41.0.2228.0 Safari/537.36”</p>
<p>And at this point I started deleting things:</p>
<p>46.4.99.77 – – [24/May/2018:17:23:12 -0700] “POST /options.php
HTTP/1.1” 200 17 “-” “Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36” 65.19.178.162 – – [24/May/2018:17:27:49 -0700]
“POST /options.php HTTP/1.1” 404 – “-” “Mozilla/5.0 (Windows NT
6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36” 65.19.178.162 – – [24/May/2018:17:27:52 -0700]
“POST /assets/css/edit.php HTTP/1.1” 404 – “-” “Mozilla/5.0
(Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.36” 65.19.178.162 – –
[24/May/2018:17:27:58 -0700] “POST /assets/images/functions.php
HTTP/1.1” 404 – “-” “Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36” 65.19.178.162 – – [24/May/2018:17:27:59 -0700]
“POST /assets/common.php HTTP/1.1” 404 – “-” “Mozilla/5.0
(Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.36” 65.19.178.162 – –
[24/May/2018:17:28:00 -0700] “POST /css/options.php HTTP/1.1”
404 – “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”
65.19.178.162 – – [24/May/2018:17:28:01 -0700] “POST
/images/config.php HTTP/1.1” 404 – “-” “Mozilla/5.0 (Windows NT
6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36” 65.19.178.162 – – [24/May/2018:17:28:01 -0700]
“POST /js/image.php HTTP/1.1” 404 – “-” “Mozilla/5.0 (Windows NT
6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0
Safari/537.36” 185.220.70.236 – – [24/May/2018:17:31:17 -0700]
“GET /Rechnungsanschrift/Rechnung-scan/ HTTP/1.1” 404 – “-”
“Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64;
Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET
CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E;
InfoPath.3; Zoom 3.6.0)” 208.80.194.32 – – [24/May/2018:17:32:28
-0700] “GET /vZnFeiw1/ HTTP/1.0” 404 – “-” “Mozilla/5.0
(Windows; U; Windows NT 6.1; en-US; rv:1.9.2.18) Gecko/20110614
Firefox/3.6.18” 193.226.177.40 – – [24/May/2018:17:54:38 -0700]
“GET /ups.com/webtracking/gr-198010007 HTTP/1.1” 404 – “-”
"Mozilla/4.0”</p>
<p>Can you hear it squealing like the Wicked Witch of the East as
I started pulling the legs off of this bot net or whatever it
was?</p>
<p>Looking over the entire log, it’s pretty clear that the
/options.php file was acting as some kind of a control hub,
directing traffic and setting up additional folders with scripts
that were then accessed by others around the world.</p>
<p>I wish I could see the data that was GETted and POSTed.</p>
<p>Does this activity look familiar to anybody?</p>
<p>-David Schwartz</p>
<img moz-do-not-send="true"
src="https://u2206659.ct.sendgrid.net/wf/open?upn=6lpMB7VLnN-2Fj9-2FEErg8-2F-2BMBpb5QxlByTgv2M3fbWD9ebvC-2BWrN3h7jImK8EVWYBeU7H6-2F5ulNilPn7WybHIdbZlpA2s-2BQ-2FRgvpD26JDacjXwgWYZOrXC6ok3NkbuaCjVAkmsP0ZfMLF-2BRXaG2QrZmgsisqN50g2kSopXInzCI67tMErrLm2Xb0Lij4-2Bu-2BkBDHsqr-2B3Eyp9Kqo7-2FHqcXdwVyuMpLZ0WsUyJjxjGLZEEf-2FkCC05aLt6CPrlgiEvcOi"
alt="" style="height:1px !important;width:1px
!important;border-width:0 !important;margin-top:0
!important;margin-bottom:0 !important;margin-right:0
!important;margin-left:0 !important;padding-top:0
!important;padding-bottom:0 !important;padding-right:0
!important;padding-left:0 !important;" height="1" border="0"
width="1">
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">---------------------------------------------------
PLUG-discuss mailing list - <a class="moz-txt-link-abbreviated" href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.org</a>
To subscribe, unsubscribe, or to change your mail settings:
<a class="moz-txt-link-freetext" href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a></pre>
</blockquote>
<br>
</body>
</html>