It looks like they were trying to mimic WordPress or files from WordPress.

On Fri, May 25, 2018, 6:45 AM Amit Nepal wrote:

> Does look like someone may be hosting phishing content on your site and sending out emails with links to those pages. Especially that ups.com/tracking makes me lean towards that.
>
> Amit K Nepal
> (CISM, CISSP, RHCE, CCENT, C|EH, C|HFI, GIAC ISO 27000 Specialist)
>
> On 5/25/2018 1:47 AM, David Schwartz wrote:
>
> > I got a notice from a cPanel hosting site that one of my accounts was nearing its monthly bandwidth limit.
> >
> > That got my attention because this account has nothing going on other than email, and there's no reason it should be anywhere close to its monthly bandwidth limits.
> >
> > In particular, there were no scripts of any kind installed other than index.php that serves as a simple welcome page template.
> >
> > I dug around and discovered the following entry in my FTP access log:
> >
> > Mon May 14 04:17:43 2018 1 186.103.199.252 147274 /home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c
> >
> > About an hour later, I found this in my HTTP log:
> >
> > 85.214.51.131 - - [14/May/2018:05:29:20 -0700] "POST /wp_count.php HTTP/1.1" 200 827 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> >
> > Note that I have not used FTP on this account at all in ages. There are no FTP users defined other than two that cPanel sets up and I cannot disable or remove them.
> >
> > Can anybody tell me what that FTP entry says it's doing?
> >
> > What it appears happened is that it injected a script of some kind that ran and then created several other folders with different names in my public_html folder.
> >
> > The hosting folks keep saying it was probably MY scripts that were exploited, but I had no scripts installed.
> >
> > The names that were given made it LOOK like I had some scripts installed, though. Stuff you wouldn't think twice about seeing in a web folder.
> >
> > Here are some more log entries that resulted from this breach:
> >
> > 85.214.51.131 - - [15/May/2018:09:53:05 -0700] "POST /options.php HTTP/1.1" 200 115 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 64.253.105.72 - - [15/May/2018:09:53:13 -0700] "GET /Invoice-Corrections-for-23/86/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> >
> > … a ton of accesses to this path along with POSTs to /options.php
> >
> > Every once in a while a second URL would show up (referrer?) right before the browser type entry, and sometimes it would be to this folder on my site.
> >
> > Tons and tons of entries like this:
> >
> > 216.177.137.55 - - [16/May/2018:09:35:57 -0700] "POST /options.php HTTP/1.1" 200 35 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 198.199.88.162 - - [16/May/2018:09:40:20 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> >
> > with either 35 or 17 after the 200 response code.
> >
> > Then it switches to this:
> >
> > 193.150.14.77 - - [17/May/2018:10:29:44 -0700] "POST /options.php HTTP/1.1" 200 73 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 46.4.99.77 - - [17/May/2018:10:29:51 -0700] "GET /vZnFeiw1/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> >
> > so it's no longer using /Invoice-Corrections-for… but /vZnFeiw1.
> >
> > NOTE: each of these folders has two files in it: index.php and web.config, which are oddly encoded scripts that were unreadable.
> >
> > Then it switches to this folder:
> >
> > 65.19.178.162 - - [21/May/2018:09:39:19 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 94.176.2.155 - - [21/May/2018:09:39:31 -0700] "GET /ups.com/WebTracking/GR-198010007/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> >
> > Then we get some interesting stuff where GETs and POSTs are replaced with things I've never seen before:
> >
> > 34.239.146.197 - - [22/May/2018:01:30:20 -0700] "OPTIONS /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 136704 "-" "Microsoft Office Protocol Discovery"
> > 34.239.146.197 - - [22/May/2018:01:30:21 -0700] "HEAD /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
> > 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "OPTIONS /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> > 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "OPTIONS /ups.com/WebTracking/ HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> > 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> > 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking/ HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> > 34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
> >
> > Then it switches to this folder:
> >
> > 193.150.14.77 - - [23/May/2018:22:41:09 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 198.199.88.162 - - [23/May/2018:22:41:18 -0700] "GET /Rechnungsanschrift/Rechnung-scan/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> >
> > And at this point I started deleting things:
> >
> > 46.4.99.77 - - [24/May/2018:17:23:12 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 65.19.178.162 - - [24/May/2018:17:27:49 -0700] "POST /options.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 65.19.178.162 - - [24/May/2018:17:27:52 -0700] "POST /assets/css/edit.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 65.19.178.162 - - [24/May/2018:17:27:58 -0700] "POST /assets/images/functions.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 65.19.178.162 - - [24/May/2018:17:27:59 -0700] "POST /assets/common.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 65.19.178.162 - - [24/May/2018:17:28:00 -0700] "POST /css/options.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 65.19.178.162 - - [24/May/2018:17:28:01 -0700] "POST /images/config.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 65.19.178.162 - - [24/May/2018:17:28:01 -0700] "POST /js/image.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> > 185.220.70.236 - - [24/May/2018:17:31:17 -0700] "GET /Rechnungsanschrift/Rechnung-scan/ HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)"
> > 208.80.194.32 - - [24/May/2018:17:32:28 -0700] "GET /vZnFeiw1/ HTTP/1.0" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
> > 193.226.177.40 - - [24/May/2018:17:54:38 -0700] "GET /ups.com/webtracking/gr-198010007 HTTP/1.1" 404 - "-" "Mozilla/4.0"
> >
> > Can you hear it squealing like the Wicked Witch of the East as I started pulling the legs off of this botnet or whatever it was?
> >
> > Looking over the entire log, it's pretty clear that the /options.php file was acting as some kind of a control hub, directing traffic and setting up additional folders with scripts that were then accessed by others around the world.
> >
> > I wish I could see the data that was GETted and POSTed.
> >
> > Does this activity look familiar to anybody?
> >
> > -David Schwartz
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.phxlinux.org/mailman/listinfo/plug-discuss
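The FTP entry David asks about is in the standard xferlog format that Pure-FTPd (cPanel's default), ProFTPD and wu-ftpd all write: after the timestamp come transfer time in seconds (1), remote host (186.103.199.252), byte count (147274), file name, transfer type (b = binary), special action (_ = none), direction (i = incoming, i.e. an upload to the server), access mode (r = a real account login, not anonymous), the account name, the service (ftp), authentication method, authenticated user id (* = none) and completion status (c = complete). In other words, someone logged in to FTP with the account's credentials and uploaded wp_count.php into public_html, and the POST to it an hour later ran it. The script below, an added example that is not part of the thread, decodes that line and then runs the POST /options.php followed by GET to a new "/?s" folder pattern David describes over the thread's own access-log entries, re-typed with straight quotes as a constructed sample. The function names are this example's own, not any tool's.

```python
"""Decode the xferlog entry and the Apache entries quoted in the thread.
Added example, not code from the thread; sample lines are the thread's
entries re-typed with straight quotes (a constructed sample)."""
import re
from datetime import datetime, timedelta

# Field order of the "xferlog" format (Pure-FTPd, ProFTPD, wu-ftpd):
# a 5-token ctime stamp, then these 13 fields.
XFER_FIELDS = ("transfer_secs", "remote_host", "file_size", "filename",
               "transfer_type", "special_action", "direction", "access_mode",
               "username", "service", "auth_method", "auth_user", "status")
XFER_CODES = {
    "transfer_type": {"b": "binary", "a": "ascii"},
    "direction": {"i": "incoming (upload to server)", "o": "outgoing (download)", "d": "delete"},
    "access_mode": {"r": "real account login", "a": "anonymous", "g": "guest"},
    "status": {"c": "complete", "i": "incomplete"},
}


def parse_xferlog(line):
    """Decode one xferlog line; the single-letter codes are spelled out."""
    tokens = line.split()
    if len(tokens) != 5 + len(XFER_FIELDS):
        raise ValueError("not an xferlog entry: %r" % line)
    rec = dict(zip(XFER_FIELDS, tokens[5:]))
    rec["time"] = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    rec["file_size"] = int(rec["file_size"])
    for field, codes in XFER_CODES.items():
        rec[field] = codes.get(rec[field], rec[field])
    return rec


def is_web_upload(rec):
    """A completed inbound transfer of a script into a web root: the event to alert on."""
    return (rec["direction"].startswith("incoming") and rec["status"] == "complete"
            and "/public_html/" in rec["filename"]
            and rec["filename"].endswith((".php", ".phtml")))


# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
APACHE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_apache(text):
    recs = []
    for line in text.splitlines():
        m = APACHE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["status"] = int(rec["status"])
            recs.append(rec)
    return recs


def hub_handoffs(recs, hub="/options.php", window=60):
    """Pair each successful POST to the hub script with a GET from a *different*
    IP to a '/?s' landing path within `window` seconds.  Returns
    (controller_ip, visitor_ip, landing_dir) triples in log order."""
    out = []
    for p in (r for r in recs if r["method"] == "POST" and r["path"] == hub and r["status"] == 200):
        for r in recs:
            if (r["method"] == "GET" and r["ip"] != p["ip"] and r["path"].endswith("/?s")
                    and timedelta(0) <= r["time"] - p["time"] <= timedelta(seconds=window)):
                out.append((p["ip"], r["ip"], r["path"][:-2]))
    return out


# User agents Office and Outlook send when a user follows a hyperlink: the client
# probes the target for WebDAV before handing the URL to the browser.
OFFICE_UA = ("Microsoft Office Protocol Discovery", "Microsoft Office Existence Discovery",
             "Microsoft-WebDAV-MiniRedir")


def office_link_probes(recs):
    """(ip, path) pairs of Office-style probes: recipients opening the link, not new attackers."""
    return sorted({(r["ip"], r["path"]) for r in recs
                   if r["ua"].startswith(OFFICE_UA) and r["method"] in ("OPTIONS", "HEAD", "PROPFIND")})


# Constructed sample: entries quoted in the thread, straight quotes, one per line.
UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/41.0.2228.0 Safari/537.36")
XFER_LINE = ("Mon May 14 04:17:43 2018 1 186.103.199.252 147274 "
             "/home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c")
ACCESS_LOG = "\n".join([
    f'85.214.51.131 - - [14/May/2018:05:29:20 -0700] "POST /wp_count.php HTTP/1.1" 200 827 "-" "{UA}"',
    f'85.214.51.131 - - [15/May/2018:09:53:05 -0700] "POST /options.php HTTP/1.1" 200 115 "-" "{UA}"',
    f'64.253.105.72 - - [15/May/2018:09:53:13 -0700] "GET /Invoice-Corrections-for-23/86/?s HTTP/1.1" 200 2 "-" "{UA}"',
    f'193.150.14.77 - - [17/May/2018:10:29:44 -0700] "POST /options.php HTTP/1.1" 200 73 "-" "{UA}"',
    f'46.4.99.77 - - [17/May/2018:10:29:51 -0700] "GET /vZnFeiw1/?s HTTP/1.1" 200 2 "-" "{UA}"',
    f'65.19.178.162 - - [21/May/2018:09:39:19 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "{UA}"',
    f'94.176.2.155 - - [21/May/2018:09:39:31 -0700] "GET /ups.com/WebTracking/GR-198010007/?s HTTP/1.1" 200 2 "-" "{UA}"',
    '34.239.146.197 - - [22/May/2018:01:30:20 -0700] "OPTIONS /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 136704 "-" "Microsoft Office Protocol Discovery"',
    '34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    f'65.19.178.162 - - [24/May/2018:17:27:49 -0700] "POST /options.php HTTP/1.1" 404 - "-" "{UA}"',
])

if __name__ == "__main__":
    ftp = parse_xferlog(XFER_LINE)
    print("FTP:", ftp["direction"], ftp["filename"], "as", ftp["username"], "from", ftp["remote_host"])
    recs = parse_apache(ACCESS_LOG)
    for ctrl, visitor, landing in hub_handoffs(recs):
        print("controller %s set up %s, first hit by %s" % (ctrl, landing, visitor))
    print("Office link probes:", office_link_probes(recs))
```

On the sample, `hub_handoffs` yields one triple per landing folder (/Invoice-Corrections-for-23/86/, /vZnFeiw1/ and /ups.com/WebTracking/GR-198010007/), each preceded by a 200 POST to /options.php from a different address a few seconds earlier, which is the controller-then-visitor sequence David noticed. The OPTIONS/HEAD/PROPFIND requests with the "Microsoft Office ..." and "Microsoft-WebDAV-MiniRedir" user agents are what Office and Outlook issue when a user clicks a hyperlink, so they point to mail recipients opening the link, which fits Amit's phishing reading of the ups.com path. The practical check on a cPanel account is the FTP side: a completed inbound transfer of a .php file into public_html under the account's own login means the credentials, not a web script, were the entry point, and the password should be rotated and FTP disabled or restricted.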