server compromise (cPanel)

Author: David Schwartz
Date:  
To: Main PLUG discussion list
Subject: server compromise (cPanel)
I got a notice from a cPanel hosting site that one of my accounts was nearing its monthly bandwidth limit.

That got my attention because this account has nothing going on other than email, and there’s no reason it should be anywhere close to its monthly bandwidth limits.

In particular, there were no scripts of any kind installed other than index.php that serves as a simple welcome page template.

I dug around and discovered the following entry in my FTP access log:

Mon May 14 04:17:43 2018 1 186.103.199.252 147274 /home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c

About an hour later, I found this in my HTTP log:

85.214.51.131 - - [14/May/2018:05:29:20 -0700] "POST /wp_count.php HTTP/1.1" 200 827 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”

Note that I have not used FTP on this account at all in ages. There are no FTP users defined other than two that cPanel sets up and I cannot disable or remove them.

Can anybody tell me what that FTP entry says it's doing?


What it appears happened is that it injected a script of some kind that ran and then created several other folders with different names in my public_html folder.

The hosting folks keep saying it was probably MY scripts that were exploited, but I had no scripts installed.

The names that were given made it LOOK like I had some scripts installed, though. Stuff you wouldn’t think twice about seeing in a web folder.


Here are some more log entries that resulted from this breach:

85.214.51.131 - - [15/May/2018:09:53:05 -0700] "POST /options.php HTTP/1.1" 200 115 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”
64.253.105.72 - - [15/May/2018:09:53:13 -0700] "GET /Invoice-Corrections-for-23/86/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”
… a ton of accesses to this path along with POSTs to /options.php

Every once in a while a second URL would show up (referrer?) right before the browser type entry, and sometimes it would be to this folder on my site.

Tons and tons of entries like this:

216.177.137.55 - - [16/May/2018:09:35:57 -0700] "POST /options.php HTTP/1.1" 200 35 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
198.199.88.162 - - [16/May/2018:09:40:20 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”

with either 35 or 17 after the 200 response code


Then it switches to this:

193.150.14.77 - - [17/May/2018:10:29:44 -0700] "POST /options.php HTTP/1.1" 200 73 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
46.4.99.77 - - [17/May/2018:10:29:51 -0700] "GET /vZnFeiw1/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”

So it’s no longer using /Invoice-Corrections-for… but /vZnFeiw1

NOTE: each of these folders has two files in it: index.php and web.config, which are oddly encoded scripts that were unreadable.

Then it switches to this folder:

65.19.178.162 - - [21/May/2018:09:39:19 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
94.176.2.155 - - [21/May/2018:09:39:31 -0700] "GET /ups.com/WebTracking/GR-198010007/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”

Then we get some interesting stuff where GETs and POSTs are replaced with things I’ve never seen before:

34.239.146.197 - - [22/May/2018:01:30:20 -0700] "OPTIONS /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 136704 "-" "Microsoft Office Protocol Discovery"
34.239.146.197 - - [22/May/2018:01:30:21 -0700] "HEAD /ups.com/WebTracking/GR-198010007/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
34.239.146.197 - - [22/May/2018:01:30:25 -0700] "OPTIONS /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
34.239.146.197 - - [22/May/2018:01:30:25 -0700] "OPTIONS /ups.com/WebTracking/ HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking HTTP/1.1" 301 246 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com/WebTracking/ HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
34.239.146.197 - - [22/May/2018:01:30:25 -0700] "PROPFIND /ups.com HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7601”

Then it switches to this folder:

193.150.14.77 - - [23/May/2018:22:41:09 -0700] "POST /options.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
198.199.88.162 - - [23/May/2018:22:41:18 -0700] "GET /Rechnungsanschrift/Rechnung-scan/?s HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36”

And at this point I started deleting things:

46.4.99.77 - - [24/May/2018:17:23:12 -0700] "POST /options.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
65.19.178.162 - - [24/May/2018:17:27:49 -0700] "POST /options.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
65.19.178.162 - - [24/May/2018:17:27:52 -0700] "POST /assets/css/edit.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
65.19.178.162 - - [24/May/2018:17:27:58 -0700] "POST /assets/images/functions.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
65.19.178.162 - - [24/May/2018:17:27:59 -0700] "POST /assets/common.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
65.19.178.162 - - [24/May/2018:17:28:00 -0700] "POST /css/options.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
65.19.178.162 - - [24/May/2018:17:28:01 -0700] "POST /images/config.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
65.19.178.162 - - [24/May/2018:17:28:01 -0700] "POST /js/image.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
185.220.70.236 - - [24/May/2018:17:31:17 -0700] "GET /Rechnungsanschrift/Rechnung-scan/ HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Zoom 3.6.0)"
208.80.194.32 - - [24/May/2018:17:32:28 -0700] "GET /vZnFeiw1/ HTTP/1.0" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
193.226.177.40 - - [24/May/2018:17:54:38 -0700] "GET /ups.com/webtracking/gr-198010007 HTTP/1.1" 404 - "-" "Mozilla/4.0”

Can you hear it squealing like the Wicked Witch of the East as I started pulling the legs off of this bot net or whatever it was?

Looking over the entire log, it’s pretty clear that the /options.php file was acting as some kind of a control hub, directing traffic and setting up additional folders with scripts that were then accessed by others around the world.

I wish I could see the data that was GETted and POSTed.

Does this activity look familiar to anybody?

-David Schwartz
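The FTP line above is a standard xferlog record (the fields after the timestamp are transfer seconds, remote host, byte count, filename, transfer type, special-action flag, direction, access mode, username, service, authentication method, authenticated user id and completion status), and the HTTP lines are Apache combined-format entries. The following Python is an added example, not part of the post: it decodes the xferlog flag fields and then correlates each successful POST to /options.php with the first GET, from a different IP a few seconds later, of a directory not seen before, which is the hub-then-spoke pattern the post describes. The sample log lines are constructed from those quoted in the post (user agents shortened), and the 30-second window is an assumption.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines modelled on the ones quoted in the post (user agent shortened to "UA").
XFERLOG_LINE = "Mon May 14 04:17:43 2018 1 186.103.199.252 147274 /home/xxxxxx/public_html/wp_count.php b _ i r xxxxxx ftp 1 * c"
ACCESS_LOG = """\
85.214.51.131 - - [14/May/2018:05:29:20 -0700] "POST /wp_count.php HTTP/1.1" 200 827 "-" "UA"
85.214.51.131 - - [15/May/2018:09:53:05 -0700] "POST /options.php HTTP/1.1" 200 115 "-" "UA"
64.253.105.72 - - [15/May/2018:09:53:13 -0700] "GET /Invoice-Corrections-for-23/86/?s HTTP/1.1" 200 2 "-" "UA"
216.177.137.55 - - [16/May/2018:09:35:57 -0700] "POST /options.php HTTP/1.1" 200 35 "-" "UA"
193.150.14.77 - - [17/May/2018:10:29:44 -0700] "POST /options.php HTTP/1.1" 200 73 "-" "UA"
46.4.99.77 - - [17/May/2018:10:29:51 -0700] "GET /vZnFeiw1/?s HTTP/1.1" 200 2 "-" "UA"
"""
# xferlog (wu-ftpd / ProFTPD / Pure-FTPd) fields that follow the five-token timestamp, in order.
XFER_FIELDS = ["transfer_secs", "remote_host", "bytes", "filename", "transfer_type",
               "special_action", "direction", "access_mode", "username", "service",
               "auth_method", "auth_user_id", "completion"]
XFER_CODES = {"direction": {"i": "incoming (upload to server)", "o": "outgoing (download)", "d": "deletion"},
              "transfer_type": {"a": "ascii", "b": "binary"},
              "access_mode": {"r": "real user", "a": "anonymous", "g": "guest"},
              "completion": {"c": "complete", "i": "incomplete"}}

def parse_xferlog(line):
    """Split one xferlog line into named fields and decode the single-letter flags."""
    tokens = line.split()
    rec = dict(zip(XFER_FIELDS, tokens[5:]))
    rec["timestamp"] = " ".join(tokens[:5])
    for field, codes in XFER_CODES.items():
        rec[field] = codes.get(rec[field], rec[field])
    return rec

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_spawned_dirs(log_text, hub="/options.php", window_secs=30):
    """Pair each 200 POST to the hub with the first GET of a never-seen directory from another IP."""
    pairs, seen_dirs, pending = [], set(), None
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?")[0]                      # drop the "?s" query string
        if m["method"] == "POST" and path == hub:
            pending = (m["ip"], ts)                         # hub was just driven; watch what follows
        elif m["method"] == "GET" and pending:
            directory = path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"
            if (m["ip"] != pending[0] and ts - pending[1] <= timedelta(seconds=window_secs)
                    and directory not in seen_dirs):
                seen_dirs.add(directory)
                pairs.append((pending[0], m["ip"], directory))
    return pairs
```

On a real log, feed the whole access_log text to find_spawned_dirs and every reported directory is a candidate for inspection and removal, while the decoded xferlog record tells you the upload came in over FTP as a real (password-authenticated) user, which points at credential compromise rather than a script exploit.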



---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss