A specific website is keep getting infected files.

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Oct 24, 2017.

  1. pawan

    pawan Member HowtoForge Supporter

    Though it is not related to ISPCONFIG issue, but I need some help in addressing this issue.
    In one particular Joomla website, which I have scanned thoroughly cleaned all the suspicious code and files. disabled ftp. restricted back-end login to just my ip. Updated Joomla to latest version. set the file folder permission as 755 644.
    but every now and then some new suspicious files are seen in some folder or the other.
    for example the file name - qneizknb.php
    Now my question is where and which script is able to create these files. How can I plug this exploit.
    The example codes are like this:
    Code:
    <?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['pf64dc'] = "\x39\x67\x5c\x5b\x3c\x25\x28\x5a\x32\x46\x60\x33\x5d\x69\x7b\x61\x38\x78\x3a\x42\x66\x2d\x65\x27\x77\x37\x5
    2\x2f\x31\x56\x7d\x30\x50\x20\x72\x3b\x43\x4a\x2e\x57\x6b\x6d\x68\x3e\x58\x53\x59\x62\x4c\x71\x7e\x21\x6f\x70\x4d\xd\x5e\x6c\x26\x2c\x48\x51\x29\x74\x22\x5f\
    x79\x41\x6e\x4e\x24\x34\x44\x73\x63\x3f\xa\x64\x47\x55\x4b\x36\x4f\x9\x76\x3d\x54\x7a\x2b\x23\x35\x6a\x75\x2a\x7c\x45\x40\x49";
     
    Last edited: Oct 24, 2017
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Check at which exact time the file was created and then take a look at the access.log of the site, search especially for unusual POST requests. Another option can be that one of the prior hacks placed a cronjob on the system in the crontab of the web user of that site. Check that with:

    crontab -u webXX -l

    webxx must be the web username of the site, e.g. web5

    When your site uses some joomla extensions, then the code problem can be in an extension and not the joomla core.
     
  3. pawan

    pawan Member HowtoForge Supporter

    You are absolutely right Till, The logs shows some post entries which looks apparently suspicious.
    The example like this:
    Code:
    74.220.215.249 - - [24/Oct/2017:00:11:12 +0530] "POST /media/jw_allvideos/wdnsywke.php HTTP/1.0" 200 261 "http://odishaivf.com/media/jw_allvideos/wdnsywke.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:48.0) Gecko/20100101 Firefox/48.0"
    
    198.71.239.31 - - [24/Oct/2017:00:41:48 +0530] "POST /plugins/fabrik_element/textarea/wdqlrjtt.php HTTP/1.0" 404 1469 "http://odishaivf.com/plugins/fabrik_element/textarea/wdqlrjtt.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36"
    
    184.168.152.107 - - [24/Oct/2017:00:41:49 +0530] "POST /libraries/phpass/PasswordHash.php HTTP/1.0" 200 170 "http://odishaivf.com/libraries/phpass/PasswordHash.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
    
    78.110.50.150 - - [24/Oct/2017:00:41:50 +0530] "POST /modules/mod_jacontentslider/tmpl/knyplwwt.php HTTP/1.0" 404 1469 "http://odishaivf.com/modules/mod_jacontentslider/tmpl/knyplwwt.php" "Mozilla/5.0 (iPad; CPU OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1"
    
    103.69.130.48 - - [24/Oct/2017:00:41:53 +0530] "POST /components/com_weblinks/views/categories/pwxiuzol.php HTTP/1.0" 404 1469 "http://odishaivf.com/components/com_weblinks/views/categories/pwxiuzol.php" "Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G935F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
    Now these involves from differeent IPs, blocking IP alone cannot solve the problem. what other option do I have to eliminate the issue?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess these are malware files as well, did you check their content? The names and their locations look suspicious to me.

    It might be that you just missed some files to clean the site and through the missed file, they get in again. Just in case you used ISPProtect to scan it, then please submit the samples of the not recognized files so we can add them to our database.

    One way to protect the site is to use mod_security or its nginx counterpart. Personally, I won't enable these modules server wide, instead, I would install them, disable them server wide and enable them just for the affected site, as these tools might require some fine tuning and whitelisting of rules for each site as they tend to block too much.

    and you checked the crontab?
     
  5. pawan

    pawan Member HowtoForge Supporter

    It looks like I have successfully fixed the website. Still there are "POST" attempts in the log but all of them what I observed either return 404 or 403. just for a confirm I am posting the log here.
    Code:
    182.50.132.109 - - [26/Oct/2017:12:15:51 +0530] "POST /templates/zo2_based/html/com_k2/biahhkvx.php HTTP/1.0" 404 1867 "http://lions322c2.org/templates/zo2_b
    ased/html/com_k2/biahhkvx.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
    
    134.213.213.228 - - [26/Oct/2017:12:15:53 +0530] "POST /components/com_content/views/fcgxastb.php HTTP/1.0" 404 1867 "http://lions322c2.org/components/com_co
    ntent/views/fcgxastb.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
    
    198.199.112.60 - - [26/Oct/2017:12:15:55 +0530] "POST /templates/zo2_based/html/com_k2/biahhkvx.php HTTP/1.1" 404 1194 "http://lions322c2.org/templates/zo2_b
    ased/html/com_k2/biahhkvx.php" "Mozilla/5.0 (iPad; CPU OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.
    1"
    
    107.170.27.110 - - [26/Oct/2017:12:15:57 +0530] "POST /components/com_content/views/fcgxastb.php HTTP/1.1" 404 1194 "http://lions322c2.org/components/com_con
    tent/views/fcgxastb.php" "Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G935F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51
    .0.2704.106 Mobile Safari/537.36"
    
    198.71.234.36 - - [26/Oct/2017:12:16:00 +0530] "POST /templates/zo2_based/html/com_k2/biahhkvx.php HTTP/1.0" 404 1867 "http://lions322c2.org/templates/zo2_ba
    sed/html/com_k2/biahhkvx.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
    
    187.17.106.51 - - [26/Oct/2017:12:16:03 +0530] "POST /components/com_content/views/fcgxastb.php HTTP/1.0" 404 1867 "http://lions322c2.org/components/com_cont
    ent/views/fcgxastb.php" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
    
    ===================
    
    218.244.138.87 - - [27/Oct/2017:02:03:22 +0530] "POST /administrator/modules/mod_toolbar/tmpl/nhpbdfkx.php HTTP/1.0" 403 2065 "http://odishaivf.com/administrator/modules/mod_toolbar/tmpl/nhpbdfkx.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
    
    194.28.172.227 - - [27/Oct/2017:02:03:19 +0530] "POST /plugins/fabrik_validationrule/specialchars/htwkivab.php HTTP/1.0" 404 1469 "http://odishaivf.com/plugins/fabrik_validationrule/specialchars/htwkivab.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
    
    202.71.103.202 - - [27/Oct/2017:02:03:16 +0530] "POST /plugins/fabrik_visualization/fusionchart/models/iohcrhwq.php HTTP/1.0" 404 1469 "http://odishaivf.com/plugins/fabrik_visualization/fusionchart/models/iohcrhwq.php" "Mozilla/5.0 (iPad; CPU OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1"
    
    198.71.228.72 - - [27/Oct/2017:02:03:14 +0530] "POST /administrator/components/com_messages/helpers/biwppoqv.php HTTP/1.0" 403 2065 "http://odishaivf.com/administrator/components/com_messages/helpers/biwppoqv.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393"
    
    198.56.144.123 - - [27/Oct/2017:02:03:10 +0530] "POST /libraries/vendor/symfony/polyfill-php56/qneizknb.php HTTP/1.0" 403 2065 "http://odishaivf.com/libraries/vendor/symfony/polyfill-php56/qneizknb.php" "Mozilla/5.0 (Windows NT 6.1; rv:54.0) Gecko/20100101 Firefox/54.0"
    
    173.201.196.10 - - [27/Oct/2017:01:09:18 +0530] "POST /libraries/src/Updater/vguistrb.php HTTP/1.0" 404 1469 "http://sanjivanitesttubebaby.com/libraries/src/Updater/vguistrb.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
    
    45.124.84.9 - - [27/Oct/2017:01:09:17 +0530] "POST /plugins/fabrik_visualization/fusionchart/language/jxtezseo.php HTTP/1.0" 404 1469 "http://sanjivanitesttubebaby.com/plugins/fabrik_visualization/fusionchart/language/jxtezseo.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
    
    68.66.241.242 - - [27/Oct/2017:01:09:13 +0530] "POST /libraries/src/Updater/vguistrb.php HTTP/1.1" 404 1546 "http://sanjivanitesttubebaby.com/libraries/src/Updater/vguistrb.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1"
    
    88.198.177.200 - - [27/Oct/2017:01:09:11 +0530] "POST /plugins/fabrik_visualization/fusionchart/language/jxtezseo.php HTTP/1.1" 404 1546 "http://sanjivanitesttubebaby.com/plugins/fabrik_visualization/fusionchart/language/jxtezseo.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1"
    
    178.210.90.90 - - [27/Oct/2017:01:09:10 +0530] "POST /libraries/src/Updater/vguistrb.php HTTP/1.0" 404 1469 "http://sanjivanitesttubebaby.com/libraries/src/Updater/vguistrb.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
    
    125.253.112.148 - - [27/Oct/2017:00:22:26 +0530] "POST /libraries/src/Updater/vguistrb.php HTTP/1.0" 404 1469 "http://sanjivanitesttubebaby.com/libraries/src/Updater/vguistrb.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
    
    178.210.90.90 - - [27/Oct/2017:00:22:18 +0530] "POST /language/overrides/iuldcbxk.php HTTP/1.0" 404 1469 "http://sanjivanitesttubebaby.com/language/overrides/iuldcbxk.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1"
    
    45.40.165.29 - - [27/Oct/2017:00:22:15 +0530] "POST /plugins/fabrik_visualization/fusion_gantt_chart/language/lpvdbyir.php HTTP/1.0" 404 1469 "http://sanjivanitesttubebaby.com/plugins/fabrik_visualization/fusion_gantt_chart/language/lpvdbyir.php" "Mozilla/5.0 (Windows NT 6.1; rv:54.0) Gecko/20100101 Firefox/54.0"
    
    186.202.126.233 - - [27/Oct/2017:01:09:09 +0530] "POST /plugins/fabrik_visualization/fusionchart/language/jxtezseo.php HTTP/1.0" 404 1469 "http://sanjivanitesttubebaby.com/plugins/fabrik_visualization/fusionchart/language/jxtezseo.php" "Mozilla/5.0 (iPad; CPU OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1"
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    That looks fine so far. They are still attempring to connect to the Malware that you removed and this should stop in the next days.
     

Share This Page