File doesn't exist, yet the post request is getting 200 response

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Nov 11, 2017 at 9:26 AM.

  1. pawan

    pawan Member HowtoForge Supporter

    It appears like two of my website is badly effected by malicious code, getting rid of them has really become a challenge.

    here is a copy of the logs I have after cleaning the website:
    Code:
    [email protected]:/var/www/lions322c2.org/log# tail -n200 access.log | grep "POST"
    212.83.155.65 - - [11/Nov/2017:13:09:47 +0530] "POST /administrator/index.php HTTP/1.1" 403 1120 "http://lions322c2.org/administrator/index.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_39_86) AppleWebKit/532.80.28 (KHTML, like Gecko) Chrome/56.2.7973.1601 Safari/532.10 Edge/36.14228"
    5.9.31.30 - - [11/Nov/2017:13:29:14 +0530] "POST /gdotoq HTTP/1.1" 404 1193 "http://lions322c2.org/gdotoq" "Mozilla/5.0 (iPad; CPU OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1"
    5.9.31.30 - - [11/Nov/2017:13:29:15 +0530] "POST /ffsxhap HTTP/1.1" 200 389 "http://lions322c2.org/ffsxhap" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
    Now I have double checked the web root, no such file "ffsxhap" exist there.
    How should handle this, really ran out of idea?
     
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Are you using apache, then maybe there is a .htaccess in the web root.
     
  3. pawan

    pawan Member HowtoForge Supporter

    Hi Croydon, Yes I am using Apache and there is .htaccess in the web root.
     
  4. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    And what content is in there?
     
  5. pawan

    pawan Member HowtoForge Supporter

    The contents like this:
    Code:
    ##
    # @package        Joomla
    # @copyright    Copyright (C) 2005 - 2012 Open Source Matters. All rights reserved.
    # @license        GNU General Public License version 2 or later; see LICENSE.txt
    ##
    
    ##
    # READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!
    #
    # The line just below this section: 'Options +FollowSymLinks' may cause problems
    # with some server configurations.  It is required for use of mod_rewrite, but may already
    # be set by your server administrator in a way that dissallows changing it in
    # your .htaccess file.  If using it causes your server to error out, comment it out (add # to
    # beginning of line), reload your site in your browser and test your sef url's.  If they work,
    # it has been set by your server administrator and you do not need it set here.
    ##
    
    ## Can be commented out if causes errors, see notes above.
    Options +FollowSymLinks
    
    ## Mod_rewrite in use.
    
    RewriteEngine On
    
    ## Begin - Rewrite rules to block out some common exploits.
    # If you experience problems on your site block out the operations listed below
    # This attempts to block the most common type of exploit `attempts` to Joomla!
    #
    # Block out any script trying to base64_encode data within the URL.
    RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
    # Block out any script that includes a <script> tag in URL.
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    # Block out any script trying to set a PHP GLOBALS variable via URL.
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # Block out any script trying to modify a _REQUEST variable via URL.
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # Return 403 Forbidden header and show the content of the root homepage
    RewriteRule .* index.php [F]
    #
    ## End - Rewrite rules to block out some common exploits.
    
    ## Begin - Custom redirects
    #
    # If you need to redirect some pages, or set a canonical non-www to
    # www redirect (or vice versa), place that code here. Ensure those
    # redirects use the correct RewriteRule syntax and the [R=301,L] flags.
    #
    ## End - Custom redirects
    
    ##
    # Uncomment following line if your webserver's URL
    # is not directly related to physical file paths.
    # Update Your Joomla! Directory (just / for root).
    ##
    
    # RewriteBase /
    
    ## Begin - Joomla! core SEF Section.
    #
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    #
    # If the requested path and file is not /index.php and the request
    # has not already been internally rewritten to the index.php script
    RewriteCond %{REQUEST_URI} !^/index\.php
    # and the request is for something within the component folder,
    # or for the site root, or for an extensionless URL, or the
    # requested URL ends with one of the listed extensions
    RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
    # and the requested path and file doesn't directly match a physical file
    RewriteCond %{REQUEST_FILENAME} !-f
    # and the requested path and file doesn't directly match a physical folder
    RewriteCond %{REQUEST_FILENAME} !-d
    # internally rewrite the request to the index.php script
    RewriteRule .* index.php [L]
    #
    ## End - Joomla! core SEF Section.
    # BEGIN Compress text files
    <ifModule mod_deflate.c>
      <filesMatch "\.(css|js|x?html?|php)$">
        SetOutputFilter DEFLATE
      </filesMatch>
    </ifModule>
    # END Compress text files
    
    # BEGIN Expire headers
      ExpiresActive On
      ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/pdf "access plus 1 month"
    ExpiresByType text/x-javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType application/x-shockwave-flash "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresDefault "access plus 2 days"
    # END Expire headers
    
    
     
  6. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    As you can see, there is a rewrite rule, that routes every request to files that don't exist to the index.php. Which code is sent then depends on Joomla.
     

Share This Page