Author Topic: Uploading backdor in 287  (Read 2391 times)

0 Members and 1 Guest are viewing this topic.

Offline enigmaspb

  • Occasional poster
  • *
  • Posts: 2
    • View Profile
Uploading backdor in 287
« on: March 27, 2015, 11:02:32 AM »
In log i see this

Code: [Select]
2:40:24 42.51.156.54:64512 Requested GET /?search==2:42:45 42.51.156.54:51296 Requested GET /?search==3:02:33 41.203.214.158:53771 Requested GET /

In hfs catalog found 2 files 1.exe and x.vbs - this script install backdoor


Offline bmartino1

  • Tireless poster
  • ****
  • Posts: 870
  • I'm only trying to help i mean no offense.
    • View Profile
    • My HFS Google Drive Shared Link
Re: Uploading backdor in 287
« Reply #1 on: March 27, 2015, 03:33:22 PM »
soame post on russian side:
http://www.rejetto.com/forum/pk/otk-taok-ekoa-e-287/?topicseen

quote code(what i asume you see in your log...) you posted:
------------
2:40:24 42.51.156.54:64512
Requested GET /?search==2:42:45 42.51.156.54:51296
Requested GET /?search==3:02:33 41.203.214.158:53771 Requested GET /
---------

Is a standard search info from ip address: 42.51.156.54
...

Some one was probably snooping your server looking for exe and or vbs files... unknown if you were serving any...

Quote:
In hfs catalog found 2 files 1.exe and x.vbs - this script install backdoor....

You haven't posted info on how/why, so i'm reluctant to believe it is a "backdoor"...

Need more info / if you don't know the ip or don't want it, then ban it...
-----------
(Quote form russian side:)-- google translate:
the catalog is filled with hfs x.vbs and 1.exe and run , eventually installed virus ( backdoor )

While just made empty files with these names and put a flag read-only.
-----------------------------------------------------

Okay, need log file and possible rejeto to take a look into it.

It might be on the line of a "public upload" (to solve, no free uplad - user sign in) hack:
http://www.ehow.com/how_8692274_run-exe-vbscript.html

You upload a vbs script using html and vbs code to run exe files.. the exe file is uploaded and called via the vbs script...
you be surprised what you can do in the web console(debug-ing):
http://www.wiseowl.co.uk/blog/s393/scrape-website-html.htm
« Last Edit: March 27, 2015, 03:41:30 PM by bmartino1 »
I'm only trying to help i mean no offense.
thank you for your time and patience,
Bmartino1

Offline bmartino1

  • Tireless poster
  • ****
  • Posts: 870
  • I'm only trying to help i mean no offense.
    • View Profile
    • My HFS Google Drive Shared Link
Re: Uploading backdor in 287
« Reply #2 on: March 27, 2015, 03:58:10 PM »
first, i didn't hack into you site, as i don't know you IP, or dns name.. DOn't want to...

Here is how i would "recreate" the attack..

I would go about it a different way though:
http://www.htmlgoodies.com/beyond/reference/article.php/3472841

i would create a HTA, and find your public upload folder

upload 3 small files...

the HTA(that can contains the VBS script)
and the "virus" exe, most lilkey a trojan to control the machine...

Then because its http, i would open my hta i the browser, click the button which would run the exe uploaded...

So, my recommendation at this point are:

ban the ip that did the attack
put usernames and passwords on folders that have upload ability
Post the log of the full attack to see if it is a HFS code problem...
I'm only trying to help i mean no offense.
thank you for your time and patience,
Bmartino1

Offline rejetto

  • Administrator
  • Tireless poster
  • *
  • Posts: 12949
    • View Profile
Re: Uploading backdor in 287
« Reply #3 on: March 29, 2015, 11:42:00 AM »
guys, there's nothing to discuss here!
#287 is 2 years old and several SECURITY UPDATES have been published since then.
We KNOW it can be hacked, it's nothing new.
Solution: you just have to allow the automatic updates.

Not only HFS, but any server needs to stay up to date to keep be secure.