
Author Topic: Many IPs trying to execute PHP trojan


Offline Spacedust

  • Super Grand Master
  • Posts: 4,050
  • Karma: +1/-0
Many IPs trying to execute PHP trojan
« on: 2015-06-04, 13:36:02 »
It must be part of a botnet. I've removed the contents of this file; if we remove it, it will be re-uploaded with obfuscated massive SPAM sender code:

Quote
91.226.116.42 - - [04/Jun/2015:10:02:09 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
2a01:488:66:1000:53a9:1355:0:1 - - [04/Jun/2015:10:07:41 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
61.126.26.246 - - [04/Jun/2015:10:08:42 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
211.5.174.114 - - [04/Jun/2015:10:27:17 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
129.121.177.162 - - [04/Jun/2015:10:31:27 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
67.214.160.180 - - [04/Jun/2015:10:40:25 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
50.63.185.230 - - [04/Jun/2015:10:48:57 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
2a02:2308::216:3eff:fedc:88ec - - [04/Jun/2015:11:10:34 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
80.91.160.11 - - [04/Jun/2015:11:13:40 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
95.211.42.193 - - [04/Jun/2015:12:16:45 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.155 - - [04/Jun/2015:12:23:31 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
91.226.116.42 - - [04/Jun/2015:12:24:47 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
2001:41d0:52:500::85d - - [04/Jun/2015:12:29:52 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
2a01:7e00::f03c:91ff:fedf:8fa8 - - [04/Jun/2015:12:43:17 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
94.23.214.103 - - [04/Jun/2015:12:49:14 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
2a01:4f8:a0:114a::2 - - [04/Jun/2015:12:50:34 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.185.4.155 - - [04/Jun/2015:13:10:53 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
2001:4800:7811:513:be76:4eff:fe04:9bd7 - - [04/Jun/2015:13:11:13 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
37.157.194.57 - - [04/Jun/2015:13:14:32 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
5.101.157.125 - - [04/Jun/2015:13:16:43 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
85.214.108.120 - - [04/Jun/2015:13:19:47 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
176.9.139.10 - - [04/Jun/2015:13:23:29 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
85.158.181.28 - - [04/Jun/2015:13:31:18 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"

How to diagnose how this file is being uploaded? It's not being uploaded via FTP, so it must be some Apache or PHP script backdoor.

Offline MRatWork

  • Administrator
  • The Elite
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
Re: Many IPs trying to execute PHP trojan
« Reply #1 on: 2015-06-04, 14:25:43 »
Investigate with 'cat /var/log/maillog|grep PWD' to find out where sendmail comes from.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --
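
The access log in the opening post and the 'grep PWD' suggestion in this reply are two halves of one check: which PHP file many unrelated clients are POSTing to, and which directory outgoing mail is being submitted from. The following Python script is an added example, not code from the thread or from Kloxo-MR: it parses both logs and correlates them. Six access-log lines are copied from the post; the 203.0.113.7 entries, the host and user names, and the layout of the maillog lines around the PWD= field are constructed assumptions, not the real Kloxo-MR format.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" access-log line, as pasted in the opening post.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Working directory recorded by a sendmail wrapper: the field 'grep PWD' finds.
PWD_RE = re.compile(r'\bPWD=(?P<pwd>\S+)')

# Constructed sample: six lines from the post plus two ordinary requests from
# a documentation address (203.0.113.7) to show what is NOT flagged.
SAMPLE_ACCESS = """\
91.226.116.42 - - [04/Jun/2015:10:02:09 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
2a01:488:66:1000:53a9:1355:0:1 - - [04/Jun/2015:10:07:41 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
61.126.26.246 - - [04/Jun/2015:10:08:42 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
211.5.174.114 - - [04/Jun/2015:10:27:17 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
91.226.116.42 - - [04/Jun/2015:12:24:47 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
94.23.214.103 - - [04/Jun/2015:12:49:14 +0200] "POST /news/db.php HTTP/1.0" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
203.0.113.7 - - [04/Jun/2015:12:50:00 +0200] "GET /news/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [04/Jun/2015:12:51:10 +0200] "POST /news/comment.php HTTP/1.1" 302 - "http://example.com/news/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Constructed maillog excerpt. Only the PWD= field is what the reply refers to;
# the rest of each line is an assumed layout, not the real wrapper output.
SAMPLE_MAILLOG = """\
Jun  4 10:02:10 srv sendmail[21044]: uid=1005 PWD=/home/cust1/example.com/news to=victim@example.org
Jun  4 10:07:42 srv sendmail[21101]: uid=1005 PWD=/home/cust1/example.com/news to=victim2@example.org
Jun  4 10:08:43 srv sendmail[21155]: uid=1005 PWD=/home/cust1/example.com/news to=victim3@example.org
Jun  4 10:30:00 srv sendmail[21400]: uid=1007 PWD=/home/cust2/shop.example.net to=order@example.net
Jun  4 10:31:00 srv qmail: 1433406660.123 delivery 412: success: did_0+0+1/
"""


def parse_access(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_php_posts(lines, min_ips=5):
    """Map each .php path POSTed to by at least min_ips distinct clients to its stats."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "uas": set(), "ok": 0})
    for line in lines:
        rec = parse_access(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].split("?", 1)[0].endswith(".php"):
            continue
        s = stats[rec["path"]]
        s["hits"] += 1
        s["ips"].add(rec["ip"])
        s["uas"].add(rec["ua"])
        if rec["status"] == "200":
            s["ok"] += 1
    return {
        path: {
            "hits": s["hits"],
            "distinct_ips": len(s["ips"]),
            # One identical User-Agent across many unrelated IPs points to a script.
            "single_user_agent": len(s["uas"]) == 1,
            "ok_responses": s["ok"],
        }
        for path, s in stats.items()
        if len(s["ips"]) >= min_ips
    }


def sendmail_dirs(maillog_lines):
    """Count mail submissions per working directory (the PWD= values)."""
    dirs = Counter()
    for line in maillog_lines:
        m = PWD_RE.search(line)
        if m:
            dirs[m.group("pwd")] += 1
    return dirs


def correlate(findings, dirs):
    """For each flagged web path, list sending directories that end in its folder."""
    out = {}
    for path in findings:
        web_dir = path.rsplit("/", 1)[0]  # "/news/db.php" -> "/news"
        if not web_dir:
            continue  # file in the web root: no directory to match on
        out[path] = {pwd: n for pwd, n in dirs.items() if pwd.endswith(web_dir)}
    return out


if __name__ == "__main__":
    found = suspicious_php_posts(SAMPLE_ACCESS.splitlines())
    sent = sendmail_dirs(SAMPLE_MAILLOG.splitlines())
    for path, info in found.items():
        print(path, info)
    print(correlate(found, sent))
```

On a live box the same functions can be fed the real files (`open("/var/log/httpd/access_log")` and `open("/var/log/maillog")`); the threshold of five distinct clients is arbitrary and should be tuned to the site's normal traffic.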

Offline Spacedust

  • Super Grand Master
  • Posts: 4,050
  • Karma: +1/-0
Re: Many IPs trying to execute PHP trojan
« Reply #2 on: 2015-06-04, 22:36:23 »
Quote
Investigate with 'cat /var/log/maillog|grep PWD' to find out where sendmail comes from.

I know where it is and how to remove it, but the trouble is it always comes back even if I change all passwords.

Offline MRatWork

  • Administrator
  • The Elite
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
Re: Many IPs trying to execute PHP trojan
« Reply #3 on: 2015-06-04, 22:41:09 »
Is it still a problem after adding the '/home/<user>/<domain>' path in '/var/qmail/control/badsendmailfrom'?
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline Spacedust

  • Super Grand Master
  • Posts: 4,050
  • Karma: +1/-0
Re: Many IPs trying to execute PHP trojan
« Reply #4 on: 2015-06-05, 00:20:22 »
Quote
Is it still a problem after adding the '/home/<user>/<domain>' path in '/var/qmail/control/badsendmailfrom'?

I mean someone is uploading this file after I remove it, and it's not being done via FTP, just via the web. It must be some bug in the customer's script, but I cannot find anything wrong with it.

So far I did echo > db.php, which cleared the contents of this file, and these dumb hackers think it's still there, but it's blank ;)

Offline Spacedust

  • Super Grand Master
  • Posts: 4,050
  • Karma: +1/-0
Re: Many IPs trying to execute PHP trojan
« Reply #5 on: 2015-06-07, 14:24:52 »
I had to suspend this domain ;)
