
Author Topic: Non-stop hacks  (Read 4609 times)


Offline Spacedust

  • Super Grand Master
  • ****
  • Posts: 4,050
  • Karma: +1/-0
Non-stop hacks
« on: 2015-09-14, 10:12:13 »
Something is putting encoded files on one customer's account and changing its PHP scripts.

Permissions are fine, all software is up to date, and it happens even with my self-made scripts.

Then they are being executed like this:

Quote
217.16.10.55 - - [14/Sep/2015:09:37:10 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
37.140.192.51 - - [14/Sep/2015:09:38:41 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
178.62.244.117 - - [14/Sep/2015:09:43:22 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
173.201.196.144 - - [14/Sep/2015:09:45:13 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
201.49.15.117 - - [14/Sep/2015:09:45:41 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
69.195.124.83 - - [14/Sep/2015:09:48:02 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
107.182.142.195 - - [14/Sep/2015:09:50:23 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
188.120.239.76 - - [14/Sep/2015:09:53:19 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
205.144.171.38 - - [14/Sep/2015:09:55:01 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
173.201.196.31 - - [14/Sep/2015:09:57:20 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
50.62.176.167 - - [14/Sep/2015:09:59:44 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
91.221.34.10 - - [14/Sep/2015:10:01:11 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
97.74.144.196 - - [14/Sep/2015:10:02:02 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
72.167.232.155 - - [14/Sep/2015:10:04:21 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
68.178.254.121 - - [14/Sep/2015:10:06:43 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
50.63.196.147 - - [14/Sep/2015:10:09:01 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
198.71.227.36 - - [14/Sep/2015:10:13:19 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 404 4199 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
77.65.80.246 - - [14/Sep/2015:10:13:56 +0200] "POST /panel/index.php?akcja=loguj HTTP/1.0" 200 565 "http://plotkara.com.pl/panel/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
184.168.27.177 - - [14/Sep/2015:10:15:40 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 404 4199 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
97.74.24.182 - - [14/Sep/2015:10:17:13 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 404 4199 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
163.178.107.196 - - [14/Sep/2015:10:18:07 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 404 4199 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
Re: Non-stop hacks
« Reply #1 on: 2015-09-14, 10:34:42 »
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline Spacedust

  • Super Grand Master
  • ****
  • Posts: 4,050
  • Karma: +1/-0
Re: Non-stop hacks
« Reply #2 on: 2015-09-14, 11:13:02 »
I've removed this folder. We will see if it helps.

Offline dkstiler

  • Junior Member
  • *
  • Posts: 3
  • Karma: +0/-0
  • Gender: Male
Re: Non-stop hacks
« Reply #3 on: 2015-09-14, 22:57:57 »
Well, Mustafa could be right; I have faced CGI-bin attacks on my previous server! The only solution I came up with was to block access for everyone except localhost, through the web-server configuration!

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
Re: Non-stop hacks
« Reply #4 on: 2015-09-15, 03:56:34 »
Why not use 'disable cgi' in 'limit' for certain clients?

Offline Spacedust

  • Super Grand Master
  • ****
  • Posts: 4,050
  • Karma: +1/-0
Re: Non-stop hacks
« Reply #5 on: 2015-09-17, 00:21:58 »
Another hack (not an FTP hack):

Quote
184.168.200.75 - - [16/Sep/2015:23:22:49 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
5.101.156.80 - - [16/Sep/2015:23:25:03 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
97.74.144.84 - - [16/Sep/2015:23:27:29 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
72.167.190.33 - - [16/Sep/2015:23:32:10 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
184.168.200.98 - - [16/Sep/2015:23:33:12 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
109.120.191.253 - - [16/Sep/2015:23:34:33 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
185.33.60.178 - - [16/Sep/2015:23:36:48 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
50.62.161.179 - - [16/Sep/2015:23:39:08 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
50.62.177.224 - - [16/Sep/2015:23:41:05 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
198.71.228.42 - - [16/Sep/2015:23:41:28 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
50.62.177.31 - - [16/Sep/2015:23:43:50 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
95.173.172.164 - - [16/Sep/2015:23:46:47 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
69.195.124.196 - - [16/Sep/2015:23:48:28 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
184.168.46.4 - - [16/Sep/2015:23:49:09 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
119.59.120.8 - - [16/Sep/2015:23:51:06 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
184.168.27.28 - - [16/Sep/2015:23:53:09 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
97.74.144.122 - - [16/Sep/2015:23:55:28 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
37.9.169.24 - - [16/Sep/2015:23:57:09 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
198.71.228.23 - - [16/Sep/2015:23:57:47 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
112.213.95.177 - - [17/Sep/2015:00:00:07 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
173.201.196.134 - - [17/Sep/2015:00:04:49 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
184.168.66.81 - - [17/Sep/2015:00:05:15 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
188.127.239.161 - - [17/Sep/2015:00:07:22 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
93.125.99.57 - - [17/Sep/2015:00:09:29 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
212.232.27.174 - - [17/Sep/2015:00:13:11 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
46.32.233.97 - - [17/Sep/2015:00:14:16 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
103.28.37.99 - - [17/Sep/2015:00:16:37 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
162.242.241.42 - - [17/Sep/2015:00:18:59 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
93.186.115.37 - - [17/Sep/2015:00:21:17 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
50.63.197.96 - - [17/Sep/2015:00:23:21 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 404 4199 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
91.81.41.90 - - [17/Sep/2015:00:23:44 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 404 4199 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
75.126.126.215 - - [17/Sep/2015:00:25:57 +0200] "POST /obrazki/20150903/utf43.php HTTP/1.0" 404 4199 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
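Both log excerpts in this thread (the /cgi-bin/stats94.php one and the /obrazki/20150903/utf43.php one) show the same shape: a single odd PHP file is POSTed to by a long list of unrelated IPs, every request is HTTP/1.0 with no Referer, the reply is a 200 with a constant 92-byte body, the User-Agent rotates among the same four stale browser strings, and the hits turn into 404s the moment the file is removed. That shape is easy to pull out of an access log automatically. The script below is an added example written for this page, not code from the thread or from Kloxo-MR. It parses NCSA combined-format lines (what Apache and Nginx write by default) and flags POST targets hit by many distinct IPs when those hits also lack a Referer or speak HTTP/1.0. The embedded log lines are constructed (RFC 5737 addresses) and modeled on the ones posted above; the `min_ips` and `min_ip_ratio` thresholds are assumptions to tune against your own traffic.

```python
"""Flag web-shell style POST traffic in a combined-format access log.

Signal: one path is POSTed to by many unrelated IPs, with no Referer and
HTTP/1.0 on every hit.  A real form (the /panel/ login in the sample) gets
repeat POSTs from the same user and carries a Referer, so it is not flagged.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample modeled on the thread's excerpts; RFC 5737 addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Sep/2015:09:37:10 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
192.0.2.11 - - [14/Sep/2015:09:38:41 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
192.0.2.12 - - [14/Sep/2015:09:43:22 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
192.0.2.13 - - [14/Sep/2015:09:45:13 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
192.0.2.14 - - [14/Sep/2015:09:45:41 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
198.51.100.7 - - [14/Sep/2015:09:48:02 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
198.51.100.7 - - [14/Sep/2015:10:13:19 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 404 4199 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
203.0.113.5 - - [14/Sep/2015:10:13:56 +0200] "POST /panel/index.php?akcja=loguj HTTP/1.1" 200 565 "http://www.example.com/panel/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
203.0.113.5 - - [14/Sep/2015:10:14:30 +0200] "POST /panel/index.php?akcja=loguj HTTP/1.1" 302 0 "http://www.example.com/panel/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
203.0.113.9 - - [14/Sep/2015:10:15:02 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
"""

# NCSA combined format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    if len(parts) != 3:                    # junk request line (raw TLS bytes etc.)
        return None
    rec["method"], target, rec["proto"] = parts
    rec["path"] = urlsplit(target).path    # drop the query string, keep the script
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def summarize_post_targets(lines):
    """Per POSTed path: hits, distinct IPs/UAs, statuses, and how many hits
    lack a Referer or use HTTP/1.0."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "uas": set(),
                                 "statuses": set(), "no_referer": 0, "http10": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        s = stats[rec["path"]]
        s["hits"] += 1
        s["ips"].add(rec["ip"])
        s["uas"].add(rec["ua"])
        s["statuses"].add(rec["status"])
        s["no_referer"] += int(rec["referer"] in ("", "-"))
        s["http10"] += int(rec["proto"] == "HTTP/1.0")
    return stats


def find_suspicious_post_targets(lines, min_ips=5, min_ip_ratio=0.8):
    """Flag POST targets hit by >= min_ips distinct IPs where at least
    min_ip_ratio of the hits come from a different IP, and every hit also
    lacks a Referer or speaks HTTP/1.0.  Thresholds are assumptions."""
    flagged = {}
    for path, s in summarize_post_targets(lines).items():
        ip_spread = (len(s["ips"]) >= min_ips
                     and len(s["ips"]) / s["hits"] >= min_ip_ratio)
        no_referer = s["no_referer"] == s["hits"]
        http10 = s["http10"] == s["hits"]
        if ip_spread and (no_referer or http10):
            flagged[path] = {
                "hits": s["hits"],
                "distinct_ips": len(s["ips"]),
                "distinct_uas": len(s["uas"]),
                "statuses": sorted(s["statuses"]),
                "reasons": [r for r, hit in (("many distinct source IPs", ip_spread),
                                             ("no Referer on any request", no_referer),
                                             ("all requests HTTP/1.0", http10)) if hit],
            }
    return flagged


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for path, info in find_suspicious_post_targets(source).items():
        print(f"{path}: {info['distinct_ips']} IPs / {info['hits']} POSTs, "
              f"{info['distinct_uas']} UAs, statuses {info['statuses']}; "
              f"{', '.join(info['reasons'])}")
```

Run it as `python3 flag_shell_posts.py /var/log/httpd/example.com-access_log` (the script name and log path are placeholders). On the sample it reports only /cgi-bin/stats94.php, and a hit appearing as a 404 is still counted, which is what tells you the file was removed after the bots had already learned its URL. The flagged path is only a starting point: the file itself, its mtime, and whatever wrote it (FTP credentials, an upload form in /obrazki/, a vulnerable script) still need to be examined by hand.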

Offline Spacedust

  • Super Grand Master
  • ****
  • Posts: 4,050
  • Karma: +1/-0
Re: Non-stop hacks
« Reply #6 on: 2015-09-19, 11:49:08 »
Example code:

 

