File upload method
Hello,
I have CXS and it blocked a suspicious file -
Scan Status: Fingerprint
Scan Time: Sun Sep 19 20:48:59 2021
Scan Type: Web
Original File: /tmp/20210919-204859-YUcxu0gj6EP42MKu-dm9YAAAABM-file-VfJm97
Original File Size: 621B
Original File Type: FingerPrint
Original File Owner: nobody/nobody (65534/65534)
Original File Perms: -rw------- (0600)
Original File atime: Sun Sep 19 20:48:59 2021
Original File ctime: Sun Sep 19 20:48:59 2021
Original File mtime: Sun Sep 19 20:48:59 2021
Original File md5sum: b2abcadb37fdf9fb666f10c18a9d30ee
Original File Status: Quarantined file (exists)
Quarantine File: /home/quarantine/cxscgi/20210919-204859-YUcxu0gj6EP42MKu-dm9YAAAABM-file-VfJm97.1632055739_1
Web User: nobody (65534)
Web Script Owner: ()
Web Script File: /home/xxxxxxxxx/public_html/billing/modules/vtemskitter
Web Script URL: https://xxxxxxxxxxxxxxxxxxxxx//modules/vtemskitter/uploadimage.php
Web Remote IP: 62.4.31.171
Web Remote Referrer:
Scan Message: Known exploit = [Fingerprint Match] [Hacker Sig Exploit [P1810]]

I'd like to know how exactly this file got uploaded?
- FTP disabled (globally)
- SSH disabled
- /var/log/messages - nothing there
Raw access log -
62.4.31.171 - - [19/Sep/2021:20:48:05 +0800] "GET //modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 31838 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:07 +0800] "GET //modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 31845 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:09 +0800] "GET //modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 31843 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:10 +0800] "GET //modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 31850 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:11 +0800] "GET //modules/gamification/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 31839 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:13 +0800] "GET //modules/gamification/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 31846 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:14 +0800] "POST //modules/smartprestashopthemeadmin/ajax_smartprestashopthemeadmin.php HTTP/1.1" 404 31836 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:22 +0800] "POST //modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=XSam-XAdoo&data_type=image HTTP/1.1" 404 31804 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:29 +0800] "GET //modules/jmsslider/views/img/layers/xsam_xadoo_bot.php HTTP/1.1" 404 31821 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:40 +0800] "POST //modules/groupcategory/GroupCategoryUploadImage.php HTTP/1.1" 404 31818 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:52 +0800] "POST //modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 404 31826 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:54 +0800] "GET //modules/verticalmegamenus/images/temps/xsam_xadoo_bot.php HTTP/1.1" 404 31825 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:55 +0800] "POST //modules/fieldvmegamenu/ajax/upload.php HTTP/1.1" 404 31806 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:57 +0800] "GET //modules/fieldvmegamenu/uploads/xsam_xadoo_bot.php HTTP/1.1" 404 31817 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:59 +0800] "POST //modules/vtemskitter/uploadimage.php HTTP/1.1" 404 31803 "-" "python-requests/2.26.0"
Any ideas? Thanks
Hey there! Is the uploadimage.php file not normally a part of the software being used? If not, I'd be checking that site's software for plugins that could be vulnerable. It's also possible this happened through the cPanel >> File Manager tool if someone got the cPanel password for the account.
Hi, thanks for the reply. No, it's not a part of the script. I will reset my cPanel password. What is the meaning of this "python-requests/2.26.0"? Any ideas?
That portion of the request is the user agent, which likely indicates a bot of some sort. You can find more details on that specific user agent here: User agent string "python-requests/2.26.0"
I find this interesting... In the CXS message it says the script used is: Web Script URL. The status code is 404, so that file /modules/vtemskitter/uploadimage.php does not exist. How can the uploadimage.php script create a file in /tmp if uploadimage.php does not exist? By the way, if you search for "vtemskitter vulnerability" you get some interesting results.
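Added example, not code from the thread, from cPanel or from ConfigServer: a Python triage script for the two questions raised above, "how did the file get there" in the opening post and "how can a 404 script write to /tmp" in the comment just before this. It correlates the CXS report's scan time and script path with the access-log line at the same second, profiles the client that sent it, and checks the quarantined file's name against the pattern ModSecurity 2.x uses for multipart upload temp files in SecTmpDir (`<YYYYMMDD-HHMMSS>-<unique_id>-file-<random>`). The name in the report matches that pattern and the quarantine directory is the cxscgi one, which is consistent with the upload having been captured by the CXS ModSecurity hook while the request body was being buffered, before Apache answered 404 for the missing script; that is an inference from the report, not something the thread confirms. The log sample is a constructed subset of the lines quoted in the post plus one made-up benign request from `198.51.100.7`; the upload-endpoint heuristic and the flagging thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: six of the scanner's lines from the thread plus one
# made-up benign request (198.51.100.7) so the profiler has a negative case.
ACCESS_LOG = """\
62.4.31.171 - - [19/Sep/2021:20:48:05 +0800] "GET //modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 31838 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:22 +0800] "POST //modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=XSam-XAdoo&data_type=image HTTP/1.1" 404 31804 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:29 +0800] "GET //modules/jmsslider/views/img/layers/xsam_xadoo_bot.php HTTP/1.1" 404 31821 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:55 +0800] "POST //modules/fieldvmegamenu/ajax/upload.php HTTP/1.1" 404 31806 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:57 +0800] "GET //modules/fieldvmegamenu/uploads/xsam_xadoo_bot.php HTTP/1.1" 404 31817 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:59 +0800] "POST //modules/vtemskitter/uploadimage.php HTTP/1.1" 404 31803 "-" "python-requests/2.26.0"
198.51.100.7 - - [19/Sep/2021:20:49:10 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Values copied from the CXS report in the thread.
CXS_SCAN_TIME = "Sun Sep 19 20:48:59 2021"
CXS_TMP_FILE = "/tmp/20210919-204859-YUcxu0gj6EP42MKu-dm9YAAAABM-file-VfJm97"
CXS_SCRIPT_PATH = "/modules/vtemskitter/uploadimage.php"

LINE_RE = re.compile(  # Apache combined log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# ModSecurity 2.x stores each multipart file part in SecTmpDir as
# <YYYYMMDD-HHMMSS>-<unique_id>-file-<random>: written by the WAF, not by a script.
MODSEC_TMP_RE = re.compile(r"^(?P<stamp>\d{8}-\d{6})-(?P<txid>[A-Za-z0-9@_-]+)-file-\w+$")
UPLOAD_HINT = re.compile(r"upload|ajax", re.I)  # assumed heuristic for upload endpoints

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    # Drop the offset: the log and the CXS report are both in server local time.
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    e["status"] = int(e["status"])
    # Strip the query string and collapse the leading "//" the scanner sends.
    e["path"] = re.sub(r"^/+", "/", e["path"].split("?", 1)[0])
    return e

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def describe_tmp_file(path):
    """Return (timestamp, transaction id) if the name follows ModSecurity's pattern."""
    m = MODSEC_TMP_RE.match(path.rsplit("/", 1)[-1])
    return (m.group("stamp"), m.group("txid")) if m else None

def find_upload_request(entries, scan_time, script_path):
    """Correlate the CXS report with the log: same second, same script path."""
    t = datetime.strptime(scan_time, "%a %b %d %H:%M:%S %Y")
    return next((e for e in entries if e["time"] == t and e["path"] == script_path), None)

def module_of(path):
    """'/modules/<name>/...' -> '<name>', else None."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) > 1 and parts[0] == "modules" else None

def profile_clients(entries, window_seconds=120, min_misses=3):
    """Group requests by client IP and flag upload-probing scanners: within the window,
    POSTs to upload-looking endpoints followed by a GET of a .php under the same
    module (checking whether the dropped file landed), with mostly 404 answers."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    profiles = {}
    for ip, es in by_ip.items():
        es.sort(key=lambda e: e["time"])
        span = (es[-1]["time"] - es[0]["time"]).total_seconds()
        misses = sum(e["status"] == 404 for e in es)
        posts = [e for e in es if e["method"] == "POST" and UPLOAD_HINT.search(e["path"])]
        probes = [e["path"] for e in es
                  if e["method"] == "GET" and e["path"].endswith(".php") and module_of(e["path"])
                  and any(module_of(p["path"]) == module_of(e["path"]) and e["time"] >= p["time"]
                          for p in posts)]
        profiles[ip] = {
            "requests": len(es), "span_seconds": span, "not_found": misses,
            "upload_posts": [e["path"] for e in posts], "shell_probes": probes,
            "user_agents": sorted({e["ua"] for e in es}),
            "flagged": span <= window_seconds and misses >= min_misses and bool(posts) and bool(probes),
        }
    return profiles

def triage():
    entries = parse_log(ACCESS_LOG)
    profiles = profile_clients(entries)
    return {
        "tmp_file": describe_tmp_file(CXS_TMP_FILE),
        "upload_request": find_upload_request(entries, CXS_SCAN_TIME, CXS_SCRIPT_PATH),
        "flagged_ips": sorted(ip for ip, p in profiles.items() if p["flagged"]),
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(key, "=>", value)
```

On the sample, the request matched to the report is the `POST //modules/vtemskitter/uploadimage.php` that Apache answered with 404, so no PHP script ran for it; the POST body still reached the server and was buffered as a temp file, which is where CXS fingerprinted it. The same client is flagged because it POSTs to three upload-style endpoints and then fetches `xsam_xadoo_bot.php` under the modules it just posted to, all in under a minute.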
Yeah, exactly. I don't see any uploads etc., but I have no idea how they're trying to upload this file.
It may be worth looking into the vulnerability that @quietFinn mentioned as it's always possible that could be related to the odd behavior you're seeing.