Portal Home > Knowledgebase > Articles Database > Hacker uploading exploits on site in strange way


Hacker uploading exploits on site in strange way




Posted by www_webhost, 10-04-2012, 02:14 PM
Hello, There is a account on our server that we setup recently, its a blank account that just have a page index.html to display "website under construction" message, but then also some how hackers are managing to upload exploit to this account everyday and cxs exploit scanner quarantines them everyday. The file that is reported by cxs does not even exists. I am puzzled how they are able to upload such exploits. Alerts sent to me by CXS exploit scanner are as below - ################################################## Scanning web upload script file... Time : Thu Oct 4 22:44:10 2012 Web referer URL : Local IP : <> Web upload script user : nobody (99) Web upload script owner: () Web upload script path : /home/useraccname/public_html/admin Web upload script URL : http://www.userdomain-name.com/admin/categories.php/login.php?cPath=&action=new_product_preview Remote IP : 64.59.72.248 Deleted : No Quarantined : Yes [/quarantinefolder/nobody/20121004-224410-UG3D4myj18IAADxvHjcAAAAK-file-b1Q37H.1349370850_1] NOTE: This alert may be a ModSecurity false-positive as /home/useraccname/public_html/admin does not exist ----------- SCAN REPORT ----------- (/usr/sbin/cxs --smtp --options mMOLfSGchexdnwZDR --filemax 10000 --ignore /etc/cxs/cxs.ignore --sizemax 500000 --xtra /etc/cxs/cxs.xtra --summary --quarantine /quarantinefolder --mail root --logfile /var/log/cxs.log --quiet --timemax 30 --qoptions Mv --cgi --doptions Mv --virusscan --clamdsock /var/clamd --exploitscan /tmp/20121004-224410-UG3D4myj18IAADxvHjcAAAAK-file-b1Q37H) # Known exploit = [Fingerprint Match] [Perl Hidden Process Exploit [P0044]]: '/tmp/20121004-224410-UG3D4myj18IAADxvHjcAAAAK-file-b1Q37H' ################################################## The path mentioned - http://www.userdomain-name.com/admin[/url] /categories.php/login.php?cPath=&action=new_product_preview does not exists, even then hackers are using it and uploading the exploits. plz tell me how to fix this issue so hacker cannot upload such exploits on our server. Thanks Last edited by www_webhost; 10-04-2012 at 02:19 PM.

Posted by kevincheri, 10-04-2012, 02:24 PM
have you checked the domain access logs and see any POST requests?, also see if the domain user has left any files in /tmp

Posted by rapturetrumpet, 10-04-2012, 02:26 PM
I suggest, you look for a server administrator, in the offers section, and have them perform a security audit of your server. The hacker might have gotten in a back door, such as outdated software or a plugin that haven't been updated. They might have also rooted your server with a backdoor Trojan.

Posted by www_webhost, 10-04-2012, 02:34 PM
Here are the domlogs for this domain - 180.76.5.142 - - [04/Oct/2012:22:37:07 +0530] "GET /specials.php?osCsid=pphdh74gijg2kp4ud1715cgba2 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.6.231 - - [04/Oct/2012:22:37:12 +0530] "GET /product_info.php?cPath=5&products_id=122&osCsid=vao1cd27uemljeiaeueueoqlf6 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 86.18.220.212 - - [04/Oct/2012:22:39:07 +0530] "GET /index.php?cPath=1&osCsid=2aktgoaualqj413apal26it7h1 HTTP/1.1" 404 - "http://www.google.co.uk/url?sa=t&rct=j&q=khazana%20bharuch&source=web&cd=3&ved=0CC0QjBAwAg&url=http%3A%2F%2Fwww.user-domain-name.com%2Findex.php%3FcPath%3D1%26osCsid%3D2aktgoaualqj413apal26it7h1&ei=sMJtUPO2EOfZ0QXzpICQCg&usg=AFQjCNGMljXLe78ShbHNQcocnb40R97WCQ" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" 86.18.220.212 - - [04/Oct/2012:22:39:13 +0530] "GET /contact_us.php HTTP/1.1" 404 - "http://www.google.co.uk/url?sa=t&rct=j&q=khazana%20bharuch&source=web&cd=2&ved=0CCUQjBAwAQ&url=http%3A%2F%2Fwww.user-domain-name.com%2Fcontact_us.php&ei=sMJtUPO2EOfZ0QXzpICQCg&usg=AFQjCNFCeIKVCvVC7LhlDwDXficvggSHyA" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" 86.18.220.212 - - [04/Oct/2012:22:39:18 +0530] "GET /reviews.php?osCsid=0rsm22g966locgvs7u7o8p9oa0 HTTP/1.1" 404 - "http://www.google.co.uk/url?sa=t&rct=j&q=khazana%20bharuch&source=web&cd=5&ved=0CCkQjBAwBA&url=http%3A%2F%2Fwww.user-domain-name.com%2Freviews.php%3FosCsid%3D0rsm22g966locgvs7u7o8p9oa0&ei=sMJtUPO2EOfZ0QXzpICQCg&usg=AFQjCNHKwLA6NW8cA3AfcwDiZ_0HHlNiAg" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" 86.18.220.212 - - [04/Oct/2012:22:39:22 +0530] "GET /index.php?cPath=1_3&osCsid=ggj6engc0h20uroaa0l2ihn1d3 HTTP/1.1" 404 - "http://www.google.co.uk/url?sa=t&rct=j&q=khazana%20bharuch&source=web&cd=7&ved=0CDkQjBAwBg&url=http%3A%2F%2Fwww.user-domain-name.com%2Findex.php%3FcPath%3D1_3%26osCsid%3Dggj6engc0h20uroaa0l2ihn1d3&ei=sMJtUPO2EOfZ0QXzpICQCg&usg=AFQjCNGi_leiyLPQo07B8VEXJNmcPMvqKw" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" 86.18.220.212 - - [04/Oct/2012:22:39:27 +0530] "GET /index.php?cPath=2&osCsid=701d7bfe51662cd5f6f1aef7ea76349c HTTP/1.1" 404 - "http://www.google.co.uk/url?sa=t&rct=j&q=khazana%20bharuch&source=web&cd=4&ved=0CDUQjBAwAw&url=http%3A%2F%2Fwww.user-domain-name.com%2Findex.php%3FcPath%3D2%26osCsid%3D701d7bfe51662cd5f6f1aef7ea76349c&ei=sMJtUPO2EOfZ0QXzpICQCg&usg=AFQjCNEF4FWOPybEkb2YiGIQhwLxQb5vuQ" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" 64.59.72.248 - - [04/Oct/2012:22:40:28 +0530] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" 64.59.72.248 - - [04/Oct/2012:22:41:02 +0530] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" 81.111.56.17 - - [04/Oct/2012:22:41:31 +0530] "GET /ViewItem.php?ItemID=78 HTTP/1.1" 404 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_8) AppleWebKit/534.50.2 (KHTML, like Gecko) Version/5.0.6 Safari/533.22.3" 64.59.72.248 - - [04/Oct/2012:22:42:23 +0530] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" 64.59.72.248 - - [04/Oct/2012:22:42:44 +0530] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" 180.76.5.156 - - [04/Oct/2012:22:44:07 +0530] "GET /specials.php?osCsid=r03kh397pn1se1o6i8m5s2mf42 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 64.59.72.248 - - [04/Oct/2012:22:44:10 +0530] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" 180.76.5.89 - - [04/Oct/2012:22:44:12 +0530] "GET /specials.php?osCsid=s54ui0kd932jo5duo81h3oqk14 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.175 - - [04/Oct/2012:22:44:17 +0530] "GET /product_info.php?products_id=101?osCsid=of78r7qbdulrink4vgspaoqrk6 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.113 - - [04/Oct/2012:22:44:23 +0530] "GET /account.php?osCsid=1qhfqou72vd397tclk46l6etd6 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.113 - - [04/Oct/2012:22:51:15 +0530] "GET /specials.php?osCsid=qdtpq22s1g39ui78ntjn46rsb6 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.98 - - [04/Oct/2012:22:51:23 +0530] "GET /account.php?osCsid=2dpktapf8nb1451hasisumkqq2 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.59 - - [04/Oct/2012:22:51:25 +0530] "GET /account.php?osCsid=8slvhvphq6d5adu9j44bisns64 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.185 - - [04/Oct/2012:22:51:31 +0530] "GET /account.php?osCsid=ad7r877qg0ri9bivj2f5dtsno4 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.66 - - [04/Oct/2012:22:58:28 +0530] "GET /account.php?osCsid=b2rcde2smavverljep5gvtm2b0 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.140 - - [04/Oct/2012:22:58:33 +0530] "GET /account.php?osCsid=c3ado0c03b53h25lrao389rul6 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.154 - - [04/Oct/2012:22:58:39 +0530] "GET /account.php?osCsid=cl4csjo6hjgt36as7ifdrhfpv0 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.103 - - [04/Oct/2012:22:58:46 +0530] "GET /product_info.php?products_id=102?osCsid=v3a3d1sv199gqr3ga5k3r0eqm7 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 115.242.84.242 - - [04/Oct/2012:23:04:59 +0530] "GET /admin/categories.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1" 115.242.84.242 - - [04/Oct/2012:23:04:59 +0530] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1" 115.242.84.242 - - [04/Oct/2012:23:05:09 +0530] "GET /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1" 115.242.84.242 - - [04/Oct/2012:23:05:22 +0530] "GET /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1" 115.242.84.242 - - [04/Oct/2012:23:05:30 +0530] "GET / HTTP/1.1" 200 795 "-" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1" 180.76.5.154 - - [04/Oct/2012:23:05:37 +0530] "GET /specials.php?osCsid=ujhk1q5fhefenp5mekcs4qfir7 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 115.242.84.242 - - [04/Oct/2012:23:05:38 +0530] "GET /admin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1" 180.76.6.223 - - [04/Oct/2012:23:05:43 +0530] "GET /account.php?osCsid=emfqribaugk49t5su80kkhg620 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.6.211 - - [04/Oct/2012:23:05:48 +0530] "GET /product_info.php?products_id=103&reviews_id=3&osCsid=g0ep264gq0mva7ve0e161r9n27 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.49 - - [04/Oct/2012:23:05:53 +0530] "GET /account.php?osCsid=foo52hbqdm2m79gidlvig761i2 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.6.213 - - [04/Oct/2012:23:12:27 +0530] "GET /images/indext.php?u=carpet-lexington-tx HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.50 - - [04/Oct/2012:23:12:51 +0530] "GET /account.php?osCsid=ho8f3jooc68lak1jgcf0nkjgh3 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.48 - - [04/Oct/2012:23:12:56 +0530] "GET /account.php?osCsid=km9epsimoi4e80m0utmgi5ebr3 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.6.212 - - [04/Oct/2012:23:13:01 +0530] "GET /account.php?osCsid=m45mn74186t2mc59u79ldk4314 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.6.36 - - [04/Oct/2012:23:13:06 +0530] "GET /account.php?osCsid=olppaft8rna7sa14jmjj453p54 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.195 - - [04/Oct/2012:23:19:59 +0530] "GET /conditions.php?osCsid=4of5shus77aue2dke2uf7n0226 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.6.232 - - [04/Oct/2012:23:20:05 +0530] "GET /advanced_search.php?osCsid=5ft2aqpljc0h5ol50okov96291 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.55 - - [04/Oct/2012:23:20:10 +0530] "GET /product_info.php?products_id=11?osCsid=lt0h55n0so83uf4rd0dcoctl46 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.63 - - [04/Oct/2012:23:20:15 +0530] "GET /advanced_search.php?osCsid=c3ado0c03b53h25lrao389rul6 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.52 - - [04/Oct/2012:23:26:30 +0530] "GET / HTTP/1.1" 200 795 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.65 - - [04/Oct/2012:23:26:38 +0530] "GET /specials.php?osCsid=opi1ctdlhkr68mj6qj9nppmkf0 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 208.88.17.190 - - [04/Oct/2012:23:27:00 +0530] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" 180.76.5.196 - - [04/Oct/2012:23:27:14 +0530] "GET /advanced_search.php?osCsid=lmji88qrfhrvgra4ja3ecensr3 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.190 - - [04/Oct/2012:23:27:19 +0530] "GET /advanced_search.php?osCsid=n2l8ffpm1s4p8qrj9d7uctk4q4 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.6.20 - - [04/Oct/2012:23:27:24 +0530] "GET /product_info.php?products_id=137?osCsid=6h8r8tc2polcmbf5gvfmnnka44 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.149 - - [04/Oct/2012:23:27:30 +0530] "GET /advanced_search.php?osCsid=nreopifsdcohp66ucv0p4qnq40 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.186 - - [04/Oct/2012:23:27:35 +0530] "GET /advanced_search.php?osCsid=q9pdaa39k8ci4m6u86snr9c8v4 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.157 - - [04/Oct/2012:23:34:24 +0530] "GET /conditions.php?osCsid=knvarthb4c56tc0c5agr041gv6 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.180 - - [04/Oct/2012:23:34:29 +0530] "GET /advanced_search.php?osCsid=s54ui0kd932jo5duo81h3oqk14 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.52 - - [04/Oct/2012:23:34:34 +0530] "GET /product_info.php?products_id=13?osCsid=nfk3cg92vvojreh91uq2i5dqj2 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.162 - - [04/Oct/2012:23:34:40 +0530] "GET /conditions.php?osCsid=2lutp4c30s41mb3spctff6l8m5 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 81.109.131.6 - - [04/Oct/2012:23:40:22 +0530] "GET / HTTP/1.1" 200 795 "http://www.google.co.uk/search?hl=en-GB&source=hp&q=bharuch+khajan&gbv=2&rlz=1R2DKUK_en&oq=bharuch+khajan&gs_l=heirloom-hp.3..0i10j0i30.194452.197385.0.197744.14.12.0.2.2.0.94.935.12.12.0...0.0...1c.1.Q0K0XRgZ1uo" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB7.4; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/2)" 81.109.131.6 - - [04/Oct/2012:23:40:23 +0530] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB7.4; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/2)" 81.109.131.6 - - [04/Oct/2012:23:40:23 +0530] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)" 81.109.131.6 - - [04/Oct/2012:23:40:41 +0530] "GET /index.php?cPath=2&osCsid=701d7bfe51662cd5f6f1aef7ea76349c HTTP/1.1" 404 - "http://www.google.co.uk/search?hl=en-GB&source=hp&q=bharuch+khajan&gbv=2&rlz=1R2DKUK_en&oq=bharuch+khajan&gs_l=heirloom-hp.3..0i10j0i30.194452.197385.0.197744.14.12.0.2.2.0.94.935.12.12.0...0.0...1c.1.Q0K0XRgZ1uo" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB7.4; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/2)" 81.109.131.6 - - [04/Oct/2012:23:40:48 +0530] "GET /contact_us.php HTTP/1.1" 404 - "http://www.google.co.uk/search?hl=en-GB&source=hp&q=bharuch+khajan&gbv=2&rlz=1R2DKUK_en&oq=bharuch+khajan&gs_l=heirloom-hp.3..0i10j0i30.194452.197385.0.197744.14.12.0.2.2.0.94.935.12.12.0...0.0...1c.1.Q0K0XRgZ1uo" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB7.4; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; BRI/2)" 180.76.5.147 - - [04/Oct/2012:23:41:30 +0530] "GET /conditions.php?osCsid=5ft2aqpljc0h5ol50okov96291 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.58 - - [04/Oct/2012:23:41:36 +0530] "GET /conditions.php?osCsid=7eph8t72r0lgq9il74o5l3qg80 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.97 - - [04/Oct/2012:23:41:41 +0530] "GET /product_info.php?products_id=143%3FosCsid%3Dbjknq8justejhspciv5pu2ocv7&osCsid=gcu5b1vfnph4eagvka4hd5ne80 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.65 - - [04/Oct/2012:23:41:46 +0530] "GET /conditions.php?osCsid=b2rcde2smavverljep5gvtm2b0 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.6.29 - - [04/Oct/2012:23:48:42 +0530] "GET /conditions.php?osCsid=q9pdaa39k8ci4m6u86snr9c8v4 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.166 - - [04/Oct/2012:23:48:47 +0530] "GET /conditions.php?osCsid=da2tph9vgrh3ktd515hc3mum40 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.172 - - [04/Oct/2012:23:48:52 +0530] "GET /conditions.php?osCsid=icvn1ophilgc38ibmtdvhp2a67 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.6.223 - - [04/Oct/2012:23:48:57 +0530] "GET /conditions.php?osCsid=k026eg13k6q13j1pu0vv9j8q44 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.6.231 - - [04/Oct/2012:23:55:56 +0530] "GET /conditions.php?osCsid=nkh29p2e9fd4bbr7043d4ki9k2 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.186 - - [04/Oct/2012:23:56:01 +0530] "GET /conditions.php?osCsid=onops6c17cq7bbofsgt28rbd55 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.192 - - [04/Oct/2012:23:56:06 +0530] "GET /product_info.php?products_id=148?osCsid=v3a3d1sv199gqr3ga5k3r0eqm7 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 180.76.5.175 - - [04/Oct/2012:23:56:11 +0530] "GET /conditions.php?osCsid=s54ui0kd932jo5duo81h3oqk14 HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" This issue is with this domain only, also there are files as mentioned in the mail in /tmp dir, but exploits are quarantined by CXS. I have also deleted the files from /tmp but that does not helped.

Posted by Ramprage, 10-04-2012, 02:37 PM
What version of osCommerce are you using? It's probably and outdated version that needs patching.

Posted by www_webhost, 10-04-2012, 02:46 PM
we have terminated the entire account and just setup a blank account now it no OScom related file just 1 index.html file to display website under construction. Right now i have even terminated the account from server to see that even if now hacker can upload the exploit or not.

Posted by steven99, 10-04-2012, 05:09 PM
Was there an error document setup that went to a php or other cgi file? What could happen here is that cxs sees the post of a attempt to file upload and as the file doesn't exist, it goes to 404 handler which then cxs sees as an upload and it is blocked. Does the file at /quarantinefolder/nobody/20121004-224410-UG3D4myj18IAADxvHjcAAAAK-file-b1Q37H.1349370850_1 exist at all? If so, can you tell what the script is doing? (Don't post it here) If you can see what it is doing, it may lead you down a path to see other items.



Was this answer helpful?

Add to Favourites Add to Favourites    Print this Article Print this Article

Also Read
lighttpd and rails (Views: 237)