e107help.org Q&A

Not so much a question as a warning. Last week my site OSL282 was compromised in that the front page displayed lots of weird characters and not the actual homepage. I was away from home so couldn't check it out either.

I eventually traced it to a file 'e2.php' that was uploaded on 8th November, then a 76 MB folder called 'xpqo' uploaded on 9th November, which had 2 subfolders with files that looked like 'cache' files.

I don't know how the file and folders got there, as there is only Main Admin access on the site with no user registration available, but I have deleted them and changed all passwords, including the server login.

Yes, I could update to v2.0, but I have no real need of all the new features on what is effectively a static site.

Worst part, my host says they don't have logs to check where the rogue files could have come from...

Anyone out there using v1.0.4, be aware of what to look for if you encounter problems. Does anyone have any more info on this?

EDIT: forgot to add that the server is running on PHP 5.6.22

e107 version 1.0.4
closed with the note: Resolved my individual issue
in Core by (18 points)
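The post above found the rogue e2.php and xpqo/ only after the front page broke. An added example (not e107 code, and not the poster's own method) of the check that would have surfaced them the day they landed: snapshot every file under the web root as path -> SHA-256, keep that manifest outside the web root, and diff a fresh snapshot against it. The directory layout in demo() is constructed, and the file contents it writes are placeholders.

```python
"""Baseline-and-diff check for a web root.

Added example, not e107 code: snapshot every file under the web root
(relative path -> SHA-256), save it as a JSON manifest, and later diff a
fresh snapshot against it so that files nobody uploaded on purpose (an
e2.php at the root, a whole xpqo/ tree) show up when they appear rather
than when the front page breaks.  The layout in demo() is constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict:
    """Map each file under root (POSIX relative path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest: dict, path: str) -> None:
    """Persist the baseline outside the web root: whoever can write into the
    web root could otherwise edit the baseline as well."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: str) -> dict:
    return json.loads(Path(path).read_text())


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_additions(diff: dict, baseline: dict) -> list:
    """Pick out the added files that need a look first: any new .php file,
    and any top-level directory that did not exist in the baseline."""
    known_dirs = {p.split("/", 1)[0] for p in baseline if "/" in p}
    flagged, new_dirs = [], set()
    for p in diff["added"]:
        if p.lower().endswith(".php"):
            flagged.append(p)
        if "/" in p:
            top = p.split("/", 1)[0]
            if top not in known_dirs and top not in new_dirs:
                new_dirs.add(top)
                flagged.append(top + "/")
    return flagged


def demo() -> dict:
    """Constructed walk-through: snapshot a tiny site, then add the kind of
    files the post describes finding, and diff the two snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        (root / "e107_files" / "cache").mkdir(parents=True)
        (root / "index.php").write_text("<?php // front page (constructed)\n")
        (root / "e107_files" / "cache" / "nomad.txt").write_text("cache\n")
        save_manifest(build_manifest(str(root)), str(Path(tmp) / "baseline.json"))

        # Later snapshot: a script nobody uploaded, a new folder tree, and a
        # changed front page (the symptom the post started with).  Contents
        # are placeholders, not the real files.
        (root / "e2.php").write_text("<?php // placeholder\n")
        (root / "xpqo" / "a").mkdir(parents=True)
        (root / "xpqo" / "a" / "read.php").write_text("<?php // placeholder\n")
        (root / "index.php").write_text("<?php // altered (constructed)\n")

        baseline = load_manifest(str(Path(tmp) / "baseline.json"))
        result = diff_manifest(baseline, build_manifest(str(root)))
        result["flagged"] = suspicious_additions(result, baseline)
        return result


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Run build_manifest once on a known-good install (right after a clean update is the ideal moment) and diff on a schedule; a site that is "effectively static", as the poster describes, should produce an empty diff almost every time, which is what makes a non-empty one worth reading.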

1 Answer


Hey C6Dave, yes. Thanks for posting (will keep an eye out).
Do you have no Admin or cPanel log system that records errors and so on? Maybe in those listings you could find a POST command.... (just an idea)

by (3.3k points)
Finally found a way to generate a log going back 30 days, and e2.php first appeared on 8/11 as follows:


08/11/17

osl282.info 77.45.254.57 - - [08/Nov/2017:10:56:36 +0000] "GET /e2.php HTTP/1.1" 200 51984 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" 77.45.254.57
osl282.info 77.45.254.57 - - [08/Nov/2017:10:56:48 +0000] "POST /e2.php HTTP/1.1" 200 10540 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" 77.45.254.57
osl282.info 77.45.254.57 - - [08/Nov/2017:10:56:56 +0000] "POST /e2.php HTTP/1.1" 200 21241 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" 77.45.254.57

09/11/17

osl282.info 89.208.212.74 - - [09/Nov/2017:16:44:43 +0000] "GET /e2.php HTTP/1.1" 200 52486 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:00 +0000] "POST /e2.php HTTP/1.1" 200 52486 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:06 +0000] "POST /e2.php HTTP/1.1" 200 9717 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:13 +0000] "POST /e2.php HTTP/1.1" 200 10377 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:19 +0000] "POST /e2.php HTTP/1.1" 200 11025 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:26 +0000] "GET /xpqo/system.php?ar=34esd23.zip HTTP/1.1" 200 272 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:32 +0000] "GET /xpqo/read.php?hl=News HTTP/1.1" 200 7513 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:37 +0000] "POST /e2.php HTTP/1.1" 200 13337 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:46 +0000] "POST /e2.php HTTP/1.1" 200 12045 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:50 +0000] "POST /e2.php HTTP/1.1" 200 10715 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
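The answer above suggested looking through the listings for a POST command; the log just posted is exactly the kind of input that search runs over. As an added example (not e107 code and not the poster's own analysis), a parser for the vhost-prefixed combined format shown above and a review pass that answers the first three questions a defender asks: when was each path first requested and from which address, which PHP scripts that are not part of the site were requested at all, and who POSTed to them. SAMPLE_LOG mixes lines quoted from the comment above with two constructed benign lines (203.0.113.10 is a documentation address); KNOWN_SCRIPTS is an assumed list of the site's own scripts, to be replaced with the real install's file list.

```python
"""Review of a web-server access log for the signs shown in the post above.

Added example, not e107 code.  Parses vhost-prefixed combined-format lines
and reports first-seen time per path, PHP scripts outside the site's known
set, and POST requests to those scripts.  SAMPLE_LOG: lines quoted from the
post plus two constructed benign ones.  KNOWN_SCRIPTS: assumed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed list of scripts that legitimately exist on the site.
KNOWN_SCRIPTS = {"/index.php", "/news.php", "/e107_admin/admin.php"}

SAMPLE_LOG = """\
osl282.info 203.0.113.10 - - [07/Nov/2017:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (constructed)" 203.0.113.10
osl282.info 203.0.113.10 - - [07/Nov/2017:09:05:12 +0000] "POST /e107_admin/admin.php HTTP/1.1" 302 0 "http://osl282.info/e107_admin/admin.php" "Mozilla/5.0 (constructed)" 203.0.113.10
osl282.info 77.45.254.57 - - [08/Nov/2017:10:56:36 +0000] "GET /e2.php HTTP/1.1" 200 51984 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" 77.45.254.57
osl282.info 77.45.254.57 - - [08/Nov/2017:10:56:48 +0000] "POST /e2.php HTTP/1.1" 200 10540 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" 77.45.254.57
osl282.info 77.45.254.57 - - [08/Nov/2017:10:56:56 +0000] "POST /e2.php HTTP/1.1" 200 21241 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" 77.45.254.57
osl282.info 89.208.212.74 - - [09/Nov/2017:16:44:43 +0000] "GET /e2.php HTTP/1.1" 200 52486 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:00 +0000] "POST /e2.php HTTP/1.1" 200 52486 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:06 +0000] "POST /e2.php HTTP/1.1" 200 9717 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:26 +0000] "GET /xpqo/system.php?ar=34esd23.zip HTTP/1.1" 200 272 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:32 +0000] "GET /xpqo/read.php?hl=News HTTP/1.1" 200 7513 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
osl282.info 89.208.212.74 - - [09/Nov/2017:16:45:37 +0000] "POST /e2.php HTTP/1.1" 200 13337 "http://osl282.info/e2.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1" 89.208.212.74
""".splitlines()


def parse_line(line: str) -> Optional[dict]:
    """One log line -> dict of fields, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def review(lines, known_scripts) -> dict:
    """First-seen time per path, unknown PHP scripts, and POSTs to them."""
    first_seen = {}                      # path -> (datetime, ip)
    unexpected_posts = defaultdict(int)  # (ip, path) -> count
    unknown = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                     # skip lines in another format
        path = rec["path"]
        if path not in first_seen or rec["ts"] < first_seen[path][0]:
            first_seen[path] = (rec["ts"], rec["ip"])
        if path.lower().endswith(".php") and path not in known_scripts:
            unknown.add(path)
            if rec["method"] == "POST":
                unexpected_posts[(rec["ip"], path)] += 1
    return {
        "first_seen": {p: (ts.isoformat(), ip) for p, (ts, ip) in first_seen.items()},
        "unknown_paths": sorted(unknown),
        "unexpected_posts": dict(unexpected_posts),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG, KNOWN_SCRIPTS)
    for path in report["unknown_paths"]:
        ts, ip = report["first_seen"][path]
        print(f"{path}: first requested {ts} from {ip}")
    for (ip, path), n in sorted(report["unexpected_posts"].items()):
        print(f"{n} POST(s) to {path} from {ip}")
```

On the lines above this singles out /e2.php, /xpqo/system.php and /xpqo/read.php, with /e2.php first requested at 10:56:36 on 8 November, which agrees with the upload date the poster found. The first-seen entry is the useful one when, as here, the host keeps no upload record: the earliest request for a file that should not exist is an upper bound on when it arrived, and the log lines just before it on the same address are where to look for how.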

The first, 77.45.254.57, is also RU-based (DSL IP) (day 08).

The second, 89.208.212.74, is also located in ..., Russian Federation and belongs to DINET-AS, RU. It reroutes to the Virgin Islands (day 09).

However, these might be used as an overlay. (Likely Chrome-based/KHTML browsers (2 versions) were used, with Windows 7 or Windows Server 2008 in use.)

What worries me is the POST command: why does your host/site allow this (e.g. owner rights, as POST is a common command)? I think some shell or the like is in use.
(Note: all this information is freely available and in no way means the IPs listed are the actual ones that were in use; spoofing etc. may have happened.)

Yes, I saw the RU domains but, like you, felt they are 'spoofed'.

A bit more digging found via Google Console that the rogue directories contained hundreds of links to other sites; basically it made the site a 'link farm'.

I used some of the old 'site hardening' code to redirect some of the cr*p to the users desktop....

An oldie (had to search; not supported anymore I think, but it helped me years ago). Since the attack is likely aimed at older systems it might be of use: CrawlProtect and of course ZB Block (fight old with old; sometimes it works well, but do not tell around how you did things...).
