Hi,
Do you still have the files? Have you involved your security team/contacts?
These are clear indications of a compromised system, and I've recently seen carding gangs becoming more aware of i systems in various other locations.
You should probably get outside help.
/y
On 08/08/2023, 10:08, "MIDRANGE-L on behalf of Don Brown via MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx on behalf of midrange-l@xxxxxxxxxxxxxxxxxx> wrote:
Hi team - I need some help!
I discovered some directories in the IFS that were not there yesterday.
We are using PHP Zend server 7 to provide a web portal for our
application.
Today I found directories in /www/zendphp7/htdocs including
Object Type Owner Size Data
amzn.zip *STMF QTMHHTTP 3145728 Yes
amznbvn *DIR QTMHHTTP 8192 Yes
hehe.php *STMF QTMHHTTP 32768 Yes
hte.php *STMF QTMHHTTP 32768 Yes
subanus *DIR QTMHHTTP 8192 Yes
us.php *STMF QTMHHTTP 16384 Yes
xcbxcb *DIR QTMHHTTP 8192 Yes
on a system.
These are in the directory /www/zendphp7/htdocs/
The authorities are as follows.
Directory /www
*PUBLIC *RWX
QSYS *RWX
QTMHHTTP *RWX
Directory /www/zendphp7
*PUBLIC *EXCLUDE
QTMHHTTP *RWX
Directory /www/zendphp7/htdocs
*PUBLIC *EXCLUDE
QTMHHTTP *RX
I found in the access_log
host-156.210.234.190-static.tedata.net - - [08/Aug/2023:00:05:33 +1000] "GET //xcbxcb/all_result/FULLZ.HTML HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
156.210.190.234 - - [08/Aug/2023:00:05:35 +1000] "GET /favicon.ico HTTP/1.1" 404 196 "https://xxxxxxxaccounts.xxx.net.au//xcbxcb/all_result/FULLZ.HTML" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
156.210.190.234 - - [08/Aug/2023:00:19:18 +1000] "GET /hte.php?d=2f7777772f7a656e64706870372f6874646f63732f49544d41532f78636278636222f616c6c5f726573756c74 HTTP/1.1" 200 3371 "https://xxxxxxxaccounts.xxx.net.au/hte.php?d=2f7777772f7a656e64706870372f6874646f63732f49544d41532f7863627863622f616c6c5f726573756c74" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
And a whole heap more related messages.
I have blocked address 156.210.190.234 in the firewall - but I am sure
this is not a fix.
I have deleted the files and directories that were owned by QTMHHTTP above,
but I do not understand how these were installed, given that QTMHHTTP does not
have Write authority to the htdocs directory?
I do not know what security changes I should be implementing or where to
get the information on how to implement these changes.
Any suggestions gratefully appreciated.
Thanks
Don
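A defender-side triage of the kind of access_log lines quoted above, as an added example that is not part of the thread or of Zend Server: it parses combined-format lines, decodes the hex-encoded d= parameter that hte.php was called with, and flags requests that fall outside an allow-list of deployed content. The allow-list, the sample lines and the IP addresses are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Combined log format as written by the Apache-based Zend Server web server.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Hypothetical allow-list of top-level entries legitimately deployed in htdocs.
KNOWN_TOP = {"ITMAS", "index.php", "login.php", "favicon.ico"}

def decode_hex(value):
    """Return the printable ASCII behind a hex string (hte.php's d= style), else None."""
    try:
        text = bytes.fromhex(value).decode("ascii")
    except ValueError:
        return None
    return text if text and text.isprintable() else None

def triage(line, known=KNOWN_TOP):
    """Parse one access_log line and collect the indicators seen in the thread."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    path = re.sub(r"/{2,}", "/", path)            # '//xcbxcb/...' -> '/xcbxcb/...'
    top = path.lstrip("/").split("/", 1)[0]       # first path component under htdocs
    decoded = {k: decode_hex(v[0]) for k, v in parse_qs(query).items()}
    decoded = {k: v for k, v in decoded.items() if v is not None}
    findings = []
    if top and top not in known:
        findings.append("path outside deployed content")
        if path.lower().endswith(".php") and m.group("status") == "200":
            findings.append("unknown php script executed")
    if decoded:
        findings.append("hex-encoded parameter")
    return {"host": m.group("host"), "status": m.group("status"), "path": path,
            "decoded": decoded, "findings": findings}

# Constructed sample lines modelled on the thread's quotes; IPs from the documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Aug/2023:00:05:33 +1000] "GET //xcbxcb/all_result/FULLZ.HTML HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Aug/2023:00:19:18 +1000] "GET /hte.php?d=2f7777772f7a656e64706870372f6874646f63732f49544d41532f7863627863622f616c6c5f726573756c74 HTTP/1.1" 200 3371 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [08/Aug/2023:01:00:00 +1000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def suspicious_entries(lines=SAMPLE_LOG):
    """Return the parsed entries that carry at least one finding."""
    return [r for r in map(triage, lines) if r and r["findings"]]
```

Run against the real access_log, the decoded d= values show which IFS paths the dropped script was pointed at, which is the list to check for further staged files.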