Good evening, dear forum members!
The other day my hosting provider suspended the site, and an e-mail arrived saying "Your site has been compromised and has become a source of spam".
The first thing I did was download a backup of the site to my computer; when I scanned it with NOD, a malicious file "ccs.php" (the PHP/WebShell.NAG trojan) turned up at /templates/ccs.php. I searched access_log for that file and for everything this IP did, and found these lines:
193.110.73.2 - - [22/Mar/2014:22:21:54 +0400] "GET / HTTP/1.0" 200 88784 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; WebMoney Advisor; MRA 5.0 (build 02094); MRSPUTNIK 2, 0, 0, 20 SW)"
193.110.73.2 - - [22/Mar/2014:22:21:59 +0400] "GET /templates/bizblue/favicon.ico HTTP/1.0" 200 1685 "-" "-"
193.110.73.2 - - [30/Mar/2014:01:05:33 +0400] "GET /engine/classes/min/index.php?f=engine/data/dbconfig.php%00.js HTTP/1.0" 404 569 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0"
193.110.73.2 - - [01/Apr/2014:11:53:58 +0400] "POST /index.php HTTP/1.0" 200 144867 "http://mywebsite.ru/index.php" "Python-urllib/2.7"
193.110.73.2 - - [01/Apr/2014:11:54:00 +0400] "POST /index.php HTTP/1.0" 200 159 "http://mywebsite.ru/index.php" "Python-urllib/2.7"
193.110.73.2 - - [01/Apr/2014:11:54:01 +0400] "GET /templates/ccs.php?input HTTP/1.0" 200 13105 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
193.110.73.2 - - [01/Apr/2014:12:32:40 +0400] "POST /templates/ccs.php?input HTTP/1.0" 200 13105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)"
193.110.73.2 - - [01/Apr/2014:12:32:40 +0400] "POST /templates/ccs.php?input HTTP/1.0" 200 26457 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)"
193.110.73.2 - - [01/Apr/2014:12:32:40 +0400] "POST /templates/ccs.php?input HTTP/1.0" 200 16718 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)"
193.110.73.2 - - [01/Apr/2014:12:32:40 +0400] "POST /templates/ccs.php?input HTTP/1.0" 200 7628 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)"
193.110.73.2 - - [01/Apr/2014:12:32:40 +0400] "POST /templates/ccs.php?input HTTP/1.0" 200 7628 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)"
193.110.73.2 - - [01/Apr/2014:12:32:40 +0400] "POST /templates/ccs.php?input HTTP/1.0" 200 7628 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)"
In error_log this IP generated a pile of errors:
[Sun Jan 19 01:50:30 2014] [error] [client 193.110.73.2] File does not exist: /var/www/vhosts/mywebsite.ru/httpdocs/backup, referer: http://bing.com
[Sun Jan 19 01:50:30 2014] [error] [client 193.110.73.2] File does not exist: /var/www/vhosts/mywebsite.ru/error_docs/not_found.html, referer: http://bing.com
[Sun Jan 19 01:50:30 2014] [error] [client 193.110.73.2] File does not exist: /var/www/vhosts/mywebsite.ru/httpdocs/backups, referer: http://google.com
[Sun Jan 19 01:50:30 2014] [error] [client 193.110.73.2] File does not exist: /var/www/vhosts/mywebsite.ru/error_docs/not_found.html, referer: http://google.com
[Sun Jan 19 01:50:30 2014] [error] [client 193.110.73.2] File does not exist: /var/www/vhosts/mywebsite.ru/httpdocs/admin, referer: http://yandex.ru
[Sun Jan 19 01:50:30 2014] [error] [client 193.110.73.2] File does not exist: /var/www/vhosts/mywebsite.ru/error_docs/not_found.html, referer: http://yandex.ru
[Sun Jan 19 14:18:34 2014] [error] [client 193.110.73.2] File does not exist: /var/www/vhosts/mywebsite.ru/httpdocs/plugins/editors/tinymce/jscripts
[Sun Jan 19 14:18:34 2014] [error] [client 193.110.73.2] File does not exist: /var/www/vhosts/mywebsite.ru/error_docs/not_found.html
[Sun Jan 19 15:29:39 2014] [error] [client 193.110.73.2] File does not exist: /var/www/vhosts/mywebsite.ru/httpdocs/phpMyAdmin
[Sun Jan 19 15:29:39 2014] [error] [client 193.110.73.2] File does not exist: /var/www/vhosts/mywebsite.ru/error_docs/not_found.html
[Thu Mar 06 07:39:52 2014] [warn] [client 193.110.73.2] mod_fcgid: stderr: PHP Fatal error: Uncaught exception 'InvalidArgumentException' with message 'Invalid URI detected.' in /var/www/vhosts/mywebsite.ru/httpdocs/libraries/joomla/environment/uri.php:194
[Thu Mar 06 07:39:52 2014] [warn] [client 193.110.73.2] mod_fcgid: stderr: Stack trace:
[Thu Mar 06 07:39:52 2014] [warn] [client 193.110.73.2] mod_fcgid: stderr: #0 /var/www/vhosts/mywebsite.ru/httpdocs/libraries/joomla/environment/uri.php(238): JURI::getInstance()
[Thu Mar 06 07:39:52 2014] [warn] [client 193.110.73.2] mod_fcgid: stderr: #1 /var/www/vhosts/mywebsite.ru/httpdocs/libraries/joomla/environment/uri.php(277): JURI::base()
[Thu Mar 06 07:39:52 2014] [warn] [client 193.110.73.2] mod_fcgid: stderr: #2 /var/www/vhosts/mywebsite.ru/httpdocs/plugins/system/azrul.system/pc_includes/helper.php(16): JURI::root()
[Thu Mar 06 07:39:52 2014] [warn] [client 193.110.73.2] mod_fcgid: stderr: #3 /var/www/vhosts/mywebsite.ru/httpdocs/plugins/system/azrul.system/azrul.system.php(25): include_once('/var/www/vhosts...')
[Thu Mar 06 07:39:52 2014] [warn] [client 193.110.73.2] mod_fcgid: stderr: #4 /var/www/vhosts/mywebsite.ru/httpdocs/libraries/joomla/plugin/helper.php(171): require_once('/var/www/vhosts...')
[Thu Mar 06 07:39:52 2014] [warn] [client 193.110.73.2] mod_fcgid: stderr: #5 /var/www/vhosts/mywebsite.ru/httpdocs/libraries/joomla/plugin/helper.php(125): JPluginHelper::_import(Object(stdClass), true, NULL)
[Thu Mar 06 07:39:52 2014] [warn] [client 193.110.73.2] mod_fcgid: stderr: #6 /var/www/vhosts/mywebsite.ru/httpdocs/libraries/joomla/application/application.php(229): JPluginHelper::importPlugin('system')
[Thu Mar 06 07:39:52 2014] [warn] [client 193.110.73.2] mod_fcgid: stderr: #7 /var/www/vhosts/mywebsite.ru/httpdocs/incl in /var/www/vhosts/mywebsite.ru/httpdocs/libraries/joomla/environment/uri.php on line 194
[Sun Mar 30 01:05:33 2014] [error] [client 193.110.73.2] File does not exist: /var/www/vhosts/mywebsite.ru/httpdocs/engine
[Sun Mar 30 01:05:33 2014] [error] [client 193.110.73.2] File does not exist: /var/www/vhosts/mywebsite.ru/error_docs/not_found.html
The FTP authorization logs contain only my IP.
I'll let you in on a secret: the site has 2 paid components installed that have not been updated for a very long time, JomSocial and EasyBlog.
Still, un-updated components aside, is it possible to tell from the logs how the file ccs.php was uploaded?
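To reconstruct a timeline from access_log lines like those above, here is an added Python example (written for this thread, not the poster's code and not part of Joomla or any hosting tool). It parses Apache combined-format lines, finds the first request for a given webshell path, and lists what the same IP did in the minutes before it, which is where an upload vector such as an exploited POST endpoint would show up; the sample lines are taken from the post plus one constructed unrelated IP, and the shell path and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" access_log format (regex written for this example; it
# matches the lines quoted in the post above).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]   # drop the query string (?input)
    return e

def find_upload_window(lines, shell_path, window=timedelta(minutes=5)):
    """Return (first_hit, preceding): the first request for the webshell path and
    every request from the same IP inside `window` before it."""
    entries = [e for e in map(parse_line, lines) if e]
    hits = [e for e in entries if e["path"] == shell_path]
    if not hits:
        return None, []
    first = min(hits, key=lambda e: e["ts"])
    preceding = [e for e in entries if e["ip"] == first["ip"]
                 and first["ts"] - window <= e["ts"] < first["ts"]]
    return first, preceding

def scripted(entry):
    """True if the User-Agent looks like a script rather than a browser."""
    return any(t in entry["ua"].lower() for t in ("python-urllib", "curl", "wget", "libwww"))

# Constructed sample: lines quoted in the post above, plus one unrelated IP (203.0.113.9).
SAMPLE_LOG = """\
193.110.73.2 - - [22/Mar/2014:22:21:54 +0400] "GET / HTTP/1.0" 200 88784 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.9 - - [01/Apr/2014:11:53:00 +0400] "GET /index.php HTTP/1.1" 200 88784 "-" "Mozilla/5.0"
193.110.73.2 - - [01/Apr/2014:11:53:58 +0400] "POST /index.php HTTP/1.0" 200 144867 "http://mywebsite.ru/index.php" "Python-urllib/2.7"
193.110.73.2 - - [01/Apr/2014:11:54:00 +0400] "POST /index.php HTTP/1.0" 200 159 "http://mywebsite.ru/index.php" "Python-urllib/2.7"
193.110.73.2 - - [01/Apr/2014:11:54:01 +0400] "GET /templates/ccs.php?input HTTP/1.0" 200 13105 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
193.110.73.2 - - [01/Apr/2014:12:32:40 +0400] "POST /templates/ccs.php?input HTTP/1.0" 200 13105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1"
""".splitlines()

if __name__ == "__main__":
    first, before = find_upload_window(SAMPLE_LOG, "/templates/ccs.php")
    print("first webshell hit:", first["ts"], first["ip"], first["ua"])
    for e in before:
        print("  preceded by:", e["ts"], e["method"], e["path"], "scripted" if scripted(e) else "browser")
```

On the sample, the two scripted POSTs to /index.php one to three seconds before the first GET of ccs.php are the requests to inspect first; the same function run over the full access_log (and the same IP's error_log entries) shows whether anything else from that address landed in the window.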