I downloaded it and Windows Defender immediately fired off a virus warning.
I logged into CMSMS admin and I could see it was uploaded via File Manager.
Apache showed the login attempts from a German IP address, Deutsche Telekom AG (I'm in the UK). The user-agent shows "Windows NT 6.1" (Vista), so almost certainly a virus bot at work.
The first login attempt in the admin log failed; Apache said:
www.m.co.uk 79.199.215.??? - - [23/Jul/2019:15:17:19 +0100] "POST /admin/login.php HTTP/1.1" 200 5067 "https://www.m.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" 79.199.215.???
www.m.co.uk 79.199.215.??? - - [23/Jul/2019:15:18:28 +0100] "POST /admin/login.php HTTP/1.1" 302 - "https://www.m.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" 79.199.215.???
www.m.co.uk 79.199.215.??? - - [23/Jul/2019:15:18:28 +0100] "POST /admin/login.php HTTP/1.1" 302 - "https://www.m.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" 79.199.215.???
My password is very strong, so any ideas how they got in?
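Added example, not part of the original post: one way to triage an Apache access log in the vhost-prefixed combined format quoted above, counting login POSTs per client IP and listing addresses outside a known-admin set that obtained a successful login. It assumes, as the quoted lines suggest, that a 200 response to a POST on /admin/login.php is a failed attempt and a 302 is a successful one; the host name, IP addresses and log lines in SAMPLE are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# vhost-prefixed combined log format, matching the lines quoted in the post
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
LOGIN_PATH = "/admin/login.php"

def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def login_summary(lines):
    """Per client IP: failed (200) and successful (302) login POSTs.
    Assumption: 200 = login form re-rendered, 302 = redirect after login."""
    out = defaultdict(lambda: {"failed": 0, "ok": 0, "first_ok": None})
    for rec in filter(None, map(parse, lines)):
        if rec["method"] != "POST" or rec["path"].split("?")[0] != LOGIN_PATH:
            continue
        entry = out[rec["ip"]]
        if rec["status"] == 302:
            entry["ok"] += 1
            entry["first_ok"] = entry["first_ok"] or rec["ts"]
        elif rec["status"] == 200:
            entry["failed"] += 1
    return dict(out)

def suspicious(summary, known_ips):
    """IPs outside the admin's known set that logged in successfully."""
    return sorted(ip for ip, s in summary.items() if s["ok"] and ip not in known_ips)

# Constructed sample lines (documentation addresses, not from the post)
_TAIL = '"https://www.example.test/admin/login.php" "Mozilla/5.0"'
SAMPLE = [
    f'www.example.test 198.51.100.20 - - [23/Jul/2019:09:02:11 +0100] "POST /admin/login.php HTTP/1.1" 302 - {_TAIL} 198.51.100.20',
    f'www.example.test 203.0.113.7 - - [23/Jul/2019:15:17:10 +0100] "GET /admin/login.php HTTP/1.1" 200 5067 {_TAIL} 203.0.113.7',
    f'www.example.test 203.0.113.7 - - [23/Jul/2019:15:17:19 +0100] "POST /admin/login.php HTTP/1.1" 200 5067 {_TAIL} 203.0.113.7',
    f'www.example.test 203.0.113.7 - - [23/Jul/2019:15:18:28 +0100] "POST /admin/login.php HTTP/1.1" 302 - {_TAIL} 203.0.113.7',
]

if __name__ == "__main__":
    print(suspicious(login_summary(SAMPLE), known_ips={"198.51.100.20"}))
```

The `first_ok` timestamp per address gives a starting point for reviewing the admin log and File Manager activity that followed.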