Security hole in 1.11.4?

Dutch support for CMS Made Simple

Moderator: velden

hendrik
Forum Members
Posts: 133
Joined: Tue Dec 01, 2009 4:47 pm

Security hole in 1.11.4?

Post by hendrik »

To my great surprise ??? I received today, for several accounts, a notification from my hosting provider that spam is being sent via my accounts.
On checking the root of various domains I found an unknown php file that the hackers had apparently managed to place there.
I always deliberately keep my cmsms installations up to date, and yet there must be a hole somewhere.
Here is the content of the php file, originating from the Russian Federation.
(image: 001.jpg)
Below, how the hack file was placed in the root.
(image: hack ds.jpg)

The attack looks as follows in the stats:

Code:

31.184.244.18 - - [19/Feb/2013:11:18:26 +0100] "POST /.4a4d.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:26 +0100] "POST /.4a4d.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:26 +0100] "POST /.4a4d.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:26 +0100] "POST /.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:26 +0100] "POST /.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /backups/.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /backups/.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /backups/.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /.890c.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /.890c.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:28 +0100] "POST /.890c.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:28 +0100] "POST /domains/.890c.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:28 +0100] "POST /domains/.890c.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:28 +0100] "POST /domains/.890c.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:28 +0100] "POST /.951a.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:28 +0100] "POST /.951a.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:29 +0100] "POST /.951a.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:29 +0100] "POST /imap/.951a.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:29 +0100] "POST /imap/.951a.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:29 +0100] "POST /imap/.951a.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:29 +0100] "POST /.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:29 +0100] "POST /.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/ mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/ mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/ mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:31 +0100] "POST / mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:31 +0100] "POST / mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:31 +0100] "POST / mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:31 +0100] "POST /.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:31 +0100] "POST /.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:31 +0100] "POST /.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST /imap/ mijndomein.nl/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST /imap/ mijndomein.nl/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST /imap/ mijndomein.nl/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST /imap/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST /imap/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST /imap/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST / mijndomein.nl/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:33 +0100] "POST / mijndomein.nl/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:33 +0100] "POST / mijndomein.nl/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:33 +0100] "POST /.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:33 +0100] "POST /.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:33 +0100] "POST /.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:33 +0100] "POST /domains/ mijndomein.nl/awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/ mijndomein.nl/awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/ mijndomein.nl/awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/ mijndomein.nl/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/ mijndomein.nl/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/ mijndomein.nl/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST /domains/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST / mijndomein.nl/awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST / mijndomein.nl/awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST / mijndomein.nl/awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST /awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST /awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST /awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:36 +0100] "POST /.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:36 +0100] "POST /.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:36 +0100] "POST /.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:36 +0100] "POST /domains/ mijndomein.nl/logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:36 +0100] "POST /domains/ mijndomein.nl/logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:36 +0100] "POST /domains/ mijndomein.nl/logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST /domains/ mijndomein.nl/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST /domains/ mijndomein.nl/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST /domains/ mijndomein.nl/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST /domains/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST /domains/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST /domains/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST / mijndomein.nl/logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:38 +0100] "POST / mijndomein.nl/logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:38 +0100] "POST / mijndomein.nl/logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:38 +0100] "POST /logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:38 +0100] "POST /logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:38 +0100] "POST /logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:38 +0100] "POST /.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /domains/ mijndomein.nl/private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /domains/ mijndomein.nl/private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /domains/ mijndomein.nl/private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /domains/ mijndomein.nl/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /domains/ mijndomein.nl/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST /domains/ mijndomein.nl/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST /domains/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST /domains/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST /domains/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST / mijndomein.nl/private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST / mijndomein.nl/private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST / mijndomein.nl/private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:41 +0100] "POST /private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:41 +0100] "POST /private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:41 +0100] "POST /private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:41 +0100] "POST /.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:41 +0100] "POST /.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:41 +0100] "POST /.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/ mijndomein.nl/public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/ mijndomein.nl/public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/ mijndomein.nl/public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/ mijndomein.nl/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/ mijndomein.nl/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/mijndomein.nl/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST /domains/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST /domains/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST / domein.nl/public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST / domein.nl/public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST /domein.nl/public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST /public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST /public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:44 +0100] "POST /public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:44 +0100] "POST /.86be.php HTTP/1.1" 200 60325 "-" "-"
Attachment: hack ww.jpg
Last edited by hendrik on Sat Feb 23, 2013 8:12 pm, edited 4 times in total.
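A defender's way of turning the pattern visible in that log into a detection, added here as an example and not part of hendrik's post: it parses Apache combined-log lines, counts per client IP the POST requests to hidden hex-named .php paths that got a 404 (the scanner guessing), and reports any such path that answered 200, which is a file that really exists on disk and should be inspected at once (as /.86be.php does above). The sample log lines, the IP addresses and the domain example.nl are constructed.

```python
import re
from collections import defaultdict

# One Apache combined-log line, in the layout of the stats excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Hidden PHP file with a hex name, e.g. /.4a4d.php or /backups/.cd34.php
HIDDEN_PHP_RE = re.compile(r'(^|/)\.[0-9a-f]+\.php$')

def parse_line(line):
    """Return a dict with ip, ts, method, path, status, size, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].strip()   # the excerpt has paths with a stray space
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def find_backdoor_probes(lines, min_misses=3):
    """Per client IP, count POSTs to hidden hex-named .php paths that got a
    404 (probing) and collect those that got a 200 (the file exists on disk).
    An IP is reported when it probed at least min_misses paths or hit one."""
    per_ip = defaultdict(lambda: {"misses": 0, "hits": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not HIDDEN_PHP_RE.search(rec["path"]):
            continue
        entry = per_ip[rec["ip"]]
        if rec["status"] == 404:
            entry["misses"] += 1
        elif rec["status"] == 200:
            entry["hits"].append((rec["path"], rec["size"]))
    return {ip: e for ip, e in per_ip.items()
            if e["misses"] >= min_misses or e["hits"]}

# Constructed sample in the page's log format (not taken from the post).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Feb/2013:11:18:26 +0100] "POST /.4a4d.php HTTP/1.1" 404 590 "-" "-"',
    '203.0.113.5 - - [19/Feb/2013:11:18:27 +0100] "POST /backups/.4b84.php HTTP/1.1" 404 590 "-" "-"',
    '203.0.113.5 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/ example.nl/.d514.php HTTP/1.1" 404 590 "-" "-"',
    '203.0.113.5 - - [19/Feb/2013:11:18:33 +0100] "POST /awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"',
    '203.0.113.5 - - [19/Feb/2013:11:18:44 +0100] "POST /.86be.php HTTP/1.1" 200 60325 "-" "-"',
    '198.51.100.7 - - [19/Feb/2013:11:19:01 +0100] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Feb/2013:11:19:02 +0100] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, e in find_backdoor_probes(SAMPLE_LOG).items():
        print(ip, "probed", e["misses"], "missing paths; existing files:", e["hits"])
```

Run it over the real access log (one line per list entry) and treat every reported hit as a file to quarantine and hash, not just delete, so the infection vector can still be traced.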
boschie

Re: Security hole in 1.11.4?

Post by boschie »

Are you sure it has to come from CMS Made Simple?

I once had a server hacked through an outdated Plesk version.

The files do not necessarily have to have come in through the cms.

Kind regards,
boschie

(edit: added the word "niet")
Last edited by boschie on Sat Feb 23, 2013 7:33 pm, edited 2 times in total.
hendrik
Forum Members
Posts: 133
Joined: Tue Dec 01, 2009 4:47 pm

Re: Security hole in 1.11.4?

Post by hendrik »

boschie wrote:Are you sure it has to come from CMS Made Simple?

I once had a server hacked through an outdated Plesk version.

The files by definition have to have come in through the cms.

Kind regards,
boschie
Hi,

Well, in my opinion my provider has its affairs well in order,
Webruimtehosting.nl .
But then, nothing can be ruled out.
I'm curious whether there are more cmsms users running with this provider and whether they have been affected too.
velden
Dev Team Member
Posts: 3497
Joined: Mon Nov 28, 2011 9:29 am

Re: Security hole in 1.11.4?

Post by velden »

You would rather want to know whether there are other, NON-cmsms users at the same provider who have ALSO been affected. With that you can more or less rule out cmsms.

Or other cmsms users at a different provider who are affected too. And then, indeed, also compare the versions of the admin tools etc. that the provider offers.
hendrik
Forum Members
Posts: 133
Joined: Tue Dec 01, 2009 4:47 pm

Re: Security hole in 1.11.4?

Post by hendrik »

velden wrote:You would rather want to know whether there are other, NON-cmsms users at the same provider who have ALSO been affected. With that you can more or less rule out cmsms.

Or other cmsms users at a different provider who are affected too. And then, indeed, also compare the versions of the admin tools etc. that the provider offers.
Hi, yes, that's exactly it.

I have removed the files, but the cause of the spam files ending up in the root of the sites has not been found yet.
So they could be back again at any moment.

regards, Hendrik
staartmees
Power Poster
Posts: 1049
Joined: Wed Mar 19, 2008 4:54 pm

Re: Security hole in 1.11.4?

Post by staartmees »

Googling for "vulnerability Webruimtehosting.nl" shows that this provider does turn up quite regularly in connection with spam and other unwanted files.