
Security hole in 1.11.4?

Posted: Sat Feb 23, 2013 3:51 pm
by hendrik
To my great surprise, today I received notifications for several accounts from my hosting provider that spam is being sent via my accounts.
On checking the root of various domains I found an unknown PHP file that the hackers had apparently managed to place there.
I always deliberately keep my cmsms installations up to date, and yet there must be a hole somewhere.
Here is the content of the PHP file, originating from the Russian Federation.
(image: 001.jpg)
Below, how the hack file was placed in the root.
(image: hack ds.jpg)

The attack looks like this in the stats:


31.184.244.18 - - [19/Feb/2013:11:18:26 +0100] "POST /.4a4d.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:26 +0100] "POST /.4a4d.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:26 +0100] "POST /.4a4d.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:26 +0100] "POST /.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:26 +0100] "POST /.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /backups/.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /backups/.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /backups/.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /.890c.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /.890c.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:28 +0100] "POST /.890c.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:28 +0100] "POST /domains/.890c.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:28 +0100] "POST /domains/.890c.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:28 +0100] "POST /domains/.890c.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:28 +0100] "POST /.951a.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:28 +0100] "POST /.951a.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:29 +0100] "POST /.951a.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:29 +0100] "POST /imap/.951a.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:29 +0100] "POST /imap/.951a.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:29 +0100] "POST /imap/.951a.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:29 +0100] "POST /.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:29 +0100] "POST /.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/ mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/ mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/ mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:31 +0100] "POST / mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:31 +0100] "POST / mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:31 +0100] "POST / mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:31 +0100] "POST /.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:31 +0100] "POST /.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:31 +0100] "POST /.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST /imap/ mijndomein.nl/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST /imap/ mijndomein.nl/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST /imap/ mijndomein.nl/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST /imap/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST /imap/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST /imap/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:32 +0100] "POST / mijndomein.nl/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:33 +0100] "POST / mijndomein.nl/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:33 +0100] "POST / mijndomein.nl/.a0f0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:33 +0100] "POST /.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:33 +0100] "POST /.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:33 +0100] "POST /.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:33 +0100] "POST /domains/ mijndomein.nl/awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/ mijndomein.nl/awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/ mijndomein.nl/awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/ mijndomein.nl/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/ mijndomein.nl/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/ mijndomein.nl/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:34 +0100] "POST /domains/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST /domains/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST / mijndomein.nl/awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST / mijndomein.nl/awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST / mijndomein.nl/awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST /awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST /awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:35 +0100] "POST /awstats/.cd34.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:36 +0100] "POST /.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:36 +0100] "POST /.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:36 +0100] "POST /.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:36 +0100] "POST /domains/ mijndomein.nl/logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:36 +0100] "POST /domains/ mijndomein.nl/logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:36 +0100] "POST /domains/ mijndomein.nl/logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST /domains/ mijndomein.nl/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST /domains/ mijndomein.nl/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST /domains/ mijndomein.nl/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST /domains/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST /domains/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST /domains/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:37 +0100] "POST / mijndomein.nl/logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:38 +0100] "POST / mijndomein.nl/logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:38 +0100] "POST / mijndomein.nl/logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:38 +0100] "POST /logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:38 +0100] "POST /logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:38 +0100] "POST /logs/.a8d0.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:38 +0100] "POST /.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /domains/ mijndomein.nl/private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /domains/ mijndomein.nl/private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /domains/ mijndomein.nl/private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /domains/ mijndomein.nl/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:39 +0100] "POST /domains/ mijndomein.nl/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST /domains/ mijndomein.nl/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST /domains/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST /domains/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST /domains/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST / mijndomein.nl/private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST / mijndomein.nl/private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:40 +0100] "POST / mijndomein.nl/private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:41 +0100] "POST /private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:41 +0100] "POST /private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:41 +0100] "POST /private_html/.e096.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:41 +0100] "POST /.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:41 +0100] "POST /.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:41 +0100] "POST /.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/ mijndomein.nl/public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/ mijndomein.nl/public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/ mijndomein.nl/public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/ mijndomein.nl/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/ mijndomein.nl/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/mijndomein.nl/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:42 +0100] "POST /domains/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST /domains/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST /domains/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST / domein.nl/public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST / domein.nl/public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST /domein.nl/public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST /public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:43 +0100] "POST /public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:44 +0100] "POST /public_ftp/.2b4f.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:44 +0100] "POST /.86be.php HTTP/1.1" 200 60325 "-" "-"
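The log above shows one source address blindly POSTing to dotfile-named PHP scripts (.4a4d.php, .4b84.php, and so on) in a fixed list of likely directories, three times each, with no Referer and no User-Agent. Every request returns 404 until /.86be.php answers 200 with a 60 KB body, which is the point where a file with that name exists and executes. As an added example that is not part of the original post or of CMS Made Simple, here is a small Python script that parses Apache combined-format lines and flags exactly that pattern: hidden-PHP POST probes per IP, how many of them carried no Referer/User-Agent, and which ones actually got a 2xx. The sample lines in it are constructed for the example (the 31.184.244.18 lines are modelled on the post's log; the 203.0.113.7 lines are fictitious ordinary traffic so the filter has something to ignore).

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines in Apache "combined" log format, modelled on the lines
# quoted in the post. 31.184.244.18 mirrors the probe pattern (blind POSTs to
# dotfile PHP scripts); 203.0.113.7 is fictitious normal traffic.
SAMPLE_LOG = """\
31.184.244.18 - - [19/Feb/2013:11:18:26 +0100] "POST /.4a4d.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:27 +0100] "POST /backups/.4b84.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:30 +0100] "POST /domains/ mijndomein.nl/.d514.php HTTP/1.1" 404 590 "-" "-"
31.184.244.18 - - [19/Feb/2013:11:18:44 +0100] "POST /.86be.php HTTP/1.1" 200 60325 "-" "-"
203.0.113.7 - - [19/Feb/2013:11:20:01 +0100] "GET /index.php?page=home HTTP/1.1" 200 12345 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2013:11:20:05 +0100] "POST /admin/login.php HTTP/1.1" 302 - "http://example.com/admin/login.php" "Mozilla/5.0"
"""

# combined format: host ident user [time] "request" status bytes "referer" "user-agent"
# The request path is matched lazily up to the trailing " HTTP/x.y" so that paths
# containing a space (as in the quoted log) still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0  # "-" means no body
    return rec


def is_hidden_php_probe(rec: dict) -> bool:
    """True for a POST whose target file name starts with '.' and ends with '.php'."""
    if rec["method"] != "POST":
        return False
    basename = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return basename.startswith(".") and basename.endswith(".php")


def is_blind(rec: dict) -> bool:
    """True when both Referer and User-Agent are absent ('-'), typical of scanner tooling."""
    return rec["referer"] == "-" and rec["ua"] == "-"


def summarize(lines):
    """Count hidden-PHP probes per source IP and list the ones that got a 2xx,
    i.e. where a file with that name exists on disk and was executed."""
    probes_by_ip = Counter()
    blind_by_ip = Counter()
    successful = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_hidden_php_probe(rec):
            continue
        probes_by_ip[rec["ip"]] += 1
        if is_blind(rec):
            blind_by_ip[rec["ip"]] += 1
        if 200 <= rec["status"] < 300:
            successful.append((rec["ip"], rec["path"], rec["status"], rec["size"]))
    return {"probes_by_ip": probes_by_ip, "blind_by_ip": blind_by_ip, "successful": successful}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ip, n in report["probes_by_ip"].most_common():
        print(f"{ip}: {n} hidden-PHP POST probes ({report['blind_by_ip'][ip]} with no Referer/UA)")
    for ip, path, status, size in report["successful"]:
        print(f"HIT: {ip} POST {path} -> {status} ({size} bytes): the file exists, inspect it")
```

Run it against a real access log with `summarize(open("access.log"))`. The 404s only tell you what was tried; the entries worth acting on are the ones in `successful`, because a 200 on a dotfile PHP path means the file is already on disk and the scanner is talking to it. Note that the probes in the post all 404 in the same second they start, so the file was not placed through this HTTP traffic; this script finds the shell being used, not the upload path.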

Re: Security hole in 1.11.4?

Posted: Sat Feb 23, 2013 7:19 pm
by boschie
Are you sure it has to have come from CMS Made Simple?

I have had a server hacked through an outdated Plesk version.

The files need not, by definition, have come in via the CMS.

Kind regards,
boschie

(edit: added the word "not")

Re: Security hole in 1.11.4?

Posted: Sat Feb 23, 2013 7:28 pm
by hendrik
boschie wrote: Are you sure it has to have come from CMS Made Simple?

I have had a server hacked through an outdated Plesk version.

The files, by definition, have to have come in via the CMS.

Kind regards,
boschie
Hi,

Well, as far as I can tell my provider has its affairs in good order,
Webruimtehosting.nl.
But then, nothing can be ruled out.
I'm curious whether there are more cmsms users running at this provider and whether they have also been affected.

Re: Security hole in 1.11.4?

Posted: Sun Feb 24, 2013 9:39 am
by velden
You would rather want to know whether there are other, NON-cmsms users at the same provider who have ALSO been affected. With that you could more or less rule out cmsms.

Or other cmsms users at a different provider who have also been affected. And then indeed also compare versions of the admin tools etc. that the provider offers.

Re: Security hole in 1.11.4?

Posted: Sun Feb 24, 2013 9:52 am
by hendrik
velden wrote: You would rather want to know whether there are other, NON-cmsms users at the same provider who have ALSO been affected. With that you could more or less rule out cmsms.

Or other cmsms users at a different provider who have also been affected. And then indeed also compare versions of the admin tools etc. that the provider offers.
Hi, yes, that's exactly it.

I have removed the files, but the cause of the spam files ending up in the root of the sites has not yet been found.
So they could be back there again at any moment.

regards, Hendrik

Re: Security hole in 1.11.4?

Posted: Sun Feb 24, 2013 10:30 am
by staartmees
Googling for "vulnerability Webruimtehosting.nl" shows that this provider does turn up fairly regularly in connection with spam and other unwanted files.