Malicious Activity POST requests

2 posts by 2 authors in: Forums > CMS Builder
Last Post: July 28, 2017   (RSS)

By zaba - July 26, 2017

I have noticed some disguised files scattered around my site, which has affected my site. I have managed to remove the files and restore from backup, but it keeps happening. I have noticed some POST requests in the log files that look suspicious.

One such POST request is

"POST /cms/3rdParty/TinyMCE4/plugins/visualblocks/css/visualblocks.php HTTP/1.1"

I checked the server and deleted this file. I have no idea how it got there, as it's not supposed to be there.

I have changed permissions, used your exploit scanner, searched through logs and removed any non-welcome files.

I was wondering if I can create a whitelist of allowable POST files.

I just wanted to know of the files I need to whitelist for the normal functioning of cmsb.

Here is an example of the whitelist I want to add in .htaccess.

# whitelist POST requests
<IfModule mod_rewrite.c>
    RewriteEngine On
    # only act on POST requests
    RewriteCond %{REQUEST_METHOD} ^POST$
    # allow POSTs to the whitelisted script (add one line per allowed path)
    RewriteCond %{REQUEST_URI} !^/contact\.php$ [NC]
    # allow POSTs from localhost
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
    # everything else is refused with 403 Forbidden
    RewriteRule .* - [F,L]
</IfModule>

By Dave - July 28, 2017

Hi zaba, 

The underlying issue is likely that a malicious user (or more likely an automated script run by a malicious user) has found a way to create files on your server.

This happens a lot on the internet and is most often caused by running popular out-of-date 3rd party software with known security vulnerabilities.  The more common a program, the more likely hackers have added the exploit signature to security scanners so they automatically check for it.

Alternatively, it could just be an unescaped mysql value on a custom coded page.

Anyways, what you need to do is find the entry point.  One way to do that is to check your logs for the IP of the person accessing the created file (visualblocks.php).  Since no one else would know about that file except the attacker, it should be easy to isolate their IP.  Then scan your logs for all the pages accessed by that IP and look for a possible entry point.  Several requests before visualblocks.php there would have been one where they created the file.

One trick is to check the created/modified time on visualblocks.php.  That should match the date in the log files when the file was created and give you an idea where to look.

Once you find the entry point you want to upgrade that script to the latest version (if it's a 3rd party script) or patch that file if it has a security vulnerability.

Hope that helps!

Dave Edis - Senior Developer
interactivetools.com
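The log triage Dave describes, written out as an added example (not code from the thread or from CMS Builder): find the IPs that requested the planted file, list what each of them did before that first hit, and separately pull the requests that fall around the file's modification time. The log lines, addresses and the upload.php path are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format (constructed regex; matches the sample lines below).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines; the addresses and /old-plugin/upload.php are fictional.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jul/2017:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2017:10:01:09 +0000] "POST /old-plugin/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Jul/2017:10:01:15 +0000] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2017:10:01:20 +0000] "POST /cms/3rdParty/TinyMCE4/plugins/visualblocks/css/visualblocks.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Jul/2017:10:02:00 +0000] "POST /contact.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def suspect_ips(entries, dropped_file):
    """IPs that requested the planted file: only whoever planted it knows it exists."""
    return {e["ip"] for e in entries if e["path"] == dropped_file}

def requests_before_drop(entries, dropped_file):
    """Per suspect IP, the requests made before its first hit on the planted file;
    the entry point (an upload or injection) should be among them."""
    history = defaultdict(list)
    for e in entries:
        history[e["ip"]].append(e)
    result = {}
    for ip in suspect_ips(entries, dropped_file):
        prior = []
        for e in history[ip]:
            if e["path"] == dropped_file:
                break
            prior.append((e["time"], e["method"], e["path"]))
        result[ip] = prior
    return result

def requests_near(entries, mtime, window_seconds=300):
    """Requests within a window around the planted file's modification time
    (a Unix timestamp, as returned by os.path.getmtime on the real file)."""
    return [(e["ip"], e["method"], e["path"]) for e in entries
            if abs(datetime.strptime(e["time"], TIME_FMT).timestamp() - mtime) <= window_seconds]
```

On a real server, feed the access log through parse_log and pass the path Dave mentions plus the file's getmtime value; the POST immediately before the first hit on the planted file is the first candidate for the entry point.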