File upload method

K

Ksmith08

Member
May 7, 2019
12
0
1
Root
cPanel Access Level
Root Administrator
Hello,

I have CXS and it blocked a suspicious file -

Code: 
Scan Status     Fingerprint
Scan Time    Sun Sep 19 20:48:59 2021
Scan Type    Web
Original File    /tmp/20210919-204859-YUcxu0gj6EP42MKu-dm9YAAAABM-file-VfJm97
Original File Size    621B
Original File Type    FingerPrint
Original File Owner    nobody/nobody (65534/65534)
Original File Perms    -rw------- (0600)
Original File atime    Sun Sep 19 20:48:59 2021
Original File ctime    Sun Sep 19 20:48:59 2021
Original File mtime    Sun Sep 19 20:48:59 2021
Original File md5sum    b2abcadb37fdf9fb666f10c18a9d30ee
Original File Status    Quarantined file (exists)
Quarantine File    /home/quarantine/cxscgi/20210919-204859-YUcxu0gj6EP42MKu-dm9YAAAABM-file-VfJm97.1632055739_1
Web User    nobody (65534)
Web Script Owner    ()
Web Script File    /home/xxxxxxxxx/public_html/billing/modules/vtemskitter
Web Script URL    https://xxxxxxxxxxxxxxxxxxxxx//modules/vtemskitter/uploadimage.php
Web Remote IP    62.4.31.171
Web Remote Referrer  
Scan Message    Known exploit = [Fingerprint Match] [Hacker Sig Exploit [P1810]]
I'd like to know how exactly this file got uploaded?

- FTP disabled (globally)
- SSH disabled

/var/log/messages - nothing there

Raw access log -

Code: 
62.4.31.171 - - [19/Sep/2021:20:48:05 +0800] "GET //modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 31838 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:07 +0800] "GET //modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 31845 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:09 +0800] "GET //modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 31843 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:10 +0800] "GET //modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 31850 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:11 +0800] "GET //modules/gamification/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 31839 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:13 +0800] "GET //modules/gamification/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 31846 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:14 +0800] "POST //modules/smartprestashopthemeadmin/ajax_smartprestashopthemeadmin.php HTTP/1.1" 404 31836 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:22 +0800] "POST //modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=XSam-XAdoo&data_type=image HTTP/1.1" 404 31804 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:29 +0800] "GET //modules/jmsslider/views/img/layers/xsam_xadoo_bot.php HTTP/1.1" 404 31821 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:40 +0800] "POST //modules/groupcategory/GroupCategoryUploadImage.php HTTP/1.1" 404 31818 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:52 +0800] "POST //modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 404 31826 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:54 +0800] "GET //modules/verticalmegamenus/images/temps/xsam_xadoo_bot.php HTTP/1.1" 404 31825 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:55 +0800] "POST //modules/fieldvmegamenu/ajax/upload.php HTTP/1.1" 404 31806 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:57 +0800] "GET //modules/fieldvmegamenu/uploads/xsam_xadoo_bot.php HTTP/1.1" 404 31817 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:59 +0800] "POST //modules/vtemskitter/uploadimage.php HTTP/1.1" 404 31803 "-" "python-requests/2.26.0"
Any ideas?

Thanks
 
Last edited by a moderator:
cPRex

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
14,307
2,239
363
cPanel Access Level
Root Administrator
Hey there! Is the uploadimage.php file not normally a part of the software being used? If not, I'd be checking that site's software for plugins that could be vulnerable. It's also possible this happened through the cPanel >> File Manager tool if someone got the cPanel password for the account.
 
K

Ksmith08

Member
May 7, 2019
12
0
1
Root
cPanel Access Level
Root Administrator
cPRex said:
Hey there! Is the uploadimage.php file not normally a part of the software being used? If not, I'd be checking that site's software for plugins that could be vulnerable. It's also possible this happened through the cPanel >> File Manager tool if someone got the cPanel password for the account.
Click to expand...
Hi thanks for the reply. No it's not a part of the script. I will reset my cpanel password.. what is the meaning of this "python-requests/2.26.0" any ideas?
 
Q

quietFinn

Well-Known Member
Feb 4, 2006
1,842
427
438
Finland
cPanel Access Level
Root Administrator
I find this interesting...

In CXS message it says the script used is:
Web Script URL https://xxxxxxxxxxxxxxxxxxxxx//modules/vtemskitter/uploadimage.php
and:
Original File /tmp/20210919-204859-YUcxu0gj6EP42MKu-dm9YAAAABM-file-VfJm97

In the Raw Access log we see:
62.4.31.171 - - [19/Sep/2021:20:48:59 +0800] "POST //modules/vtemskitter/uploadimage.php HTTP/1.1" 404 31803 "-" "python-requests/2.26.0"

Status code is 404 so that file /modules/vtemskitter/uploadimage.php does not exist.

How can the uploadimage.php script create a file in /tmp if uploadimage.php does not exist?

Btw if you search for "vtemskitter vulnerability" you get some interesting results.
 
K

Ksmith08

Member
May 7, 2019
12
0
1
Root
cPanel Access Level
Root Administrator
quietFinn said:
I find this interesting...

In CXS message it says the script used is:
Web Script URL https://xxxxxxxxxxxxxxxxxxxxx//modules/vtemskitter/uploadimage.php
and:
Original File /tmp/20210919-204859-YUcxu0gj6EP42MKu-dm9YAAAABM-file-VfJm97

In the Raw Access log we see:
62.4.31.171 - - [19/Sep/2021:20:48:59 +0800] "POST //modules/vtemskitter/uploadimage.php HTTP/1.1" 404 31803 "-" "python-requests/2.26.0"

Status code is 404 so that file /modules/vtemskitter/uploadimage.php does not exist.

How can the uploadimage.php script create a file in /tmp if uploadimage.php does not exist?

Btw if you search for "vtemskitter vulnerability" you get some interesting results.
Click to expand...
Yea exactly.. i don't see any uploads etc but no idea how they're trying to upload this file..
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
Tarak Nath Specific file name upload restriction Security 1
B Is anyone here able to set up modsecurity so it scans file uploads in real time and rejects malicious ones. Security 1
C Block certain files from ever being uploaded on the server / block IPs that attempt to? Security 2
H How to find IP address who viewed and uploaded file in my server Security 2
G Server trying to upload binary files? Security 2
Similar threads
Specific file name upload restriction
Is anyone here able to set up modsecurity so it scans file uploads in real time and rejects malicious ones.
Block certain files from ever being uploaded on the server / block IPs that attempt to?
How to find IP address who viewed and uploaded file in my server
Server trying to upload binary files?
Top Bottom