Ksmith08 (Member, joined May 7, 2019, cPanel Access Level: Root Administrator)
Hello,

I have CXS and it blocked a suspicious file -

Code:
Scan Status     Fingerprint
Scan Time    Sun Sep 19 20:48:59 2021
Scan Type    Web
Original File    /tmp/20210919-204859-YUcxu0gj6EP42MKu-dm9YAAAABM-file-VfJm97
Original File Size    621B
Original File Type    FingerPrint
Original File Owner    nobody/nobody (65534/65534)
Original File Perms    -rw------- (0600)
Original File atime    Sun Sep 19 20:48:59 2021
Original File ctime    Sun Sep 19 20:48:59 2021
Original File mtime    Sun Sep 19 20:48:59 2021
Original File md5sum    b2abcadb37fdf9fb666f10c18a9d30ee
Original File Status    Quarantined file (exists)
Quarantine File    /home/quarantine/cxscgi/20210919-204859-YUcxu0gj6EP42MKu-dm9YAAAABM-file-VfJm97.1632055739_1
Web User    nobody (65534)
Web Script Owner    ()
Web Script File    /home/xxxxxxxxx/public_html/billing/modules/vtemskitter
Web Script URL    https://xxxxxxxxxxxxxxxxxxxxx//modules/vtemskitter/uploadimage.php
Web Remote IP    62.4.31.171
Web Remote Referrer  
Scan Message    Known exploit = [Fingerprint Match] [Hacker Sig Exploit [P1810]]
I'd like to know how exactly this file got uploaded?

- FTP disabled (globally)
- SSH disabled

/var/log/messages - nothing there

Raw access log -

Code:
62.4.31.171 - - [19/Sep/2021:20:48:05 +0800] "GET //modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 31838 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:07 +0800] "GET //modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 31845 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:09 +0800] "GET //modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 31843 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:10 +0800] "GET //modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 31850 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:11 +0800] "GET //modules/gamification/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 31839 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:13 +0800] "GET //modules/gamification/vendor/phpunit/phpunit/src/Util/PHP/XsamXadoo_Bot_Rce.php HTTP/1.1" 404 31846 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:14 +0800] "POST //modules/smartprestashopthemeadmin/ajax_smartprestashopthemeadmin.php HTTP/1.1" 404 31836 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:22 +0800] "POST //modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=XSam-XAdoo&data_type=image HTTP/1.1" 404 31804 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:29 +0800] "GET //modules/jmsslider/views/img/layers/xsam_xadoo_bot.php HTTP/1.1" 404 31821 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:40 +0800] "POST //modules/groupcategory/GroupCategoryUploadImage.php HTTP/1.1" 404 31818 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:52 +0800] "POST //modules/verticalmegamenus/VerticalMegaMenusUploadImage.php HTTP/1.1" 404 31826 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:54 +0800] "GET //modules/verticalmegamenus/images/temps/xsam_xadoo_bot.php HTTP/1.1" 404 31825 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:55 +0800] "POST //modules/fieldvmegamenu/ajax/upload.php HTTP/1.1" 404 31806 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:57 +0800] "GET //modules/fieldvmegamenu/uploads/xsam_xadoo_bot.php HTTP/1.1" 404 31817 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:59 +0800] "POST //modules/vtemskitter/uploadimage.php HTTP/1.1" 404 31803 "-" "python-requests/2.26.0"
Any ideas?

Thanks

cPRex (Jurassic Moderator, Staff member, joined Oct 19, 2014, cPanel Access Level: Root Administrator)
Hey there! Is the uploadimage.php file not normally a part of the software being used? If not, I'd be checking that site's software for plugins that could be vulnerable. It's also possible this happened through the cPanel >> File Manager tool if someone got the cPanel password for the account.
 

Ksmith08 (Member, joined May 7, 2019, cPanel Access Level: Root Administrator)
cPRex said:
> Hey there! Is the uploadimage.php file not normally a part of the software being used? If not, I'd be checking that site's software for plugins that could be vulnerable. It's also possible this happened through the cPanel >> File Manager tool if someone got the cPanel password for the account.

Hi, thanks for the reply. No, it's not a part of the script. I will reset my cPanel password. What is the meaning of this "python-requests/2.26.0"? Any ideas?
 

quietFinn (Well-Known Member, joined Feb 4, 2006, Finland, cPanel Access Level: Root Administrator)
I find this interesting...

In the CXS message it says the script used is:
Web Script URL https://xxxxxxxxxxxxxxxxxxxxx//modules/vtemskitter/uploadimage.php
and:
Original File /tmp/20210919-204859-YUcxu0gj6EP42MKu-dm9YAAAABM-file-VfJm97

In the Raw Access log we see:
62.4.31.171 - - [19/Sep/2021:20:48:59 +0800] "POST //modules/vtemskitter/uploadimage.php HTTP/1.1" 404 31803 "-" "python-requests/2.26.0"

Status code is 404 so that file /modules/vtemskitter/uploadimage.php does not exist.

How can the uploadimage.php script create a file in /tmp if uploadimage.php does not exist?

BTW, if you search for "vtemskitter vulnerability" you get some interesting results.
 
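As an added example (not from the thread, and not CXS's own code), the pattern in the raw access log posted above and the timestamp correlation quietFinn draws between the CXS report and the 20:48:59 POST can be checked with a short Python script. The embedded log is a constructed subset of the thread's lines plus one made-up benign request from 203.0.113.9; the 10-second window, the "upload" path keyword and the scoring thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: four lines from the thread's raw access log plus one made-up benign request.
LOG = """\
62.4.31.171 - - [19/Sep/2021:20:48:40 +0800] "POST //modules/groupcategory/GroupCategoryUploadImage.php HTTP/1.1" 404 31818 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:55 +0800] "POST //modules/fieldvmegamenu/ajax/upload.php HTTP/1.1" 404 31806 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:57 +0800] "GET //modules/fieldvmegamenu/uploads/xsam_xadoo_bot.php HTTP/1.1" 404 31817 "-" "python-requests/2.26.0"
62.4.31.171 - - [19/Sep/2021:20:48:59 +0800] "POST //modules/vtemskitter/uploadimage.php HTTP/1.1" 404 31803 "-" "python-requests/2.26.0"
203.0.113.9 - - [19/Sep/2021:20:49:10 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
# Apache combined format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
def parse(log):
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            r = m.groupdict()
            r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
            r["status"] = int(r["status"])
            rows.append(r)
    return rows

def profile_sources(rows, window=timedelta(seconds=10)):
    """Per source IP: 404 POSTs to upload-style paths, .php GETs within `window` of an earlier POST
    (drop a file, then fetch it), and whether a scripted client UA was used. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    out = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        upload_posts = sum(1 for r in reqs if r["method"] == "POST" and r["status"] == 404
                           and "upload" in r["path"].lower())
        post_then_fetch = sum(1 for i, r in enumerate(reqs) if r["method"] == "GET" and r["path"].endswith(".php")
                              and any(p["method"] == "POST" and timedelta(0) <= r["ts"] - p["ts"] <= window
                                      for p in reqs[:i]))
        scripted = any(r["ua"].startswith("python-requests") for r in reqs)
        out[ip] = {"upload_posts": upload_posts, "post_then_fetch": post_then_fetch, "scripted_ua": scripted,
                   "suspicious": upload_posts >= 2 or (post_then_fetch >= 1 and scripted)}
    return out

def match_cxs_event(rows, scan_time, script_path):
    """Return the access-log request whose timestamp and path match a CXS 'Scan Time' / 'Web Script URL'."""
    want = datetime.strptime(scan_time, "%a %b %d %H:%M:%S %Y")  # CXS prints local time without a zone
    for r in rows:
        if r["ts"].replace(tzinfo=None) == want and r["path"].endswith(script_path):
            return r
    return None
```

Running `match_cxs_event(parse(LOG), "Sun Sep 19 20:48:59 2021", "/modules/vtemskitter/uploadimage.php")` returns the 404 POST line, i.e. the request that carried the upload body CXS scanned even though the target script was not there.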

Ksmith08 (Member, joined May 7, 2019, cPanel Access Level: Root Administrator)
quietFinn said:
> I find this interesting...
>
> In the CXS message it says the script used is:
> Web Script URL https://xxxxxxxxxxxxxxxxxxxxx//modules/vtemskitter/uploadimage.php
> and:
> Original File /tmp/20210919-204859-YUcxu0gj6EP42MKu-dm9YAAAABM-file-VfJm97
>
> In the Raw Access log we see:
> 62.4.31.171 - - [19/Sep/2021:20:48:59 +0800] "POST //modules/vtemskitter/uploadimage.php HTTP/1.1" 404 31803 "-" "python-requests/2.26.0"
>
> Status code is 404 so that file /modules/vtemskitter/uploadimage.php does not exist.
>
> How can the uploadimage.php script create a file in /tmp if uploadimage.php does not exist?
>
> BTW, if you search for "vtemskitter vulnerability" you get some interesting results.

Yeah, exactly. I don't see any uploads etc., but I have no idea how they're trying to upload this file.