EDMC73.com - hack

Apache

anonymous@undisclosed.example.com (Anonymous) — Wed, 08 Jan 2020 08:25:39 +0000

Apache Ce que l’on peut voir dans les logs apaches... 5.101.0.209 - - [07/Jan/2020:00:06:41 +0100] "GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1" 302 1343 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 5.101.0.209 - - [07/Jan/2020:00:11:18 +0100] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 302 1389 "-" "Mozilla/5.…

exe

anonymous@undisclosed.example.com (Anonymous) — Thu, 23 Jan 2020 21:58:12 +0000

exe Cas d’un binaire exécutable qui tourne mais donc le fichier n’existe plus # ps aux | grep cron toto 25643 0.0 0.0 145924 1228 ? S 09:01 0:01 ./cron.php -e0.0.0.0 -p31756 # ls -l /proc/25643/exe lrwxrwxrwx 1 toto toto 0 janv. 23 22:51 /proc/25643/exe -> /var/www/toto/plugins/xmap/com_mtree/cron.php (deleted)

Rechercher

anonymous@undisclosed.example.com (Anonymous) — Wed, 05 Feb 2020 20:53:31 +0000

Rechercher # grep -rHin --color '\\x' --include \*.php * # grep -rHin --color '}function' --include \*.php * # grep -rHin --color 'eval(' --include \*.php * # grep -rHin --color 'eval (' --include \*.php * # grep -rHin --color 'base64_decode' --include \*.php *

Script1

anonymous@undisclosed.example.com (Anonymous) — Thu, 23 Jan 2020 22:15:08 +0000

Script1 Exemple d’un script retrouvé sur un site