On an affected (0.7.19) site I cleaned all kinds of dynamic link folders with names like 1.txt, 2.txt, 3.txt. In the e107_files/cache I found phpinfo.php. In the root I found comeon.php, m22.php and u.php. Make sure you get rid of these too!
I considered it a fix because I had read elsewhere that some sites with v.7.22 had also had a problem. I don't know if they may have been hit before the upgrade, but until the dust settles I needed to remove the problem.
Here are some of the IPs that were part of this attack:
I thought I was going crazy yesterday with my server and mysql dying on me the whole time. Reading this post this morning explained a lot to me.
There is a script running that is trying to access "contact.php" and "help_us.php".
A quick fix would be for server admins to check the Apache logs and just firewall the IPs that attempt to connect to "help_us.php".
None of my sites have been compromised and I'm running various versions of e107... Only I am experiencing DDoS-like activity.
For security's sake I didn't write out the whole query they tried to execute, but on second thought here is the full query from one of them (they were all the same), so you can check that they are trying to upload a gif.
Are you sure this is the same attack? Seems like different files than what the contact.php attack is about.
I did some IP lookups to see where they are. If you are sure they are the source, and not just infected systems, you could do a whois to find out who to report the abuse to, maybe? In case it's an account, not an owner.
The main script file is ooo.php, which contains all the code for backdoor installation of other scripts, connecting to a server, etc. A huge one, as I was browsing through it. Two tgz files contain the same script in compressed form. .config.ini.php seems to be an empty redirecting file. The commands that were logged on the web server are as follows:
Mon Jun 7 03:33:37 2010: '/usr/bin/php /home/***/public_html/***/.config.ini.php ' (Exe: php [/usr/bin/php], Script: '/home/****/public_html.***/.config.ini.php', Domain: ***, Request: '/.config.ini.php?act=phptools&host=184.108.40.206&time=120&port=53&type=udp', Accessed from: 220.127.116.11) - of ****** has used 101.6 %CPU
All commands are in the same format with the same IP numbers.
e107 version was 0.7.17
I had updated the main site to .22 but failed to update another one. The main site is OK, but this one came under DDoS attack. It was not a production site as yet, though, so no harm.
I have saved the ooo.php file. If the devs want to look at it, maybe I can send it. It contains a fully configured IRC trojan: file searching, automated recursive dir, full mysql functions, connect to port 6667, sends mail, etc. It contains the following info:
oded by Enqu!nx & TurkTegin /* MAIL http://sabotaj. eu , http://sabotaj. eu
I don't know how this file or compressed files were uploaded as FTP seems intact.
Now I have deleted all files and a fresh install of version .22 has been done for the site. I will request the admin to reactivate the site.
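Added example, not code from this thread or from e107: a Python script that implements the log check suggested earlier in the thread (firewall the IPs hitting help_us.php) and also matches the `.config.ini.php?act=phptools` flood command shown in the logged entry above. It scans Apache combined-format access log lines for the files named in this thread, groups hits by source IP, and renders blocking rules for review. The log lines and addresses are constructed sample data, not the thread's IPs.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Files named in this thread as probe targets or dropped scripts.
SUSPECT_PATHS = {"/help_us.php", "/contact.php", "/.config.ini.php", "/ooo.php",
                 "/phpinfo.php", "/comeon.php", "/m22.php", "/u.php"}

# Apache "combined" format: ip ident user [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log lines (documentation-range addresses, not real attackers).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jun/2010:03:33:37 +0000] "GET /.config.ini.php?act=phptools'
    '&host=203.0.113.5&time=120&port=53&type=udp HTTP/1.1" 200 12 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [07/Jun/2010:03:33:38 +0000] "GET /help_us.php HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [07/Jun/2010:03:34:01 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.44 - - [07/Jun/2010:03:35:00 +0000] "GET /news.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (ip, reason) when a line matches an indicator from the thread, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path, query = parts.path, parse_qs(parts.query)
    # The flood command seen in the thread: .config.ini.php driven with act=phptools.
    if path.endswith("/.config.ini.php") and query.get("act") == ["phptools"]:
        return m.group("ip"), "phptools flood command"
    for suspect in SUSPECT_PATHS:
        if path.endswith(suspect):      # leading "/" avoids matching e.g. /menu.php as /u.php
            return m.group("ip"), "request to " + suspect
    return None

def scan(lines, threshold=1):
    """Group matching requests by source IP; keep IPs with at least `threshold` hits."""
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]].append(result[1])
    return {ip: reasons for ip, reasons in hits.items() if len(reasons) >= threshold}

def firewall_rules(report):
    """Render one iptables DROP rule per offending IP for an admin to review, not execute here."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip in sorted(report)]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
    print("\n".join(firewall_rules(scan(SAMPLE_LOG))))
```

Run it over a real access log by replacing `SAMPLE_LOG` with the file's lines; raise `threshold` to ignore a single stray 404 from a scanner.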