On Wed, Jul 6, 2022 at 9:08 AM KK CHN <kkchn...@gmail.com> wrote:

> On Wed, Jul 6, 2022 at 8:33 AM Yehuda Katz <yeh...@ymkatz.net> wrote:
>
>> Your log doesn't start early enough. Someone uploaded a web shell (or
>> found an existing web shell) to your server, possibly using an upload form
>> that doesn't validate the input, then used that shell to run commands on
>> your server.
>>
> Here is another old log paste
> https://zerobin.net/?a4d9f5b146676594#hkpTU0ljaG5W0GUNVEsaYqvffQilrXavBmbK+V9mzUw=
>
I see an entry in that log file mentioning a web shell on June 19:

175.141.226.202 - - [19/Jun/2022:03:35:03 +0530] "GET /dashboard/upload/wordpdf/origiinal-shellbackdoor-anonymous-bypass-kak827j.php?path=/var/www/html HTTP/1.1"

You can see the same IP address added a second hidden shell (gel4y - an open-source hidden shell).

> I would like to know what other details / analysis we need to perform to
> find out how the attacker got access and what time the backdoor was
> installed and through what vulnerability they exploited?
> I request your tips to investigate further and to find the root cause of
> this kind of attack and how to prevent it in future?

As I said before, you need to make sure your webserver will not try to execute files uploaded by users. Since you mentioned WordPress: WordPress is well known for having this vulnerability because uploads are stored in a public location by default. Make sure none of your plugins allow file uploads with unspecified extensions - for example, an upload form for pictures should check to make sure that what was uploaded is actually a picture before moving it to the wp-content/uploads directory. You should also look into blocking execution of PHP and other scripts in the wp-content/uploads directory (and any other location an untrusted user may be able to upload to).

- Y
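The triage step the reply describes (find script requests served from an upload directory, take the earliest one per client IP, then look at what that IP did before it to locate the upload that planted the file) as an added Python example; this is not code from the thread, and the sample log lines, IPs and paths are constructed (only the /dashboard/upload/ path and the Apache combined log format come from the thread):

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-log line, the format of the log pasted in the thread.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Upload locations that must never serve scripts: /dashboard/upload/ is from
# the thread's log, wp-content/uploads is WordPress's default upload directory.
UPLOAD_DIRS = ("/dashboard/upload/", "/wp-content/uploads/")
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")

# Constructed sample log (documentation IP ranges, invented paths and times).
SAMPLE_LOG = """\
198.51.100.7 - - [18/Jun/2022:22:10:41 +0530] "GET /wp-login.php HTTP/1.1" 200 4521
198.51.100.7 - - [18/Jun/2022:22:11:02 +0530] "POST /dashboard/upload/ HTTP/1.1" 302 0
198.51.100.7 - - [18/Jun/2022:22:11:09 +0530] "GET /dashboard/upload/wordpdf/shell.php?path=/var/www/html HTTP/1.1" 200 812
203.0.113.9 - - [19/Jun/2022:03:35:03 +0530] "GET /wp-content/uploads/2022/06/photo.jpg HTTP/1.1" 200 20311
198.51.100.7 - - [19/Jun/2022:03:40:15 +0530] "GET /wp-content/uploads/2022/06/gel4y.php HTTP/1.1" 200 503
"""

def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def script_requests_in_uploads(lines):
    """ip -> (earliest timestamp, [paths]) for served script hits under upload dirs."""
    hits = defaultdict(lambda: [None, []])
    for rec in filter(None, map(parse_line, lines)):
        path = rec["path"].split("?", 1)[0].lower()
        if (path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_EXTS)
                and int(rec["status"]) < 400):
            entry = hits[rec["ip"]]
            if entry[0] is None or rec["ts"] < entry[0]:
                entry[0] = rec["ts"]
            entry[1].append(rec["path"])
    return {ip: (ts, paths) for ip, (ts, paths) in hits.items()}

def requests_before(lines, ip, cutoff):
    """Earlier requests from the same IP: where the upload that planted the file will be."""
    recs = [r for r in map(parse_line, lines)
            if r and r["ip"] == ip and r["ts"] < cutoff]
    return sorted(recs, key=lambda r: r["ts"])
```

Run it over the real access log (all rotated files, since the thread notes the log did not start early enough) and the POST just before the first served script hit is the request to examine for the upload path.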