sbarmen
2012-05-15 16:34:58 UTC
Not sure where to turn so I try to post this question here :)
I know that my web server has been exploited and someone/some software still tries to continue the exploit, but my investigations on what is actually going on have come to a halt.
What I know is that the perp/software is on IP 95.65.31.32 and they are sending an HTTP POST to the root of my web site. Here is the log from Apache:
95.65.31.32 - - [15/May/2012:16:27:15 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:28:50 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:28:51 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:30:08 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:30:09 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:30:27 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:30:27 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:31:01 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:31:01 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:36:59 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
Also I have installed mod_dumpio to get more details, but the only thing I see is a data-HEAP being posted to the server and I cannot for love nor money understand how the posted data gets converted to an email. Here is a snippet from my dumpio:
http://pastebin.com/kZLSNP57
You can see in the end it exits with a sendmail statement. This now fails since I have pointed my sSMTP to a relay that requires SSL and user/pw, just to stop the spam from routing. I do also have a dump of one of the emails it keeps sending, but I am not sure that helps.
Now I do not know what to do next. I tried decoding the POST data but keep ending up with gibberish. It seems it uploads a file of some sort, so it does not make any sense to me.
WordPress has been upgraded to the latest version and all plugins are updated; also I updated Apache to 2.2.22 etc. I do think I have closed all holes, but still there is something going on.... I was kinda hoping to find that there was a file it kept posting to so I could remove that file, but right now it feels a little like locating the needle in the haystack.
Of course I can just drop the source IP data, but if I am exposed I would really like to know ... :|
If anyone could help, please say so! Thanks :D
Best regards
Stian
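The pattern in the quoted Apache log (one client repeatedly POSTing to `/` and always getting a tiny `200` reply of 11 or 32 bytes) is something you can pick out of the access log automatically. The following is an added example, not code from the original post: it parses combined-format log lines and flags any client IP that sends a burst of POSTs to the site root with near-empty successful responses. The ten POST entries are the ones quoted above; the `203.0.113.7` GET line, the `find_post_bursts` thresholds and the helper names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def find_post_bursts(lines, min_posts=5, window_seconds=600, max_bytes=64):
    """Flag client IPs that send >= min_posts successful POSTs to "/" within
    window_seconds while every reply in that window is at most max_bytes long.
    Returns {ip: {"count", "span_s", "sizes"}} over all of that IP's root POSTs."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/" and rec["status"] == "200":
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs) - min_posts + 1):   # slide a window of min_posts requests
            window = recs[i:i + min_posts]
            span = (window[-1]["ts"] - window[0]["ts"]).total_seconds()
            if span <= window_seconds and all(r["bytes"] <= max_bytes for r in window):
                flagged[ip] = {"count": len(recs),
                               "span_s": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
                               "sizes": sorted({r["bytes"] for r in recs})}
                break
    return flagged

UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
# The ten POST entries quoted in the post above as (time, response bytes), plus one constructed benign GET.
POSTS = [("16:27:15", 11), ("16:28:50", 32), ("16:28:51", 11), ("16:30:08", 32), ("16:30:09", 11),
         ("16:30:27", 32), ("16:30:27", 11), ("16:31:01", 32), ("16:31:01", 11), ("16:36:59", 32)]
SAMPLE_LOG = [f'95.65.31.32 - - [15/May/2012:{t} +0200] "POST / HTTP/1.1" 200 {b} "-" "{UA}"' for t, b in POSTS]
SAMPLE_LOG.append('203.0.113.7 - - [15/May/2012:16:29:00 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "curl/7.22"')

if __name__ == "__main__":
    for ip, info in find_post_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} root POSTs over {info['span_s']:.0f}s, reply sizes {info['sizes']}")
```

Run it over the real access log (`find_post_bursts(open("access.log"))`) to see whether other clients show the same burst pattern; the flagged IP and the request timestamps then give you what to correlate against the mod_dumpio capture and the mail log.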