Hi team - I need some help!

I discovered some directories in the IFS that were not there yesterday.

We are using PHP Zend server 7 to provide a web portal for our
application.

Today I found directories in /www/zendphp7/htdocs including

Object     Type   Owner     Size     Data
amzn.zip   *STMF  QTMHHTTP  3145728  Yes
amznbvn    *DIR   QTMHHTTP     8192  Yes
hehe.php   *STMF  QTMHHTTP    32768  Yes
hte.php    *STMF  QTMHHTTP    32768  Yes
subanus    *DIR   QTMHHTTP     8192  Yes
us.php     *STMF  QTMHHTTP    16384  Yes
xcbxcb     *DIR   QTMHHTTP     8192  Yes

on a system.

These are in the directory /www/zendphp7/htdocs/

The authorities are as follows.

Directory /www
*PUBLIC   *RWX
QSYS      *RWX
QTMHHTTP  *RWX

Directory /www/zendphp7
*PUBLIC   *EXCLUDE
QTMHHTTP  *RWX

Directory /www/zendphp7/htdocs
*PUBLIC   *EXCLUDE
QTMHHTTP  *RX

I found in the access_log

host-156.210.234.190-static.tedata.net - - [08/Aug/2023:00:05:33 +1000]
"GET //xcbxcb/all_result/FULLZ.HTML HTTP/1.1" 404 196 "-" "Mozilla/5.0
(X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
156.210.190.234 - - [08/Aug/2023:00:05:35 +1000] "GET /favicon.ico
HTTP/1.1" 404 196 "
https://xxxxxxxaccounts.xxx.net.au//xcbxcb/all_result/FULLZ.HTML";
"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"

156.210.190.234 - - [08/Aug/2023:00:19:18 +1000] "GET
/hte.php?d=2f7777772f7a656e64706870372f6874646f63732f49544d41532f7863627863622
2f616c6c5f726573756c74 HTTP/1.1" 200 3371 "
https://xxxxxxxaccounts.xxx.net.au/hte.php?d=2f7777772f7a656e64706870372f6874646f63732f4954
4d41532f7863627863622f616c6c5f726573756c74" "Mozilla/5.0 (X11; Linux
x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"

And a whole heap more related messages.

I have blocked address 156.210.190.234 in the firewall - but I am sure
this is not a fix.

I have deleted the files and directories that were owned by QTMHHTTP above,
but I do not understand how these were installed based on QTMHHTTP not
having Write authority to the htdocs directory?

I do not know what security changes I should be implementing or where to
get the information on how to implement these changes.

Any suggestions gratefully appreciated.

Thanks

Don


--
This email has been scanned for computer viruses. Although MSD has taken reasonable precautions to ensure no viruses are present in this email, MSD cannot accept responsibility for any loss or damage arising from the use of this email or attachments..
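As an added example (not part of Don's message or of anything shipped with Zend Server), here is a small Python triage script for the access_log entries quoted above. It assumes the log is in Apache "combined" format, which is what the quoted lines show; the list of object names comes from the directory listing in the post, and the three sample lines are constructed copies of the quoted entries joined back onto one line each (the hex value of the d= parameter is taken from the Referer field, which survived the e-mail line wrapping intact). The script flags any request whose path or referer touches one of the dropped objects, escalates to "high" when the server answered 200 (the dropped PHP file actually ran), and decodes hex-encoded query values so the reader can see what path the hte.php request was pointed at.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Object names that appeared overnight in /www/zendphp7/htdocs (from the post).
DROPPED = {"amzn.zip", "amznbvn", "hehe.php", "hte.php", "subanus", "us.php", "xcbxcb"}

# Apache "combined" log format, which is what the quoted access_log entries use.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

# Constructed sample: the three entries from the post, each joined back onto one line.
# HEX_D is the clean copy of the d= value taken from the third entry's Referer field.
HEX_D = ("2f7777772f7a656e64706870372f6874646f63732f4954"
         "4d41532f7863627863622f616c6c5f726573756c74")
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0"
SAMPLE_LOG = [
    'host-156.210.234.190-static.tedata.net - - [08/Aug/2023:00:05:33 +1000] '
    f'"GET //xcbxcb/all_result/FULLZ.HTML HTTP/1.1" 404 196 "-" "{UA}"',
    '156.210.190.234 - - [08/Aug/2023:00:05:35 +1000] "GET /favicon.ico HTTP/1.1" 404 196 '
    f'"https://xxxxxxxaccounts.xxx.net.au//xcbxcb/all_result/FULLZ.HTML" "{UA}"',
    f'156.210.190.234 - - [08/Aug/2023:00:19:18 +1000] "GET /hte.php?d={HEX_D} HTTP/1.1" '
    f'200 3371 "https://xxxxxxxaccounts.xxx.net.au/hte.php?d={HEX_D}" "{UA}"',
]


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_hex(value):
    """Return the text behind a hex-encoded value, or None if it is not
    even-length hex that decodes to printable ASCII."""
    if not HEX_RE.match(value):
        return None
    raw = bytes.fromhex(value)
    return raw.decode("ascii") if all(32 <= b < 127 for b in raw) else None


def path_segments(path):
    """Split a URL path into decoded segments; empty segments from '//' are dropped."""
    return [unquote(s) for s in path.split("/") if s]


def triage(line):
    """Return a finding record for a line that touches the dropped objects or
    carries a hex-encoded query value; None for lines that look benign."""
    rec = parse_line(line)
    if rec is None:
        return None
    path, _, query = rec["target"].partition("?")
    findings = []

    hits = [s for s in path_segments(path) if s in DROPPED]
    if hits:
        # A 200 means the dropped PHP file was actually served/executed for the client.
        sev = "high" if rec["status"] == "200" else "medium"
        findings.append((sev, f"request path touches dropped object(s) {hits}"))

    for name, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            decoded = decode_hex(v)
            if decoded is not None:
                findings.append(("high", f"hex-encoded parameter {name} decodes to {decoded!r}"))

    if rec["referer"] != "-":
        ref_hits = [s for s in path_segments(urlsplit(rec["referer"]).path) if s in DROPPED]
        if ref_hits:
            findings.append(("low", f"referer path touches dropped object(s) {ref_hits}"))

    if not findings:
        return None
    return {"client": rec["client"], "ts": rec["ts"], "status": rec["status"],
            "target": rec["target"], "findings": findings}


def triage_log(lines):
    """Run triage over an iterable of log lines and return only the flagged records."""
    return [r for r in (triage(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG):
        print(rec["ts"], rec["client"], rec["status"], rec["target"][:60])
        for sev, msg in rec["findings"]:
            print(f"   [{sev}] {msg}")
```

Run against the real file (on IBM i the instance log is normally /www/zendphp7/logs/access_log, an assumption about this server's layout) by replacing SAMPLE_LOG with `open(path)`. On the sample, the d= value decodes to /www/zendphp7/htdocs/ITMAS/xcbxcb/all_result, i.e. the request named a path inside the dropped xcbxcb directory, and the hte.php entry is the only one that scores "high" because the server answered 200. Extending DROPPED with every other unexpected object found in htdocs, and running the script over the whole retention period rather than one day, gives the earliest timestamp at which any of those names was requested, which is the starting point for the "how did they get there" question.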


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].