brightlaunch

Member Since 24 Apr 2013
Offline Last Active Jun 13 2014 06:00 PM
-----

Posts I've Made

In Topic: Re: Critical Security Vulnerability In Cs-Cart And Multi-Vendor 2.x.x To 4.1.2

06 June 2014 - 12:04 PM

Kinda looking like images/tmp.gif is the repository for the data. Have you had a look or decoded it? Appears to be a different signature, so it could be a different attack, but it still requires the admin URL to have been compromised. So this is a much earlier event (like a month).


It's a snapshot of the /images/ directory permissions and files.

In Topic: Re: Critical Security Vulnerability In Cs-Cart And Multi-Vendor 2.x.x To 4.1.2

06 June 2014 - 12:03 AM

@tbirnseth - Will PM you with details. Here's the relevant section of the log:

202.153.65.76 - - [23/Apr/2014:11:42:18 -0500] "GET /admincp.php?version HTTP/1.1" 200 42 "-" "-"
202.153.65.76 - - [23/Apr/2014:11:42:26 -0500] "POST /admincp.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 200 259 "-" "-"
202.153.65.76 - - [23/Apr/2014:11:42:33 -0500] "GET /images/tmp.gif HTTP/1.1" 404 1772 "-" "-"
202.153.65.76 - - [23/Apr/2014:12:29:11 -0500] "GET /admincp.php?version HTTP/1.1" 200 42 "-" "-"
202.153.65.76 - - [23/Apr/2014:12:29:18 -0500] "POST /admincp.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 200 259 "-" "-"
202.153.65.76 - - [23/Apr/2014:12:29:24 -0500] "GET /images/tmp.gif HTTP/1.1" 404 1772 "-" "-"
202.153.65.76 - - [23/Apr/2014:12:34:21 -0500] "GET /admincp.php?version HTTP/1.1" 200 42 "-" "-"
202.153.65.76 - - [23/Apr/2014:12:34:27 -0500] "POST /admincp.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 200 259 "-" "-"
202.153.65.76 - - [23/Apr/2014:12:34:34 -0500] "GET /images/tmp.gif HTTP/1.1" 404 1772 "-" "-"
202.153.65.76 - - [23/Apr/2014:12:45:46 -0500] "GET /admincp.php?version HTTP/1.1" 200 42 "-" "-"
202.153.65.76 - - [23/Apr/2014:12:45:52 -0500] "POST /admincp.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 200 259 "-" "-"
202.153.65.76 - - [23/Apr/2014:12:45:59 -0500] "GET /images/tmp.gif HTTP/1.1" 404 1772 "-" "-"
202.153.65.76 - - [24/Apr/2014:03:06:09 -0500] "GET /admincp.php?version HTTP/1.1" 200 42 "-" "-"
202.153.65.76 - - [24/Apr/2014:03:06:15 -0500] "POST /admincp.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 200 259 "-" "-"
202.153.65.76 - - [24/Apr/2014:03:06:21 -0500] "GET /images/tmp.gif HTTP/1.1" 200 4454 "-" "-"
202.153.65.76 - - [24/Apr/2014:03:31:59 -0500] "GET /admincp.php?version HTTP/1.1" 200 42 "-" "-"
202.153.65.76 - - [24/Apr/2014:03:32:06 -0500] "POST /admincp.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 200 259 "-" "-"
202.153.65.76 - - [24/Apr/2014:03:32:12 -0500] "GET /images/tmp.gif HTTP/1.1" 200 4454 "-" "-"
202.153.65.76 - - [24/Apr/2014:03:32:19 -0500] "GET /images/default.thumb.php HTTP/1.1" 200 52663 "-" "-"
202.153.65.76 - - [24/Apr/2014:03:46:21 -0500] "GET /images/default.thumb.php HTTP/1.1" 200 52663 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Iron/28.0.1550.0 Chrome/28.0.1550.0 Safari/537.36"
202.153.65.76 - - [24/Apr/2014:03:46:24 -0500] "GET /favicon.ico HTTP/1.1" 404 1772 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Iron/28.0.1550.0 Chrome/28.0.1550.0 Safari/537.36"


83.150.87.81 - - [28/Apr/2014:09:01:35 -0500] "POST /images/default.thumb.php HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:36 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:37 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:38 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:40 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:41 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:42 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:43 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:44 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:45 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:46 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:47 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:48 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:49 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:50 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:51 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:52 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:54 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:55 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:56 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
83.150.87.81 - - [28/Apr/2014:09:01:57 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"

In Topic: Re: Critical Security Vulnerability In Cs-Cart And Multi-Vendor 2.x.x To 4.1.2

05 June 2014 - 09:25 PM

@tbirnseth: Searched log files from the last 6 months for /admincp.php?dispatch=payment_notification.results&payment=atos and then manually inspected each instance. Wasn't too difficult to spot.
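The log search described in this post, and the correlation the earlier log excerpt invites (the same client IP hits the ATOS notification endpoint, then a path under /images/ flips from 404 to 200 and a .php file starts being served from there), as an added example that is not part of the original post or of CS-Cart. The sample log lines are a subset copied from the excerpt posted above plus one constructed benign line as a control; the regexes, the findings structure and the `suspects` ranking are my own assumptions about what is worth flagging, not CS-Cart's guidance.

```python
"""Hunt an Apache combined-format access log for the CS-Cart ATOS
payment_notification request and correlate it with what the same client
fetched afterwards.  Added example, not code from the forum post."""
import re
from collections import defaultdict

# Apache "combined" log format, as used in the posted excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The request string the thread identifies as the attack vector.
ATOS_PATTERN = "dispatch=payment_notification.results&payment=atos"

# PHP should never be served out of an upload directory such as /images/.
# (Assumption: /images/ is the only web-writable upload path to watch.)
UPLOAD_DIR_PHP = re.compile(r"^/images/.*\.php(\?|$)", re.IGNORECASE)

# Lines 1-8 copied from the log excerpt in the post; line 9 is a
# constructed benign request used as a control.
SAMPLE_LOG = """\
202.153.65.76 - - [23/Apr/2014:11:42:18 -0500] "GET /admincp.php?version HTTP/1.1" 200 42 "-" "-"
202.153.65.76 - - [23/Apr/2014:11:42:26 -0500] "POST /admincp.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 200 259 "-" "-"
202.153.65.76 - - [23/Apr/2014:11:42:33 -0500] "GET /images/tmp.gif HTTP/1.1" 404 1772 "-" "-"
202.153.65.76 - - [24/Apr/2014:03:06:09 -0500] "GET /admincp.php?version HTTP/1.1" 200 42 "-" "-"
202.153.65.76 - - [24/Apr/2014:03:06:15 -0500] "POST /admincp.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 200 259 "-" "-"
202.153.65.76 - - [24/Apr/2014:03:06:21 -0500] "GET /images/tmp.gif HTTP/1.1" 200 4454 "-" "-"
202.153.65.76 - - [24/Apr/2014:03:32:19 -0500] "GET /images/default.thumb.php HTTP/1.1" 200 52663 "-" "-"
83.150.87.81 - - [28/Apr/2014:09:01:35 -0500] "POST /images/default.thumb.php HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"
10.0.0.5 - - [28/Apr/2014:10:00:00 -0500] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines):
    """Return {ip: findings} for every client IP with at least one finding.

    atos_hits:           timestamps of POSTs to the ATOS notification endpoint
    php_in_images:       (ts, path) where a .php under /images/ answered
                         with anything other than 404 (i.e. the file exists)
    flipped_404_to_200:  (ts, path) where this client first got a 404 for a
                         path and later a 200, suggesting a file was dropped
    """
    findings = defaultdict(
        lambda: {"atos_hits": [], "php_in_images": [], "flipped_404_to_200": []}
    )
    last_status = defaultdict(dict)  # ip -> {path: last status seen}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if rec["method"] == "POST" and ATOS_PATTERN in path:
            findings[ip]["atos_hits"].append(rec["ts"])
        if UPLOAD_DIR_PHP.match(path) and status != 404:
            findings[ip]["php_in_images"].append((rec["ts"], path))
        if last_status[ip].get(path) == 404 and status == 200:
            findings[ip]["flipped_404_to_200"].append((rec["ts"], path))
        last_status[ip][path] = status
    return {ip: f for ip, f in findings.items() if any(f.values())}


def suspects(findings):
    """IPs that hit the ATOS endpoint AND then touched something in /images/."""
    return sorted(
        ip for ip, f in findings.items()
        if f["atos_hits"] and (f["php_in_images"] or f["flipped_404_to_200"])
    )


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG.splitlines())
    for ip, f in results.items():
        print(ip, f)
    print("suspects:", suspects(results))
```

To run this against a real server, replace `SAMPLE_LOG.splitlines()` with the lines of the rotated access logs for the window you care about (the post searched six months). An IP that only appears in `php_in_images`, like 83.150.87.81 in the excerpt, is the operator of an already-planted shell rather than the dropper, which is why `suspects` keeps the two tiers separate.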

In Topic: Re: Critical Security Vulnerability In Cs-Cart And Multi-Vendor 2.x.x To 4.1.2

05 June 2014 - 05:13 PM

Update... we found a shell script on a client site in /images/default.thumb.php

It was placed there on April 23, 2014 from 202.153.65.76 using the ATOS vector of attack /admincp.php?dispatch=payment_notification.results&payment=atos

Then I see an attack from 83.150.87.81 on April 28:
83.150.87.81 - - [28/Apr/2014:09:01:36 -0500] "POST /mod_sec.html HTTP/1.1" 302 197 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1550.0 Safari/537.36"

In Topic: Re: Critical Security Vulnerability In Cs-Cart And Multi-Vendor 2.x.x To 4.1.2

30 May 2014 - 02:05 PM

How do you reset passwords for all customers?