Is there a hole in the version phpwcms-1.9.0-rc.2 ???

[Chaffinch<]

I have a problem, with a bot Yahoo! Slurp IP: 68.180.230.155 / 68.180.230.189
1) This bot on my server overwrites file index.php through line of code:
require( dirname( __FILE__ ) .'/confings.php' );
2) creates a file named: confings.php
3) creates a directory named: bak
4) creates a file named: suffix.txt
it contains an entry: .aBF or .HsC differently

Example of operation:

Code: Select all

68.180.230.155 - - [28/Dec/2017:09:49:45 +0100] "GET /kZCVisX/LAJ.aBF HTTP/1.1" 200 28432 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 376 28641 justin 4 2 0 0
68.180.230.155 - - [28/Dec/2017:09:50:00 +0100] "GET /MK-m/j/Uqk9bsm4jP/by1-OTkzb-weVZ.HsC HTTP/1.1" 200 26325 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 397 26534 justin 4 5 0 0
68.180.230.155 - - [28/Dec/2017:09:50:02 +0100] "GET /mT3L3-1zS HTTP/1.1" 200 28546 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 370 28755 justin 4 2 0 0
68.180.230.155 - - [28/Dec/2017:09:50:04 +0100] "GET /ZRVMjyG8-x2e2U_GD9YD9/5Sy HTTP/1.1" 200 43698 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 386 43907 justin 4 2 0 0
68.180.230.155 - - [28/Dec/2017:09:50:05 +0100] "GET /BydS3Lf6-UyWfDJ1Iu7Er1s4jH.HsC HTTP/1.1" 200 23552 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 391 23761 justin 4 1 0 0
68.180.230.155 - - [28/Dec/2017:09:50:08 +0100] "GET /ZkohG.HsC HTTP/1.1" 200 27460 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 370 27669 justin 2 6 0 0
68.180.230.155 - - [28/Dec/2017:09:50:16 +0100] "GET /6jMgEBX7/YQWm16rTdlwfPv5Lr5a3Q.aBF HTTP/1.1" 200 32112 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 395 32321 justin 1 4 0 0
68.180.230.155 - - [28/Dec/2017:09:50:20 +0100] "GET /4XaROnjeiAToiiYJC.aBF HTTP/1.1" 200 30335 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 382 30544 justin 2 5 0 0
68.180.230.155 - - [28/Dec/2017:09:50:23 +0100] "GET /KZ5pBc4cVzpMotW4IKFR_hEDF5y.aBF HTTP/1.1" 200 94442 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 392 94652 justin 4 1 0 0
68.180.230.155 - - [28/Dec/2017:09:50:24 +0100] "GET /l3F6Z2iFy/0bBypZ4UiPsP84wKKGDjj HTTP/1.1" 200 23284 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 392 23493 justin 3 2 0 0
68.180.230.155 - - [28/Dec/2017:09:50:24 +0100] "GET /QYFwSLV66j188B8A6jGCKST/.aBF HTTP/1.1" 200 31090 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 389 31300 justin 13 13 0 0
68.180.230.155 - - [28/Dec/2017:09:50:29 +0100] "GET /tDOWl0YIFvnA.aBF HTTP/1.1" 200 39029 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 377 39238 justin 1 5 0 0
68.180.230.155 - - [28/Dec/2017:09:50:29 +0100] "GET /exNqXCzTAlyFleXNPn4jBlPFMxj-I.aBF HTTP/1.1" 200 21253 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 394 21462 justin 2 3 0 0

The question is this:
How to effectively protect a script from overwriting and creating files, directories

During one stay,can on the server take 500/600 Mb area.
I am asking for constructive suggestions
Regards
Bogdan

[Oliver Georgi]

I would say there is no whole – otherwise more people should see this behaviour. Maybe something else on your server is insecure. Third party scripts, extensions, access data leaked…

[Chaffinch<]

I asked a question, because I have no concept.
OK slowly.
1) I do not accuse anyone of anything
I have a problem and I can not solve it.

When updating, to the last version phpwcms-1.9.0-rc.2
everything has been removed from the server, except:
../filearchive
../filearchive/can_be_deleted/
../content/images/

I made a fresh installation.
from the database copy, I imported tables:
phpwcms_article
phpwcms_articlecat
phpwcms_articlecontent
phpwcms_categories
phpwcms_file
That's all.


Currently, I changed in conf.inc.php line 76 to:

$phpwcms['BOTS'] = array('googlebot', 'msnbot', 'bingbot', 'ia_archiver', 'altavista'); //don't start session
Despite the change index.php -> CHMOD 640
the file has been overwritten.
I'm in shock.
So I ask a simple question.
My hosting provider,says that:
There was no hacking on the server, and POSSIBILITY such action ,it can be on the side of the script.
I am looking for a cure for this disease.
On the server, there is only phpwcms
PHP Version 5.6.30
Linux 23113.xxxx 4.1.42.core2.100 #1 SMP Mon Jul 3 07:15:20 CEST 2017 x86_64
Apache 2.0 Handler

[Oliver Georgi]

Really hard to say where there might step in.

If you have the web server protocol you should see when they have hit the system for the first time with what target.

Why changing the bots config? The default one handles most known.

I know from other injected installations where user’s systems were infected and each time they opened an FTP connection something was kind of side-loaded.

At the moment I have no clue or idea.

Additionally I would change all FTP and other account config and passwords on that system. Check your local system, then cleanup the account.

[Chaffinch<]

OKAY.
I compare the file by file!
It's possible that, is glued ... -:)
I'll look for, I'll see.
So many years I had peace echh.... -:(
Guten Rutsch ins Neue Jahr / Happy New Year
For you, and forum users
Best Regards
Bogdan