Script URL: service.buehler.com
Version of script: 2.7.5
Hosting company: SoftSys Hosting
URL of phpinfo.php: N/A
URL of session_test.php: N/A
What terms did you try when SEARCHING for a solution: Malware, attachments, print.scr
Write your message below:
I've recently been having an issue with someone having the ability to upload print.scr via an attachment; based on server logs they are gaining access by submitting a ticket. Steps I've taken so far:
-I've limited attachments to only (.gif,.jpg,.png,.doc,.docx,.xls,.xlsx,.txt,.pdf,.jpeg)
-Confirmed that I cannot submit an unapproved file type
-The only writeable locations are the attachments folder, the cache folder, and the settings file
Steps taken after the attack:
-Changed attachment folder name
-Verified all security permissions within IIS and Windows Server are correct
-I'm tempted to remove write access from settings.php and limit myself to only changing it via the local server environment.
Is there anything known right now that can be an issue? Anything which I am forgetting?
Edit: My hosting company was able to identify how they got in, via IIS FTP service; it seems Microsoft has a vulnerability to fix.
The IP address for everyone to block is 91.185.42.76
Thanks,
Tom
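As an added illustration of the allowlist step described in the post above (this is example code written for this page, not HESK's own upload filter and not the poster's configuration; Python is used instead of PHP so the logic is easy to run stand-alone): the extension list is the one from the post, and the directory layout in the demo is constructed here. It shows how the "final extension only" rule handles the cases a practitioner cares about (case, path components, trailing dots, dotfiles, embedded null bytes) and how the same rule doubles as a post-incident sweep that surfaces a file such as print.scr sitting in the attachments folder regardless of how it arrived:

```python
"""Attachment extension allowlist plus a sweep of an upload tree.

Added example for this thread, not HESK code. The extension list is the one
quoted in the post; the files created in demo() are constructed sample data.
"""
import os
import tempfile
from pathlib import Path

# Allowlist from the post, normalised to lowercase without the leading dot.
ALLOWED_EXTENSIONS = frozenset(
    ext.lstrip(".").lower()
    for ext in ".gif,.jpg,.png,.doc,.docx,.xls,.xlsx,.txt,.pdf,.jpeg".split(",")
)


def attachment_extension(filename: str) -> str:
    """Return the final extension of an upload name, lowercased, or '' if none.

    Only the basename is considered, so path components in a hostile name
    ('..\\..\\print.scr') never influence the decision. A trailing dot, a
    bare dotfile ('.htaccess') and a name containing a null byte all yield ''
    and are therefore rejected by the caller.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in base:  # null-byte truncation trick against C-based filters
        return ""
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or not ext:
        return ""
    return ext.lower()


def is_allowed_attachment(filename: str) -> bool:
    """Allowlist decision: the final extension must be in ALLOWED_EXTENSIONS."""
    return attachment_extension(filename) in ALLOWED_EXTENSIONS


def find_disallowed_files(root: str) -> list[str]:
    """Walk an upload tree and return relative paths whose extension is not allowed.

    Post-incident use: a file dropped by another route (for example over FTP)
    is not an allowed type, so it shows up here even though the web form's
    own filter was never involved.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_allowed_attachment(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def demo() -> list[str]:
    """Create a constructed attachments folder, sweep it, return the hit list."""
    with tempfile.TemporaryDirectory() as tmp:
        attachments = Path(tmp) / "attachments"
        attachments.mkdir()
        # Constructed sample files: two legitimate uploads, a mixed-case image,
        # a file with no extension, and the dropped screensaver binary.
        for name in ("report.pdf", "notes.txt", "logo.PNG", "README", "print.scr"):
            (attachments / name).write_bytes(b"")
        return find_disallowed_files(str(attachments))


if __name__ == "__main__":
    for path in demo():
        print("not in allowlist:", path)
```

The sweep only looks at names; it will not tell you what a file does, and it accepts anything whose last extension is on the list, so it is a cheap first pass rather than a substitute for checking file contents.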
Re: Malware Upload
There are no known security issues in Hesk.
I thought that might be the case. I've seen it happen before many times, and the malware then tries to hide itself within other files/scripts on the server to mislead researchers about the actual source of entry.
prostar190fan wrote (Wed Nov 29, 2017 2:46 am): Edit: My hosting company was able to identify how they got in, via IIS FTP service; it seems Microsoft has a vulnerability to fix.
Note that it probably is not an IIS bug, but a stolen FTP password. I would advise changing all your passwords and scanning your computers with up-to-date anti-virus software, as some trojans are known for stealing FTP passwords.
Klemen, creator of HESK and PHPJunkyard
Re: Malware Upload
Thanks, Klemen, for your response. Passwords have all been changed and another 4 characters added to everything. This is the first time that I've seen malware specifically target only the inetpub/wwwroot folder.
Every other attack I've seen has been files and junk everywhere
-Tom