Malware Upload
Posted: Wed Nov 29, 2017 2:46 am
Script URL: service.buehler.com
Version of script: 2.7.5
Hosting company: SoftSys Hosting
URL of phpinfo.php: N/A
URL of session_test.php: N/A
What terms did you try when SEARCHING for a solution: Malware, attachments, print.scr
Write your message below:
I've recently been having an issue with someone having the ability to upload print.scr via an attachment; based on server logs they are gaining access by submitting a ticket. Steps I've taken so far:
- I've limited attachments to only (.gif,.jpg,.png,.doc,.docx,.xls,.xlsx,.txt,.pdf,.jpeg)
- Confirmed that I cannot submit an unapproved file type
- The only writeable files are the attachments, the cache, and the settings file
Steps taken after the attack:
- Changed attachment folder name
- Verified all security permissions within IIS and Windows Server are correct
- I'm tempted to remove write access from settings.php and limit myself to only changing it via the local server environment.
Is there anything known right now that can be an issue? Anything which I am forgetting?
Edit: My hosting company was able to identify how they got in, via IIS FTP service; it seems Microsoft has a vulnerability to fix.
The IP address for everyone to block is 91.185.42.76
Thanks,
Tom
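The extension allow-list described in the post, written out as a standalone check. This is an added example, not the helpdesk script's own code: it uses the post's allow-list, rejects the `print.scr` name from the post, and also refuses names that Windows or IIS would quietly rewrite into something else (trailing dots or spaces, path separators, double extensions).

```php
<?php
// Added example (not the helpdesk script's code): decide whether an uploaded
// attachment name is acceptable, using the allow-list from the post.

// The allow-list from the post, normalised to lower case.
const ALLOWED_EXTENSIONS = ['gif', 'jpg', 'png', 'doc', 'docx', 'xls', 'xlsx', 'txt', 'pdf', 'jpeg'];

/**
 * Return true only if $filename is safe to store as an attachment:
 *  - no path separators or NUL bytes (nothing may leave the attachments folder)
 *  - no trailing dots or spaces (Windows strips them, so "print.scr." becomes print.scr)
 *  - exactly one extension, and it is on the allow-list (case-insensitive)
 * The single-extension rule is deliberately strict: "image.jpg.scr" is rejected.
 */
function attachment_name_allowed(string $filename): bool
{
    if ($filename === '' || strpbrk($filename, "/\\\0") !== false) {
        return false;
    }
    if (rtrim($filename, ". ") !== $filename) {
        return false;
    }
    $parts = explode('.', $filename);
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;   // no extension, a hidden-file name, or more than one extension
    }
    return in_array(strtolower($parts[1]), ALLOWED_EXTENSIONS, true);
}

// Constructed sample names; print.scr is the one reported in the post.
$samples = ['print.scr', 'invoice.PDF', 'photo.jpg.scr', 'report.docx',
            '..\\settings.php', 'notes.txt.', '.htaccess'];
foreach ($samples as $name) {
    printf("%-18s %s\n", $name, attachment_name_allowed($name) ? 'allowed' : 'rejected');
}
```

A name check only controls what gets stored, not what the web server will do with it, so it belongs alongside the IIS permission review the post describes: the attachments folder should have no script execution rights.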