Malicious Activity POST requests

2 posts by 2 authors in: Forums > CMS Builder
Last Post: July 28, 2017

By Dave - July 28, 2017

Hi zaba, 

The underlying issue is likely that a malicious user (or more likely an automated script run by a malicious user) has found a way to create files on your server.  

This happens a lot on the internet and is most often caused by running popular out-of-date 3rd party software with known security vulnerabilities.  The more common a program, the more likely hackers have added the exploit signature to security scanners so they automatically check for it.

Alternatively, it could just be an unescaped MySQL value on a custom coded page.

Anyways, what you need to do is find the entry point.  One way to do that is check your logs for the IP of the person accessing the created file (visualblocks.php).  Since no one else would know about that file except the attacker, it should be easy to isolate their IP.  Then scan your logs for all the pages accessed by that IP and look for a possible entry point.  Several requests before visualblocks.php there would have been one where they created the file. 

One trick is to check the created/modified time on visualblocks.php.  That should match the date in the log files when the file was created and give you an idea where to look.  

Once you find the entry point you want to upgrade that script to the latest version (if it's a 3rd party script) or patch that file if it has a security vulnerability.

Hope that helps!

Dave Edis - Senior Developer
interactivetools.com
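
The log triage described in the post above, as an added example that is not part of the original post or any interactivetools.com code. It assumes an Apache/Nginx "combined" access log; the sample lines, IPs, paths other than visualblocks.php, the mtime and the function names are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in "combined" log format; IPs and paths other than
# visualblocks.php are made up for illustration.
SAMPLE_LOG = '''\
198.51.100.7 - - [27/Jul/2017:03:11:58 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [27/Jul/2017:03:12:01 +0000] "GET /old-plugin/readme.txt HTTP/1.1" 200 812 "-" "scanner"
203.0.113.45 - - [27/Jul/2017:03:12:04 +0000] "POST /old-plugin/upload.php HTTP/1.1" 200 31 "-" "scanner"
203.0.113.45 - - [27/Jul/2017:03:12:09 +0000] "POST /visualblocks.php HTTP/1.1" 200 14 "-" "scanner"
198.51.100.7 - - [27/Jul/2017:03:12:30 +0000] "POST /contact.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.45 - - [28/Jul/2017:10:40:17 +0000] "POST /visualblocks.php HTTP/1.1" 200 14 "-" "scanner"
'''
# Constructed mtime; on a real host use
# datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc).
SAMPLE_MTIME = datetime(2017, 7, 27, 3, 12, 4, tzinfo=timezone.utc)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(log_text):
    """Yield (ip, time, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, path, int(status)

def entry_candidates(log_text, dropped_name, mtime, window=timedelta(minutes=5)):
    """Return (suspect IPs, their earlier requests near the file's mtime)."""
    rows = list(parse(log_text))
    def is_drop(path):  # compare the basename, ignoring any query string
        return path.split("?")[0].rsplit("/", 1)[-1] == dropped_name
    first_hit = {}  # ip -> first time it requested the dropped file
    for ip, when, _, path, _ in rows:
        if is_drop(path):
            first_hit[ip] = min(when, first_hit.get(ip, when))
    hits = [r for r in rows
            if r[0] in first_hit and not is_drop(r[3])
            and r[1] <= first_hit[r[0]] and abs(r[1] - mtime) <= window]
    # Closest to the mtime first; state-changing methods ahead on ties.
    hits.sort(key=lambda r: (abs(r[1] - mtime), r[2] not in ("POST", "PUT")))
    return set(first_hit), hits

if __name__ == "__main__":
    ips, hits = entry_candidates(SAMPLE_LOG, "visualblocks.php", SAMPLE_MTIME)
    print("suspect IPs:", sorted(ips))
    for ip, when, method, path, status in hits:
        print(when.isoformat(), ip, method, path, status)
```

A file's modified time can be reset by whoever wrote it, so an mtime that matches nothing in the logs is inconclusive; widen `window` or drop the time filter and review every request from the suspect IPs.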