
jacksun

My website was attacked a couple of weeks ago. Fortunately, I have an antivirus that intercepted and prevented anything that might have caused harm. However, I really want to figure it out and maybe get it fixed ASAP.

OctoberCMS v1.1.9

  1. My antivirus notified me of the virus detection below. The uploaded malicious /tmp/phpb7yli file was immediately quarantined while it was still in the PHP tmp folder.

Backdoor.Java.WEBSHELL.SMC

  2. I've traced it down in the Apache access_log file, and I believe it was this request from a suspect IP address. However, I have no idea about this route; it should be a 404 response instead of 500. I've tested it myself and confirmed it IS 404.

[23/Jan/2022:14:41:50 +0800] "POST /defaultroot/upload/fileUpload.controller HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"

  3. The following error is from the Apache error_log file at the same time. I think this "file not found" error is because the malicious /tmp/phpb7y1i1 was quarantined by the antivirus.

PHP Fatal error: Uncaught Symfony\Component\HttpFoundation\File\Exception\FileNotFoundException: The file "/tmp/phpb7y1i1" does not exist in /home/www/htdocs/thesite/vendor/symfony/http-foundation/File/File.php:36\nStack trace:\n#0 /home/www/htdocs/thesite/vendor/symfony/http-foundation/File/UploadedFile.php(77): Symfony\Component\HttpFoundation\File\File->construct('/tmp/phpb7y1i1', true)\n#1 /home/www/htdocs/thesite/vendor/symfony/http-foundation/FileBag.php(86): Symfony\Component\HttpFoundation\File\UploadedFile->construct('/tmp/phpb7y1i1', 'aa.jsp', 'application/oct...', 0, false)\n#2 /home/www/htdocs/thesite/vendor/symfony/http-foundation/FileBag.php(52): Symfony\Component\HttpFoundation\FileBag->convertFileInformation(Array)\n#3 /home/www/htdocs/thesite/vendor/symfony/http-foundation/FileBag.php(61): Symfony\Component\HttpFoundation\FileBag->set('file', Array)\n#4 /home/www/htdocs/thesite/vendor/symfony/http-foundation/FileBag.php(40): Symfony\Component\HttpFoundation\FileBag->add(Array)\n#5 /home/www/htd in /home/www/htdocs/thesite/vendor/symfony/http-foundation/File/File.php on line 36

My question is: how was this malicious file uploaded via an unknown endpoint that doesn't exist at all?


jacksun

OK, guys. I've figured it out. It turns out to be the PHP upload mechanism.

When a client makes an HTTP POST request to ANY URL using form-data to send a file to the server, PHP stores this file in the temporary directory, for example /tmp/phpb7yli. The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed. This is by design.

The problem was simply that the antivirus detected the malicious temporary file and quarantined it immediately. That's basically what happened, for your reference.

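The correlation jacksun did by hand between the access_log request and the error_log trace, as an added Python example that is not part of the thread: it parses both log formats, recovers the PHP temp path and the client-supplied filename from the Symfony trace, and raises an alert when a POST carried a script-type file. The sample lines are constructed from the excerpts quoted in the posts, and the extension list is an assumption.

```python
import re

# Constructed sample lines, modelled on the two log excerpts quoted in the thread.
ACCESS_LINE = (
    '[23/Jan/2022:14:41:50 +0800] "POST /defaultroot/upload/fileUpload.controller HTTP/1.1" '
    '500 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"'
)
ERROR_LINE = (
    "PHP Fatal error: Uncaught Symfony\\Component\\HttpFoundation\\File\\Exception\\"
    'FileNotFoundException: The file "/tmp/phpb7y1i1" does not exist in '
    "/home/www/htdocs/thesite/vendor/symfony/http-foundation/File/File.php:36\\nStack trace:\\n"
    "#1 /home/www/htdocs/thesite/vendor/symfony/http-foundation/FileBag.php(86): "
    "Symfony\\Component\\HttpFoundation\\File\\UploadedFile->__construct("
    "'/tmp/phpb7y1i1', 'aa.jsp', 'application/oct...', 0, false)"
)

ACCESS_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
MISSING_RE = re.compile(r'The file "(?P<tmp>[^"]+)" does not exist')
# Forum rendering may strip the underscores from __construct, so accept both spellings.
UPLOAD_RE = re.compile(r"UploadedFile->(?:__)?construct\('(?P<tmp>[^']+)', '(?P<name>[^']+)', '(?P<mime>[^']*)'")
# Assumed list of extensions a server-side script would carry; a .jsp on a PHP host still deserves an alert.
SCRIPT_EXTENSIONS = {"php", "phtml", "phar", "jsp", "jspx", "asp", "aspx", "cgi"}

def parse_access(line):
    """Timestamp, method, path and numeric status from a combined-format access_log line."""
    m = ACCESS_RE.search(line)
    return None if m is None else {**m.groupdict(), "status": int(m.group("status"))}

def parse_upload_error(line):
    """PHP temp path, client-supplied filename and MIME type from the Symfony UploadedFile trace."""
    upload = UPLOAD_RE.search(line)
    if upload is None:
        return None
    info = upload.groupdict()
    missing = MISSING_RE.search(line)
    # PHP deletes the temp file itself only at the end of the request; if it is already gone
    # while the request is still running, something else (here: the antivirus) removed it.
    info["tmp_missing_mid_request"] = missing is not None and missing.group("tmp") == info["tmp"]
    return info

def correlate(access_line, error_line):
    """Combine both records and decide whether the upload deserves an alert."""
    req = parse_access(access_line)
    up = parse_upload_error(error_line)
    if req is None or up is None:
        return None
    ext = up["name"].rsplit(".", 1)[-1].lower() if "." in up["name"] else ""
    return {**req, **up, "script_upload": ext in SCRIPT_EXTENSIONS,
            "alert": req["method"] == "POST" and ext in SCRIPT_EXTENSIONS}
```

The alert does not depend on the route existing: as the thread explains, PHP writes the temp file for a multipart POST to any URL, so the 404/500 status of the path is not what to key on.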

daftspunky

Thanks for the update. Glad to hear you got it sorted!

