As you can see, it tries to download the payload from hxxp://192.144.150.188/images/abc/DL.php, save it as C:\Recycler\svchost.exe, and then execute it. I was given a “404 not found” error when I tried to access the download link. But the following links serving malware on this IP address are still accessible at the time of writing (thanks to David Maciejak for this information).

So a reasonable guess is that the PHP script is responsible for distributing this malware. Based on similar examples we regularly encounter, it is also possible that the intent of the PHP script is to download and run other riskware (such as cryptominers) hosted on the same fileserver/directory on the victim servers.

The IP address 192.144.150.188 belongs to a big cloud service provider in China. The web server on this IP address is badly maintained. Detailed debug information was returned when I accessed a non-existing page, for example hxxp://192.144.150.188/images/aaa.

I decided to stop there since this is not a very sophisticated attack.

Microsoft did not release a patch for vulnerability CVE-2017-7269. Instead, they have the following message posted on their support website: "IIS 7.0 significantly increases Web infrastructure security. We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008."

Fortinet customers still using IIS 6.0 are protected with the following IPS signature:

FortiGuard Labs will continue to monitor and track this vulnerability and provide updates once new information becomes available.