I have an ionCube-encoded script that's been working for a year, and I update it frequently, but recently I found my site is not loading and I have the logs below in the Apache error_log:

[Mon Oct 24 22:40:56.679184 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] *   Trying IPV4.OF.NEXT.LINE.SITE:80..., referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.680755 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] * Connected to notification.somesite.com (IPV4.OF.NEXT.LINE.SITE) port 80 (#0), referer: https://support.mywebsite.com 
[Mon Oct 24 22:40:56.680858 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] > GET /price/moneyPrice.php HTTP/1.1\r, referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.681026 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] Host: notification.somesite.com\r, referer: https://support.mywebsite.com 
[Mon Oct 24 22:40:56.681403 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)\r, referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.681569 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] Accept: */*\r, referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.681691 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] \r, referer: https://support.mywebsite.com   
[Mon Oct 24 22:40:56.682755 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] * , referer: https://support.mywebsite.com   
[Mon Oct 24 22:40:56.682947 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] Mark bundle as not supporting multiuse, referer: https://support.mywebsite.com   
[Mon Oct 24 22:40:56.683110 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] < , referer: https://support.mywebsite.com   
[Mon Oct 24 22:40:56.683272 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] HTTP/1.1 200 OK\r, referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.683385 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] < , referer: https://support.mywebsite.com   
[Mon Oct 24 22:40:56.683904 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] Date: Mon, 24 Oct 2022 19:10:47 GMT\r, referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.684081 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] < , referer: https://support.mywebsite.com   
[Mon Oct 24 22:40:56.684264 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] Content-Type: application/json\r, referer: https://support.mywebsite.com 
[Mon Oct 24 22:40:56.684460 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] < , referer: https://support.mywebsite.com   
[Mon Oct 24 22:40:56.684662 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] Vary: Accept-Encoding\r, referer: https://support.mywebsite.com  
[Mon Oct 24 22:40:56.684778 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] < , referer: https://support.mywebsite.com   
[Mon Oct 24 22:40:56.684887 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] Age: 9\r, referer: https://support.mywebsite.com 
[Mon Oct 24 22:40:56.685075 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] < , referer: https://support.mywebsite.com   
[Mon Oct 24 22:40:56.685249 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] via: Columbus-0.1-af5-g1\r, referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.685357 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] < , referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.685494 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] Server: HayoolaServe\r, referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.685644 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] < , referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.685783 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] Transfer-Encoding: chunked\r, referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.685889 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] < , referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.686060 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] Connection: keep-alive\r, referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.686175 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] < , referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.686304 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] Accept-Ranges: bytes\r, referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.686425 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] < , referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.686547 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] \r, referer: https://support.mywebsite.com
[Mon Oct 24 22:40:56.686694 2022] [:error] [pid 2787778:tid 23404119791360] [client CLIENTS.IPv4:48882] * , referer: https://support.mywebsite.com

I checked all files and none of them have been touched recently.

I also checked the index.php and login.php files and see nothing except the original contents. The website it's trying to telnet and connect to is not mine and I do not know it.

I also added notification.site to /etc/hosts pointing to 127.0.0.1 and also 192.168.1.1 to deny the requests, but it still takes time to load.

I also added the site's IP to the firewall blacklist, both incoming and outgoing, but nothing changed.

I also replaced all files again, but when I click on the login button or try to load my support site, it takes a long time to load, and no other errors exist in any files.

Could you help me find which file is probably malicious? I do have root access.

The OS is CentOS 7.
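The trace in the error_log is libcurl's verbose output, so one way to narrow down which file is making the outbound request is to scan the web root for the indicators that appear in the log and for code that switches curl into verbose mode. The script below is an added example, not code from the question or its comments; it assumes the web root is passed as the first argument and reuses only the hostname and request path visible in the log above.

```shell
#!/bin/sh
# Added example, not code from the question or its comments. It assumes the web
# root is given as $1; the two indicators are copied from the error_log excerpt.
IOC_HOST="notification.somesite.com"
IOC_PATH="/price/moneyPrice.php"

# scan_webroot DIR: print one "tag<TAB>file" line per file worth inspecting.
scan_webroot() {
    dir="$1"
    # 1. Any file that embeds the hostname or request path from the log. -a
    #    treats binary files as text, so ionCube-encoded files are not skipped.
    grep -rlaF -e "$IOC_HOST" -e "$IOC_PATH" "$dir" 2>/dev/null |
        awk '{ print "ioc-string\t" $0 }'
    # 2. PHP code that enables CURLOPT_VERBOSE. That option makes libcurl write
    #    the "* Trying ..." / "> GET ..." trace to stderr, which Apache captures
    #    into error_log; it is rarely left switched on in production code.
    grep -rlE --include='*.php' \
        'CURLOPT_VERBOSE[[:space:]]*,[[:space:]]*(true|1)' "$dir" 2>/dev/null |
        awk '{ print "curl-verbose\t" $0 }'
    # 3. Files whose inode change time (ctime) is within the last 7 days.
    #    "Not modified recently" usually means mtime, and mtime can be reset
    #    with touch; ctime cannot, so this is the timestamp to trust.
    find "$dir" -type f -ctime -7 2>/dev/null |
        awk '{ print "recent-ctime\t" $0 }'
}

# Usage: sh scan_webroot.sh /var/www/html
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    scan_webroot "$1"
fi
```

Any file tagged curl-verbose or ioc-string is a candidate to compare against a known-good copy of the application; the recent-ctime list catches files whose mtime was backdated.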

  • Those logs look like a pretty typical HTTP connection like you might get from curl rather than telnet, so maybe some web service is failing. You did not include the actual error portion of it though, so it's hard to tell. It may be time to wipe and reinstall the OS though if it looks like traffic is being redirected to an unknown third party.
    – Cpt.Whale
    Commented Oct 24, 2022 at 19:48
  • @Cpt.Whale that's all the error, that's not a portion of it. Also I know the modules I installed and the web services the script uses, and that IP and website are not ones it uses.
    – Saeed
    Commented Oct 24, 2022 at 19:52
  • Where is it saying that telnet is involved? I am not able to see it in the logs. Is this yours https://support.mywebsite.com? Check the access log too. Was the latest update to ioncube buggy? Check by going back to the previous version.
    – Prem
    Commented Oct 24, 2022 at 19:53
  • @Prem I presumed it's like telnet logs, maybe I'm wrong. Yes, that's the error when I visit support.mywebsite.com. Access log has nothing to mention, just my logs to the server. Yes, ioncube is updated. I reverted it back to previous versions but nothing changed.
    – Saeed
    Commented Oct 24, 2022 at 20:20
  • @Prem no, the last update of ioncube was successful with no errors
    – Saeed
    Commented Oct 24, 2022 at 20:36
