  1. #1
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,948

    Failed Directory Traversal Access Attempt in Client WHMCS Access Logs

    This snippet was sent over to me by a client this evening who is running a current, patched WHMCS instance. I don't know much more about what's been changed recently, as I'm still waiting on the green light to access their VM. The only other details they left in their ticket were that they aren't running the VTiger CRM, but they also claim the activity is new. I haven't come across any other instances of this elsewhere. Has this been seen by anyone else? I suppose I'm on heightened alert with WHMCS oddities, so I figured it wouldn't hurt to check while I'm waiting. Any chance this is a one-time thing? FF 3.0 (DE) agent string? I just wonder what someone's poking around for as a whole...


    PHP Code:
    190.145.23.28 - - [14/Oct/2013:18:25:58 -0700] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/elastix.conf%00&module=Accounts&action HTTP/1.1" 404 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0"
    Last edited by Technolojesus; 10-14-2013 at 11:53 PM.
    | John Edel Jetfire Networks L.L.C. Trusted Hosting Solutions
    | Consistent, Reliable, Stable OpenVZ & KVM Virtual Private Servers
    | SpamWall AV & Full SMTP Filtering
    Now an SSLStore Titanium Partner!

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Doesn't look like it's WHMCS related at all, but instead some kind of automated scanning.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    Apr 2005
    Posts
    1,711
    Looks like a random exploit bot looking for vulnerable vTiger installs. Specifically, it looks like they're trying to exploit an LFI (Local File Inclusion) vulnerability in the 'current_language' param of graph.php. It also looks like the exploit didn't work because there's no vTiger. This is a very old exploit too (http://www.osvdb.org/show/osvdb/69384)
    Zach E. - Kualo www.kualo.com
    Shared Web Hosting, Reseller Hosting, Cloud VPS & Dedicated Servers
    UK: 0800 138 3235 ❘ USA: 1-800-995-8256

  4. #4
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,948
    Odd. That's quite interesting to see such an old exploit. Should be a fun audit in the morning. Thanks for the input everyone.

  5. #5
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    Indeed, this looks like it's very old and likely from a scanner; if you look at the log too, it didn't work, as they got a 404.
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: [email protected]
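
Added example, not part of any post in this thread: a small access-log triage script that applies the two checks the replies make by eye, flagging query parameters that carry directory traversal or a null byte, then sorting hits by response status. The sample lines are constructed (documentation-range addresses, no response-size field, as in the quoted entry), and the verdict labels are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines shaped like the entry quoted in the thread;
# the addresses are documentation ranges, not real sources.
SAMPLE_LOG = '''\
198.51.100.7 - - [14/Oct/2013:18:25:58 -0700] "GET /vtigercrm/graph.php?current_language=../../../../etc/elastix.conf%00&module=Accounts&action HTTP/1.1" 404 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Oct/2013:18:26:10 -0700] "GET /clientarea.php?action=details HTTP/1.1" 200 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2013:18:26:31 -0700] "GET /index.php?page=%252e%252e%252fsecret.txt HTTP/1.1" 200 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
DOTDOT_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def classify(status):
    """Triage by status code, the way the replies read the 404."""
    if status == 404:
        return "probe-missed"   # the targeted script is not on this host
    if 200 <= status < 300:
        return "review"         # request was served; inspect that handler
    return "rejected"           # redirect, 403, 5xx and similar

def scan(log_text):
    """Return (ip, path, param, indicators, verdict) per suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        # parse_qsl percent-decodes once; keep valueless keys such as "action"
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)  # second pass catches double encoding
            indicators = []
            if DOTDOT_RE.search(value):
                indicators.append("traversal")
            if "\x00" in value:
                indicators.append("null-byte")
            if indicators:
                findings.append((ip, parts.path, name, indicators, classify(status)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "review" verdict only means the request reached a script that exists; whether the parameter was honoured has to be checked in that script.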
