Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#6791 closed Bug/Something is broken (fixed)

mx1 site compromise

Reported by: Owned by:
Priority: Urgent Component: Tech
Keywords: Cc:
Sensitive: no

Description (last modified by

We received an email reporting that a process on mx1 is making remote requests to another server, which suggests a site on mx1 is compromised.

The snippet from the remote server's log that was provided to us is:

[Tue Jan 22 12:31:03 2013] [error] [client] script 'C:/xampp/vhosts/' not found or unable to stat

Change History (7)

comment:1 Changed 6 years ago by

  • Description modified (diff)

comment:2 Changed 6 years ago by

I'm not sure how to debug in this direction (since we don't have log files of requests going out of the server).

Some ideas...

  • Turn off apache and see if any php processes (or any suspicious looking processes) are still running
  • grep recursively for wegh.php in /tmp/ and /var/www/virtual

comment:3 Changed 6 years ago by

  • Owner set to
  • Status changed from new to assigned

Just received this hint from Alan by mail. Thanks Alan.

If it helps at all, this article explains how our server was compromised:

- Al
Alan Gilson, CISSP
Chief Technology Officer
OTC Group of Companies

I'm checking right now, based on his suggested article.

comment:4 Changed 6 years ago by

  • Sensitive set

We are still having trouble identifying the site that is responsible.

We added an iptables rule that will log all OUTPUT requests to port 80, however, there seems to be many legitimate requests.

We also found the reference to the com_jce vulnerability that seems to be the compromise of Alan's site.

We identified several sites using this component. I'm listing them below and marking this ticket as sensitive until they can be patched:



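The two investigation steps in this thread (comment 2's sweep for wegh.php under /tmp and /var/www/virtual, and comment 4's iptables OUTPUT logging that drowned in legitimate port-80 traffic) can be made more useful by attributing each logged connection to the system user that made it. The script below is an added example, not from the ticket or from MFPL's own tooling. It assumes the LOG rule is created with iptables' `--log-uid` option (so each line carries `UID=`), that each vhost runs PHP as its own system user (an assumption about the vhcs setup, not stated in the ticket), and it uses a constructed sample of kernel log lines; the hostnames, addresses and UIDs in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the ticket): attribute outbound port-80 connections
# to the local user that opened them, then sweep web roots for a file name.
#
# Assumed logging rule, run as root on the host (not quoted from the ticket):
#   iptables -I OUTPUT -p tcp --dport 80 -m state --state NEW \
#            -j LOG --log-prefix "OUT80 " --log-uid
# With --log-uid every logged packet carries "UID=<n> GID=<n>", so connections
# can be grouped per vhost user instead of per destination only.

# Constructed sample of what that rule writes to the kernel log.
SAMPLE_LOG='Jan 22 12:31:01 mx1 kernel: OUT80 IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=80 UID=1003 GID=1003
Jan 22 12:31:02 mx1 kernel: OUT80 IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=51235 DPT=80 UID=1001 GID=1001
Jan 22 12:31:03 mx1 kernel: OUT80 IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51236 DPT=80 UID=1003 GID=1003
Jan 22 12:31:05 mx1 kernel: OUT80 IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51237 DPT=80 UID=1003 GID=1003
Jan 22 12:31:09 mx1 kernel: OUT80 IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=51238 DPT=80 UID=0 GID=0'

# Read log lines on stdin; print "count uid destination", busiest pair first.
# A single vhost user hammering one remote host stands out from the
# background of legitimate requests spread across many users and hosts.
outbound_by_uid_dst() {
    grep 'OUT80 ' \
        | sed -n 's/.*DST=\([^ ]*\).*UID=\([0-9]*\).*/\2 \1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2, $3}'
}

# The UID responsible for the most frequent (uid, destination) pair.
top_outbound_uid() {
    outbound_by_uid_dst | head -n 1 | awk '{print $2}'
}

# Map a UID back to a login and home directory; with per-site users the home
# directory names the vhost (assumption about the vhcs layout). Prints
# "unknown" when the UID does not exist on this machine.
uid_to_vhost() {
    getent passwd "$1" 2>/dev/null | cut -d: -f1,6 || true
    getent passwd "$1" >/dev/null 2>&1 || echo unknown
}

# Comment 2's sweep: look for a given file name under the given directories
# (the ticket suggests /tmp and /var/www/virtual). Prints matching paths.
sweep_for_file() {
    name=$1
    shift
    find "$@" -type f -name "$name" 2>/dev/null
}

# Demonstration against the constructed sample; run with "--demo".
# Real use: journalctl -k | outbound_by_uid_dst   (or read /var/log/kern.log)
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | outbound_by_uid_dst
    uid=$(printf '%s\n' "$SAMPLE_LOG" | top_outbound_uid)
    echo "most active uid: $uid -> $(uid_to_vhost "$uid")"
    sweep_for_file wegh.php /tmp /var/www/virtual
fi
```

On the sample the top line is `3 1003 198.51.100.5`, i.e. the user with UID 1003 opened three connections to one host; on the real machine that UID's home directory points at the vhost to inspect, and the sweep then narrows the search for the dropped file to that site's directory.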
comment:5 Changed 6 years ago by

These sites were disabled from the vhcs control panel:


These Joomla installations have the com_jce component upgraded now:


Hoping this will make it.

comment:6 Changed 6 years ago by

  • Resolution set to fixed
  • Status changed from assigned to closed

I got in touch with to explain what MFPL is; need to follow up with them, perhaps they will be joining as members one of these days. Closing this ticket now.

Thanks Jamie


comment:7 Changed 6 years ago by

  • Sensitive unset
