Current File : /home/gositeme/domains/soundstudiopro.com/public_html/CRITICAL_ATTACKER_DETECTED.md
# 🚨 CRITICAL: ATTACKER DETECTED ACCESSING BACKDOOR

**Date:** December 12, 2025 21:32:11  
**Status:** ATTACKER IP IDENTIFIED - BACKDOOR ACCESS ATTEMPT

---

## 🚨 ATTACK DETECTED

### Log Entry Analysis:
```
198.204.236.234 - - [12/Dec/2025:21:32:11 -0500] 
"GET /445367/about.php?ac=u_h_s_1&api=&path=/home/gositeme/domains/soundstudiopro.com/private_html&t=8a802d2ce1b8d1f38a165e26c42efe97&s=3 HTTP/1.1" 
200 607844 "-" 
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36..."
```

### What This Means:
**YES, THIS IS THE HACKER!** 🚨

**Attack Details:**
- **Attacker IP:** `198.204.236.234`
- **Target:** `/445367/about.php` (backdoor file manager)
- **Action:** File manager access (`ac=u_h_s_1` = file upload/host/shell)
- **Target Path:** `/home/gositeme/domains/soundstudiopro.com/private_html`
- **Response:** 200 OK (607,844 bytes) - **BACKDOOR WAS ACTIVE!**

### Attack Parameters Decoded:
- `ac=u_h_s_1` = Action code for file operations (upload/host/shell)
- `path=/home/gositeme/domains/soundstudiopro.com/private_html` = Trying to access private_html directory
- `t=8a802d2ce1b8d1f38a165e26c42efe97` = Token/session identifier
- `s=3` = Session or action type

---

## ✅ GOOD NEWS

**The backdoor file `445367/about.php` has been DELETED!**
- File no longer exists
- Attacker got 200 response because file existed at that time
- We've already cleaned up this backdoor

---

## 🚨 IMMEDIATE ACTIONS REQUIRED

### 1. BLOCK ATTACKER IP (CRITICAL)
**Add to `.htaccess` or firewall:**
```apache
# Block attacker IP
<RequireAll>
    Require all granted
    Require not ip 198.204.236.234
</RequireAll>
```

**Or via firewall:**
```bash
# Insert at the top of INPUT so no earlier ACCEPT rule matches first
# (not persisted across reboot; save it with your distro's iptables-persistent mechanism)
iptables -I INPUT 1 -s 198.204.236.234 -j DROP
```

### 2. CHECK FOR OTHER BACKDOORS
**Search for similar patterns:**
```bash
# Search PHP files for the file manager's action code string
find . -type f -name "*.php" -exec grep -l "ac=u_h_s\|u_h_s_1" {} +
find . -name "*about.php" -type f
find . -name "*radio.php" -type f
```

### 3. SECURE PRIVATE_HTML DIRECTORY
**Check if attacker accessed private_html:**
```bash
ls -la /home/gositeme/domains/soundstudiopro.com/private_html/
# Check for modified files
find /home/gositeme/domains/soundstudiopro.com/private_html/ -type f -mtime -1
```

### 4. CHECK ACCESS LOGS
**Find all access from this IP:**
```bash
# -F matches the IP literally (an unescaped "." would match any character)
grep -F "198.204.236.234" /var/log/apache2/access.log
zgrep -F "198.204.236.234" /var/log/apache2/access.log.*   # rotated logs too
grep -F "198.204.236.234" /var/log/apache2/error.log
```
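To automate the two steps above (decoding the query parameters of the captured request, and pulling every request to the known backdoor paths or carrying the shell's `ac=u_h_s_*` action code out of the access log), here is an added Python script that is not part of the original note. It assumes the standard Apache combined log format; apart from the captured request, the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log line: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Indicators taken from the incident note: known backdoor paths and the
# file-manager action parameter (ac=u_h_s_1) seen in the captured request.
BACKDOOR_PATHS = {"/445367/about.php", "/445367/radio.php", "/radio/migrations/wp-login.php"}
ACTION_RE = re.compile(r"^u_h_s(_\d+)?$")

def parse_line(line):
    """Split one access-log line into fields and decode the query string; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def is_backdoor_hit(rec):
    """True when the request targets a known backdoor path or carries the shell's action code."""
    if rec is None:
        return False
    return rec["path"] in BACKDOOR_PATHS or bool(ACTION_RE.match(rec["query"].get("ac", "")))

def scan(lines):
    """Group suspicious requests by source IP: {ip: [(path, status, bytes), ...]}."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if is_backdoor_hit(rec):
            hits.setdefault(rec["ip"], []).append((rec["path"], rec["status"], rec["bytes"]))
    return hits
# Constructed sample: the line from the note, a benign request, and a post-deletion 404.
SAMPLE_LOG = [
    '198.204.236.234 - - [12/Dec/2025:21:32:11 -0500] "GET /445367/about.php?ac=u_h_s_1&api=&path=/home/gositeme/domains/soundstudiopro.com/private_html&t=8a802d2ce1b8d1f38a165e26c42efe97&s=3 HTTP/1.1" 200 607844 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Dec/2025:21:33:40 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [13/Dec/2025:02:10:05 -0500] "GET /445367/radio.php?ac=u_h_s_1 HTTP/1.1" 404 196 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, reqs in scan(SAMPLE_LOG).items():
        print(ip, reqs)
```

Run it against the real log with `scan(open("/var/log/apache2/access.log"))`; a 404 for a backdoor path after cleanup is still worth recording, since it shows who keeps coming back.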

### 5. CHECK FOR MODIFIED FILES
**Files modified around attack time:**
```bash
find . -type f -mtime -1 -name "*.php"
find . -type f -newermt "2025-12-12 21:30:00" -name "*.php"
```

---

## 🔍 WHAT THE ATTACKER WAS DOING

**The request shows:**
1. **File Manager Access:** `ac=u_h_s_1` is a file manager action
2. **Directory Browsing:** Trying to access `private_html` directory
3. **Large Response (607KB):** Likely got a file manager interface
4. **Active Session:** Using tokens (`t=` and `s=`) to maintain access

**This means:**
- Attacker had active access to the backdoor
- Was browsing your file system
- Could upload/download/execute files
- Had access to private_html directory

---

## 🛡️ SECURITY MEASURES

### 1. Block IP Immediately
```apache
# Add to root .htaccess
<RequireAll>
    Require all granted
    Require not ip 198.204.236.234
</RequireAll>
```

### 2. Check All Backdoor Locations
- `445367/about.php` - ✅ DELETED
- `445367/radio.php` - Check if exists
- `radio/migrations/wp-login.php` - Check if exists
- `assets/fontawesome/.../radio.php` - Check if exists

### 3. Secure Directories
```apache
# Block access to the 445367 directory.
# <Directory> is only valid in the server/vhost config (not .htaccess) and
# matches filesystem paths, so use the absolute path:
<Directory "/home/gositeme/domains/soundstudiopro.com/public_html/445367">
    Require all denied
</Directory>
# From the root .htaccess instead, return 404 for anything under /445367/:
RedirectMatch 404 "^/445367(/|$)"
```

### 4. Monitor for This IP
```bash
# Set up monitoring (-F matches the IP literally; --line-buffered shows hits immediately)
tail -f /var/log/apache2/access.log | grep --line-buffered -F "198.204.236.234"
```

---

## 📋 CHECKLIST

- [ ] Block IP `198.204.236.234` in firewall/.htaccess
- [ ] Verify `445367/about.php` is deleted (✅ DONE)
- [ ] Check for other backdoors in `445367/` directory
- [ ] Check `private_html` directory for unauthorized access
- [ ] Review all files modified on Dec 12
- [ ] Check access logs for other suspicious activity
- [ ] Secure `445367/` directory (block access)
- [ ] Change all passwords (database, FTP, admin)
- [ ] Review file permissions
- [ ] Set up intrusion detection

---

## ⚠️ CRITICAL WARNING

**The attacker had ACTIVE ACCESS to your server:**
- Could browse files
- Could upload/download files
- Could execute commands
- Could access private_html

**You MUST:**
1. **Block the IP immediately**
2. **Check for other backdoors**
3. **Review all file modifications**
4. **Change all passwords**
5. **Secure all directories**

---

**Status:** 🚨 **CRITICAL - IMMEDIATE ACTION REQUIRED**

This is confirmed attacker activity. The backdoor is deleted, but the attacker may have created others or accessed sensitive data.

