Author Topic: [Possible Hack] Strange Redirect when viewing CWP->Log Viewer  (Read 4167 times)

[Possible Hack] Strange Redirect when viewing CWP->Log Viewer
« on: February 12, 2020, 09:00:58 AM »
I have a strange redirect when using File Management -> CWP Log Viewer.

When I select to see the error_log and the domain, my browser is redirecting me to this website: speakwithjohns.com and my antivirus is reporting it as fake support website.

I changed the browser and the same happens on other browsers.

Has anyone had this problem?

Re: [Possible Hack] Strange Redirect when viewing CWP->Log Viewer
« Reply #1 on: February 12, 2020, 10:17:23 AM »
Yep: hacked!
Suggest immediately change ssh port & root/mysql passwords.
Send a high priority Ticket to CWP, to get them to investigate.

Re: [Possible Hack] Strange Redirect when viewing CWP->Log Viewer
« Reply #2 on: February 12, 2020, 03:10:39 PM »
I think it is not hacked. I found the cause of the redirect.
I tried to isolate how many lines the script is displaying and found out that only one line of code is triggering the redirect.
And this is the one:
Code:
[Sun Feb 09 22:48:01.040796 2020] [:error] [pid 9480:tid 140047038756608] [client 154.50.0.79:44746] [client 154.50.0.79] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\btype\\\\b\\\\W+?\\\\b(?:text|application)\\\\b\\\\W+?\\\\b(?:(x-)?(?:java|vb|j|ecma)script)" at ARGS_POST:wp-piwik[tracking_code]. [file "/usr/local/apache/modsecurity-cwaf/rules/07_XSS_XSS.conf"] [line "53"] [id "212320"] [rev "3"] [msg "COMODO WAF: Cross-site Scripting (XSS) Attack||jservis.si|F|2"]  [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "XXXXXXX"] [uri "/"] [unique_id "XkB@ESt3VzbPwTziNKZfhgAAABI"]

Think that this is a security warning?
What do you think?
« Last Edit: February 26, 2020, 08:59:32 PM by Administrator »


Re: [Possible Hack] Strange Redirect when viewing CWP->Log Viewer
« Reply #5 on: February 12, 2020, 04:37:14 PM »
https://www.pluginvulnerabilities.com/2016/08/29/persistent-cross-site-scripting-xss-vulnerability-in-wp-piwik/
Well done @rcshaff. I couldn't be a$$ed pointing him in the right direction: another one that posts an error message without actually reading it..
Quote
ARGS_POST:wp-piwik[tracking_code]
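
An added example, not part of the thread and not CWP's code: a triage script for the situation described in Reply #2, which finds the log lines that carry browser-active markup and shows the HTML-escaped form a viewer should emit. It assumes the redirect comes from logged request data being written into the viewer's page unescaped; the sample lines and their `[data ...]` field are constructed, and only the rule id and variable name are taken from the line quoted in the thread.

```python
import html
import re

# Markup a browser acts on if a log line is written into a page unescaped.
ACTIVE_MARKUP = re.compile(
    r"<\s*(?:script|iframe|meta|img|svg|object|embed|form|base|link)\b"
    r"|\bon\w+\s*=|javascript\s*:",
    re.IGNORECASE,
)
# ModSecurity fields as they appear in the error_log line quoted in the thread.
RULE_ID = re.compile(r'\[id "(\d+)"\]')
MATCHED_VAR = re.compile(r" at ([A-Z_]+(?::\S+?)?)\. \[")

# Constructed sample lines (documentation IP, made-up [data] field).
SAMPLE_LOG = [
    "[Sun Feb 09 22:47:59 2020] [:error] [client 192.0.2.10] "
    "File does not exist: /home/example/public_html/favicon.ico",
    "[Sun Feb 09 22:48:01 2020] [:error] [client 192.0.2.10] ModSecurity: "
    'Access denied with code 403 (phase 2). Pattern match "..." at '
    'ARGS_POST:wp-piwik[tracking_code]. [id "212320"] '
    '[data "<script>/* constructed */</script>"] [uri "/"]',
]


def triage(lines):
    """Return one record per line whose raw text contains active markup."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hit = ACTIVE_MARKUP.search(line)
        if not hit:
            continue
        rule = RULE_ID.search(line)
        var = MATCHED_VAR.search(line)
        findings.append({
            "line": number,
            "markup": hit.group(0),
            "rule_id": rule.group(1) if rule else None,
            "variable": var.group(1) if var else None,
            # What a log viewer should emit instead of the raw line.
            "safe_html": html.escape(line.rstrip("\n"), quote=True),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['markup']!r} rule={f['rule_id']} var={f['variable']}")
        print("  render as:", f["safe_html"])
```

To check a real log, pass an open file object (opened with `errors="replace"`) to `triage()` from a shell session rather than reading the log through the panel.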