
Hacked / exploited Apache with Wordpress


sbarmen

May 15, 2012, 12:34:58 PM
Not sure where to turn so I try to post this question here :)

I know that my web server has been exploited and someone/some software still tries to continue the exploit, but my investigations into what is actually going on have come to a halt.

What I know is that the perp/software is on IP 95.65.31.32 and they are sending an HTTP POST to the root of my web site. Here is the log from Apache:

95.65.31.32 - - [15/May/2012:16:27:15 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:28:50 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:28:51 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:30:08 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:30:09 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:30:27 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:30:27 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:31:01 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:31:01 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:36:59 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"


Also I have installed mod_dumpio to get more details, but the only thing I see is a data HEAP being posted to the server, and I cannot for love nor money understand how the posted data gets converted to an email. Here is a snippet from my dumpio:

http://pastebin.com/kZLSNP57

You can see at the end it exits with a sendmail statement. This now fails since I have pointed my sSMTP to a relay that requires SSL and user/password just to stop the spam from routing. I do also have a dump of one of the emails it keeps sending, but I am not sure that helps.

Now I do not know what to do next. I tried decoding the POST data but keep ending up with gibberish. It seems it uploads a file of some sort, so it does not make any sense to me.

WordPress has been upgraded to the latest version and all plugins are updated; also I updated Apache to 2.2.22 etc. I do think I have closed all holes but still there is something going on... I was kinda hoping to find that there was a file it kept posting to so I could remove that file, but right now it feels a little like locating the needle in the haystack.

Of course I can just drop the source IP data, but if I am exposed I would really like to know ... :|

If anyone could help, please say so! Thanks :D

Best regards
Stian
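As an added example (not part of the original post or any reply), here is a small Python script that parses Apache combined-format access-log lines like the ones quoted above, groups POST requests to the site root by client IP, and flags clients that hammer one path and only ever get a couple of distinct tiny responses back. The sample input is the log excerpt from the post; the flagging thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" LogFormat, the format of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Sample input: the access-log lines quoted in the original post.
SAMPLE_LOG = """\
95.65.31.32 - - [15/May/2012:16:27:15 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:28:50 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:28:51 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:30:08 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:30:09 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:30:27 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:30:27 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:31:01 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:31:01 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:36:59 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
"""


def parse_line(line):
    """Return the named fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize_posts(log_text, path="/"):
    """Group POST requests to `path` by client IP: request count, histogram of
    response sizes, first/last timestamp and the User-Agent strings seen."""
    per_ip = defaultdict(lambda: {"count": 0, "sizes": Counter(),
                                  "first": None, "last": None, "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        s = per_ip[rec["ip"]]
        s["count"] += 1
        s["sizes"][rec["size"]] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        s["agents"].add(rec["ua"])
    return dict(per_ip)


def flag_repetitive_posters(summary, min_count=5, max_distinct_sizes=2):
    """Heuristic (assumed thresholds): an IP that POSTs to the same path many
    times and only ever receives a couple of distinct tiny responses is an
    automated client talking to a script, not a person submitting a form."""
    return sorted(ip for ip, s in summary.items()
                  if s["count"] >= min_count and len(s["sizes"]) <= max_distinct_sizes)


if __name__ == "__main__":
    summary = summarize_posts(SAMPLE_LOG)
    for ip in flag_repetitive_posters(summary):
        s = summary[ip]
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{ip}: {s['count']} x POST / in {span:.0f}s, "
              f"response sizes {dict(s['sizes'])}, {len(s['agents'])} user-agent(s)")
```

Run against a real access log, the same summary makes the pattern in the post visible at a glance: every response is either 11 or 32 bytes, which is the size of a script's status reply rather than of a rendered page, and that is what makes the request worth tracing with mod_dumpio in the first place.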

patpro ~ patrick proniewski

May 15, 2012, 3:29:34 PM
In article
<11704401.504.1337099698856.JavaMail.geo-discussion-forums@vbep19>,
sbarmen <st...@barmen.nu> wrote:

> Now I do not know what to do next.

Nothing. Maybe firewall the offending IP, if you care.

> I tried decoding the POST data but keep
> ending up with jibberish. Seems it uploads a file of some sorts so it does
> not make any sense to me.

It uploads a file (base64 encoded, so). If you decode the filename
content, you get something like this:

@eval(decrypt("16WnmNZYVZ....

This is some PHP code, hidden (I think) in a fake GIF or JPEG file so
that it can trigger a security flaw in a WordPress module/addon, and
maybe give the hacker a door to your server.

patpro

--
For sale: APC 16-port IP KVM
http://patpro.net/blog/index.php/2008/01/12/133

sbarmen

May 16, 2012, 11:15:43 AM

Thank you patpro :)

I was kind of hoping to find some more evidence of the actual exploit that is used here, but that seems hard?

Is there any value in building together the whole data blob (base64) published?

Thanks again.

/stian

patpro ~ patrick proniewski

May 16, 2012, 3:35:53 PM
In article
<27544943.1191.1337181343169.JavaMail.geo-discussion-forums@vbx14>,
sbarmen <st...@barmen.nu> wrote:

> Thank you patpro :)
>
> I was kind of hoping to find some more evidence of the actual exploit that is
> used here, but that seems hard?

That's not hard. You just need to get the full POST content, isolate the
full content of the filename variable. Then you base64-decode it. It
often gives some PHP script.
In general, the PHP script is a simple
exec(decode-function('obfuscated-php-script'));

I've seen recently an attack attempt on my server. The hacker tried to
exploit a module of a WordPress theme to upload a fake GIF file. The
payload was a +8800 characters obfuscated PHP script. Sample:

$o="base-64-encoded-content";eval(base64_decode("base-64-encoded-content"
));return;?>

$o is a very long obfuscated PHP script.
A decoding PHP script is created by the 'eval' command, and it finally
executes a complex PHP script (decoded from $o) to create an IRC bot
that connects to an IRC channel and waits for commands.

I've seen another obfuscated script, that once executed gives the hacker
a full featured web interface to execute commands on the server. It was
hidden in 9 or 10 levels of exec(decode(obfuscated-php));

screen capture here: http://patpro.net/~patpro/interface.png

> Is there any value building together the whole data blob (base64) published?

only for your own pleasure :)

That's a good opportunity to train and acquire a few skills. For starters:
http protocol, php (de)obfuscation, web site common vulnerabilities,
apache and php security, and if you want to go further, you will want to
play with tcpdump, audit tools (openbsm, ktrace/strace/dtrace,
truss/dtruss, lsof...) or other tools available on your system or server.

To test and play with the IRC bot script, I've created a dedicated
FreeBSD virtual machine on my VMware Fusion, and launched the PHP script
using the php command line. I've hooked ktrace for local and IO audit,
and tcpdump to monitor the IP traffic.
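The decoding procedure patpro describes in both replies (isolate the filename field of the captured multipart POST, base64-decode it, and keep peeling eval(base64_decode("...")) layers until plain PHP appears) is shown here as an added Python example written for this page; it is not code from either poster. The multipart body, the boundary string, the form-field name and every "payload" layer are constructed for the example and are harmless text, and the list of PHP function names treated as indicators is an assumed triage list, not anything from the thread.

```python
import base64
import binascii
import re

# ---- Constructed sample input (NOT a real payload) -------------------------
# Mirrors the shape described in the thread: the "filename" form field holds
# base64 text which decodes to a fake GIF header followed by PHP of the form
#   $o="...";eval(base64_decode("..."));return;?>
# nested a couple of levels deep. Every layer here is harmless example text.
INNER = b'<?php echo "constructed harmless inner layer"; ?>'
MIDDLE = b'eval(base64_decode("' + base64.b64encode(INNER) + b'"));'
OUTER = (b'GIF89a\n<?php $o="' + base64.b64encode(b"decoy blob") + b'";'
         b'eval(base64_decode("' + base64.b64encode(MIDDLE) + b'"));return;?>')
BOUNDARY = "----ConstructedBoundary1234"  # assumed boundary value


def build_sample_body():
    """Build a multipart/form-data body like the one mod_dumpio would capture."""
    head = (f"--{BOUNDARY}\r\n"
            'Content-Disposition: form-data; name="filename"; filename="image.gif"\r\n'
            "Content-Type: image/gif\r\n\r\n").encode()
    return head + base64.b64encode(OUTER) + f"\r\n--{BOUNDARY}--\r\n".encode()


# ---- Analysis --------------------------------------------------------------
def parse_multipart(body, boundary):
    """Return {field name: raw bytes} for each part of a multipart/form-data body."""
    fields = {}
    for part in body.split(b"--" + boundary.encode())[1:]:
        if part.startswith(b"--"):          # closing delimiter: no more parts
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        head, _, data = part.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):          # CRLF that precedes the next boundary
            data = data[:-2]
        m = re.search(rb';\s*name="([^"]+)"', head)
        if m:
            fields[m.group(1).decode()] = data
    return fields


B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def peel_layers(text, max_depth=12):
    """Follow the eval(base64_decode("...")) chain, returning every decoded layer
    (outermost first). Stops at max_depth so a looping blob cannot run forever."""
    layers = [text]
    for _ in range(max_depth):
        m = B64_CALL.search(layers[-1])
        if not m:
            break
        try:
            layers.append(base64.b64decode(m.group(1)).decode("utf-8", errors="replace"))
        except (binascii.Error, ValueError):
            break
    return layers


# Assumed triage list: PHP functions whose presence in an uploaded "image" is
# worth a closer look. Matching names only, never executing anything.
SUSPECT = ("eval", "assert", "base64_decode", "gzinflate", "gzuncompress",
           "str_rot13", "preg_replace", "system", "exec", "passthru",
           "shell_exec", "fsockopen")


def indicators(text):
    """Sorted list of SUSPECT function names that are called in `text`."""
    return sorted(k for k in SUSPECT if re.search(r"\b" + k + r"\s*\(", text))


def analyze(body, boundary, field="filename"):
    """Decode one field of a captured POST and report what it really contains."""
    fields = parse_multipart(body, boundary)
    if field not in fields:
        return {"field": field, "present": False}
    try:
        blob = base64.b64decode(fields[field])
    except (binascii.Error, ValueError):
        blob = fields[field]                # not base64 after all; inspect raw bytes
    text = blob.decode("utf-8", errors="replace")
    image_magic = blob[:6] in (b"GIF89a", b"GIF87a") or blob.startswith(b"\xff\xd8\xff")
    layers = peel_layers(text)
    return {"field": field, "present": True,
            "fake_image": image_magic and "<?php" in text,
            "layers": layers,
            "indicators": [indicators(layer) for layer in layers]}


if __name__ == "__main__":
    report = analyze(build_sample_body(), BOUNDARY)
    print("fake image carrying PHP:", report["fake_image"])
    for depth, (layer, hits) in enumerate(zip(report["layers"], report["indicators"])):
        print(f"layer {depth}: {len(layer)} chars, indicators {hits}")
```

On a real capture the outermost layer usually looks like the `$o="...";eval(base64_decode("..."));return;?>` sample patpro quotes: the eval chain reveals the decoder, and `$o` is the blob that decoder unpacks, so a full analysis continues by applying that decoder (in a throwaway VM, as patpro does) rather than by running anything on the compromised host. The fake-image check matters for the same reason the thread gives: an upload handler that trusts the GIF/JPEG magic bytes will happily store a file whose remainder is PHP.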