WordPress Install Compromised

Last week I got an email from the Dutch NCSC (Nationaal Cyber Security Centrum). Apparently one of the nodes I manage for a customer was part of a botnet. There were no further demands; they just informed me about the issue. Damn cool! Being part of a botnet, however? Not so cool!

With the email came a small excerpt of an IRC channel log. I recognized the node, so I SSH'ed into that specific node and used netstat to check for any strange connections. A connection on port 20 to the C&C node of the botnet. That's not good.

$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 xxx.xxx.xxx.xx:20 69.162.80.62:20 ESTABLISHED

In the email from NCSC it was mentioned to look for files called wp-rss3.php. But a search for this file did not return any hits. Hmmm. And I still had no idea which site it concerned, since a couple were running on this particular node. The only thing certain: it's WordPress related. So I started searching for recent WordPress compromises, and found a lot of hits on Google for the timThumb and wps3slider plugins. But checking the log files for these plugins revealed nothing. And for some weird reason I had just cleaned up the log partition a couple of days before. So not much luck there.

Some more Googling told me to do a search on the WordPress installs for the PHP function base64_decode(). Oh well, let's give it a try. Some suspicious files showed up instantly.

$ find . -type f -exec grep -l 'base64_decode' {} \;

./uploads/2010/06/wp-rss4.php (source)
./uploads/2011/05/alienee.php (source)
./plugins/wps3slider/temp/34e3a3a74f6e2d0f236bdd3ba70c0c03.php (source)
./plugins/wps3slider/temp/cf2cdb3ad3249b9692de07290f16f287.php (encoded, decoded)
./plugins/wps3slider/temp/771b821c974131c67e34c83d8d2db725.php (encoded, decoded)
./plugins/wps3slider/temp/2b3753ea4769084f2e571737b695b03a.php (encoded, decoded)
./plugins/wps3slider/temp/7228f168d9692eafeafc54dbc3a1ab49.php (encoded, decoded)
./plugins/wps3slider/uploads/1.php (source)
/var/tmp/dc.pl (encoded, decoded)
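The find/grep one-liner above is the quick version of a triage pass over wp-content. The script below is an added example (my own code, not from the original post) that does the same sweep a bit more thoroughly: it greps for base64_decode plus the other usual PHP obfuscation and exec primitives, flags PHP files sitting in directories the web server can write to (uploads/, temp/, cache/), and flags files consisting of one very long line, which is what an encoded payload blob usually looks like. The indicator list, the directory names and the sample tree it scans are my assumptions, constructed to mirror the layout on the page; the file contents are placeholders, not the real malware. Note that WordPress core and legitimate plugins also call base64_decode and str_rot13, so every hit is a lead to read by hand, not a verdict.

```python
import re
import tempfile
from pathlib import Path

# Indicators to grep for. base64_decode is what the page searched for; the
# rest are the other common obfuscation/exec primitives (an assumption about
# what a triage pass should cover, not a list from the original post).
INDICATORS = {
    "base64_decode": re.compile(rb"base64_decode\s*\("),
    "eval": re.compile(rb"\beval\s*\("),
    "str_rot13": re.compile(rb"str_rot13\s*\("),
    "gzinflate": re.compile(rb"gz(?:inflate|uncompress)\s*\("),
    "exec": re.compile(rb"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\("),
}
# Directories WordPress lets the web server write to; PHP has no business there.
WRITABLE_DIRS = {"uploads", "temp", "tmp", "cache"}
EXTENSIONS = {".php", ".phtml", ".inc", ".pl"}


def scan_file(path: Path, rel: Path) -> list:
    """Return the list of reasons a file looks suspicious (empty if none)."""
    data = path.read_bytes()
    reasons = [name for name, rx in INDICATORS.items() if rx.search(data)]
    if rel.suffix.lower() in (".php", ".phtml") and WRITABLE_DIRS & set(rel.parts):
        reasons.append("php-in-writable-dir")
    # One very long line is typical of a single encoded payload blob.
    if data and max(len(line) for line in data.splitlines()) > 400:
        reasons.append("long-line")
    return reasons


def scan_tree(root) -> dict:
    """Walk a wp-content style tree; map relative path -> reasons for every hit."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        rel = path.relative_to(root)
        reasons = scan_file(path, rel)
        if reasons:
            hits[rel.as_posix()] = reasons
    return hits


# Constructed sample tree echoing the layout from the page; the contents are
# placeholders, not the real files.
SAMPLE_FILES = {
    "uploads/2010/06/wp-rss4.php": "<?php eval(base64_decode('aGVsbG8='));",
    "plugins/wps3slider/temp/deadbeef.php": "<?php $x='" + "A" * 500 + "';",
    "plugins/wps3slider/wps3slider.php": "<?php function wps3slider_init() { return 1; }",
    "uploads/2011/05/photo.jpg": "not a script",
    "themes/demo/functions.php": "<?php echo str_rot13('uryyb');",
}


def build_sample_tree(base) -> None:
    for rel, body in SAMPLE_FILES.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against a real install as `scan_tree("/var/www/site/wp-content")`; the constructed tree exists only so the script runs offline. The clean plugin file and the JPEG produce no hit, the file in the temp/ directory is flagged on location and shape alone even though it contains no keyword, and themes/demo/functions.php shows the kind of false positive a legitimate str_rot13 call produces.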

Interesting. A quick look at the files showed that most of them were obfuscated, but not all. Two of the files were IRC bots written in PHP. At this moment I couldn't resist but crack a little smile. But it's also a reminder of how fragile the web really is. I quickly moved the files out of the way and rebooted the machine. When it came back online I monitored all connections for a while, but the connection to the C&C node was not restored. So I informed NCSC. And went back to bed!

The WordPress admin should have kept the sites up to date. Lesson learned, I hope! Of course I could not resist coming back to it later. And so I did. I started by searching the Apache log files for wp-rss4.php, and found a couple of instances where this file was directly called, from a total of 4 different IP addresses.

69.162.80.62

This is the IP address of the C&C server.

186.241.16.25
201.8.237.18
201.8.226.109

These IP addresses all originate from Brazil. No further information is available at this moment. After that I started poking around the trojans / IRC bots found earlier. As mentioned earlier, there were two bots installed on the server; one was running, the other wasn't. This is a configuration snippet from both bots.
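Searching the Apache logs for direct calls to the dropped file is what pinned down the source addresses above. The following is an added example (my own code, not from the original post) of that search as a small script: it parses combined-format access log lines, keeps the requests whose path ends in the file name of interest, and groups them per source IP with a count, first/last timestamp, HTTP methods and any query strings, since web shells typically take their commands from GET parameters. The combined log format is an assumption (the page does not show its Apache configuration), and the sample lines are constructed using documentation addresses (RFC 5737), not the page's real IPs or timestamps.

```python
import re
from datetime import datetime

# Apache "combined" log format (assumption: the page does not show its log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line: str):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def requests_for(lines, filename: str) -> dict:
    """Group every request for the given file basename by source IP."""
    by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].rsplit("/", 1)[-1] != filename:
            continue
        entry = by_ip.setdefault(rec["ip"], {
            "count": 0, "first": rec["ts"], "last": rec["ts"],
            "methods": set(), "queries": [],
        })
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["methods"].add(rec["method"])
        if rec["query"]:  # shells usually take their command in the query string
            entry["queries"].append(rec["query"])
    return by_ip


# Constructed sample log (documentation IPs, invented timestamps), not the
# real access log from the compromised node.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Jan/2012:03:14:07 +0100] "GET /wp-content/uploads/2010/06/wp-rss4.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Jan/2012:03:15:21 +0100] "POST /wp-content/uploads/2010/06/wp-rss4.php HTTP/1.1" 200 412 "-" "-"',
    '192.0.2.44 - - [28/Jan/2012:03:16:00 +0100] "GET /2012/01/hello-world/ HTTP/1.1" 200 9012 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jan/2012:03:18:42 +0100] "GET /wp-content/uploads/2010/06/wp-rss4.php?cmd=id HTTP/1.1" 200 77 "-" "curl/7.21"',
    '192.0.2.44 - - [28/Jan/2012:03:19:10 +0100] "GET /wp-content/plugins/wps3slider/temp/x.php HTTP/1.0" 404 211 "-" "-"',
]


if __name__ == "__main__":
    for ip, info in requests_for(SAMPLE_LOG, "wp-rss4.php").items():
        print(ip, info["count"], sorted(info["methods"]), info["first"].isoformat(),
              info["last"].isoformat(), info["queries"])
```

On a real box feed it the log files directly, e.g. `requests_for(open("/var/log/apache2/access.log"), "wp-rss4.php")`, and run it once per dropped file name; the direct-call pattern (a request for a PHP file under uploads/ or a plugin temp/ directory, often with an empty referer and user agent) is the signal to look for regardless of the file name.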

The first bot. And the one i was informed about.

var $config = array("server"=>"antesedepois.servegame.com",^M
  "port"=>20,^M
  "pass"=>"depois",^M
  "prefix"=>"depois",^M
  "maxrand"=>8,^M
  "chan"=>"#depoiswp",^M
  "key"=>"",^M
  "modes"=>"+iB-x",^M
  "password"=>"depois",^M
  "trigger"=>".",^M
  "hostauth"=>"*" // * for any hostname^M
);

And the second one

var $config = array("server"=>"58.225.75.155",
  "port"=>9999,
  "pass"=>"",
  "prefix"=>"animal",
  "maxrand"=>8,
  "chan"=>"#animal",
  "key"=>"",
  "modes"=>"+iB-x",
  "password"=>"oishi",
  "trigger"=>".",
  "hostauth"=>"*!*@The.Black.Cat" // * for any hostname
);

Notice the ^M characters at the end. Seems like somebody is using Windows. So now we have login details for two C&C servers. Why not take a look.

$ ircii
/server antesedepois.servegame.com:20

Some standard IRC stuff

*** Connecting to port 20 of server antesedepois.servegame.com
*** Welcome to the Internet Relay Chat Network, root (from IRCPRIVATE)
*** /etc/irc/script/local V0.5 for Debian finished. Welcome to ircII.
*** If you have not already done so, please read the new user information with /HELP NEWUSER
*** Your host is IRCPRIVATE, running version 1.2.1546
*** This server was created jan 27 2012 at 06: 29:02 HodB (Serial # 00-00-00)
*** channel modes available abdefghijklmnopqrstuvwxyzACEFIKLMOPT
*** IRCX
*** There are 6 users and 362 invisible on 1 servers
*** 7 channels have been formed
*** This server has 368 clients and 0 servers connected
*** Current local users: 368 Max: 989
*** Current global users: 368 Max: 989
*** MOTD Not Present

So let’s check the channels on this thing

/list

*** Channel    Users  Topic
*** #depoiswp  360    Entrou = Ban :)
*** #grmteam   6      
*** #depoisSca 4      Entrou = Ban :)
*** #depoisVul 6      Entrou = Ban :)
*** #rfi       3      
*** #sql       1  

I entered all of the channels and waited for a while, but no activity took place. The only really interesting channel is #depoiswp. This is the channel where all the bots connect. At the time I logged in there were about 360 of them available. I immediately recognized the log excerpt sent to me by the NCSC.

*** Topic for #depoiswp: Entrou = Ban :)
*** #depoiswp SYSTEM 1327945185
(#depoiswp/#depoiswp) Entrou = Ban :)
*** [A]depois88802849 (~depois48170648@68.233.238.XX) has joined channel #depoiswp
*** #depoiswp 1327653297
*** [A]depois13436992 (~depois92951214@212.227.114.XX) has joined channel #depoiswp
*** [A]depois18833547 (~depois69088341@184.154.130.XX) has joined channel #depoiswp
*** [A]depois80116634 (~depois13242297@213.251.189.XXX) has joined channel #depoiswp
*** [A]depois31855907 (~depois23946193@82.85.28.XXX) has joined channel #depoiswp
*** [A]depois25458508 (~depois64120008@87.106.214.XX) has joined channel #depoiswp
*** [A]depois17803105 (~depois55004207@74.208.16.XX) has joined channel #depoiswp
*** [A]depois96800217 (~depois89042073@174.121.216.XXX) has joined channel #depoiswp
*** [A]depois17108432 (~depois51961332@209.68.1.XXX) has joined channel #depoiswp
*** [A]depois95432403 (~depois13925479@209.68.1.XXX) has joined channel #depoiswp
*** [A]depois96515275 (~depois10767943@195.74.38.XXX) has joined channel #depoiswp
*** [A]depois73596561 (~depois90562179@69.89.31.XXX) has joined channel #depoiswp
*** [A]depois85357227 (~depois31697723@64.191.115.XX) has joined channel #depoiswp
*** [A]depois07993697 (~depois40240585@79.96.128.XX) has joined channel #depoiswp
*** [A]depois97441253 (~depois19633359@193.189.74.XX) has joined channel #depoiswp
*** [A]depois76843389 (~depois55419325@176.9.34.XXX) has joined channel #depoiswp
*** [I]depois16679788 (~depois28004829@213.171.218.XXX) has joined channel #depoiswp
*** [A]depois88178285 (~depois05296405@74.220.215.XXX) has joined channel #depoiswp

<[A]depois16231776> [Attack Finalizado!]: 1749605 MB enviados / Pacotes enviados: 14580 MB/s
<[I]depois60130568> [Attack Finalizado!]: 75 MB enviados / Pacotes enviados: 1 MB/s
<[I]depois48664304> [Attack Finalizado!]: 75 MB enviados / Pacotes enviados: 1 MB/s
<[I]depois65415449> [Attack Finalizado!]: 75 MB enviados / Pacotes enviados: 1 MB/s
<[I]depois11325010> [Attack Finalizado!]: 75 MB enviados / Pacotes enviados: 1 MB/s
*** [A]depois40994506 (~depois72760562@79.98.28.XX) has joined channel #depoiswp
<[A]depois07568398> [Attack Finalizado!]: 2187317 MB enviados / Pacotes enviados: 18228 MB/s
<[A]depois55402758> [Attack Finalizado!]: 11425 MB enviados / Pacotes enviados: 95 MB/s
*** [A]depois03383512 (~depois52457929@74.220.215.XX) has joined channel #depoiswp
<[A]depois37064023> [Attack Finalizado!]: 1264043 MB enviados / Pacotes enviados: 10534 MB/s
<[A]depois69234369> [Attack Finalizado!]: 2205504 MB enviados / Pacotes enviados: 18379 MB/s
*** [A]depois74911768 (~depois04730096@74.220.215.XX) has joined channel #depoiswp
*** Signoff: [A]depois31575043 (Connection reset by peer)
<[I]depois17710498> [Attack Finalizado!]: 81 MB enviados / Pacotes enviados: 1 MB/s
<[I]depois28464134> [Attack Finalizado!]: 81 MB enviados / Pacotes enviados: 1 MB/s

That's fine and all. I disconnected shortly after that. I really have no reason to be poking around there now, do I ;) Besides, who wants to interfere with an ongoing investigation? Poking around the files a bit more did not reveal all that much information, except for the fact that besides an IRC bot a backdoor was also installed, in the form of a Perl script dc.pl in /var/tmp. So who knows. The server might be rooted at this point.

I spent some more time on decoding the bot and trojan contents, and posted them on pastebin if you are interested. The server is going to be decommissioned soon, so I am not going to pay much more attention to it.

1.php and b2dabd0e2c42b55fabf741bcac29f857.php

Web Shell by boff

2b3753ea4769084f2e571737b695b03a.php

This file was base64 encoded but once decoded revealed itself to be a simple script by v0pCr3w and nob0dyCr3w to run system commands on the server. Also included was a simple upload form.

34e3a3a74f6e2d0f236bdd3ba70c0c03.php

c99 injector v1

771b821c974131c67e34c83d8d2db725.php

This script was rot13 and base64 encoded and was trying to clean up after the hacker and install a second back door.

7228f168d9692eafeafc54dbc3a1ab49.php and cce0a37ffc138a8908da05977639bed1.php

Again rot13 and base64 encoded. But this script contained something that looks like a control panel. The page title was 'Hacked by Sherif #oishi @ ALLnet'.

alienee.php

Still working on this one

cf2cdb3ad3249b9692de07290f16f287.php and ded3244749701c4eb5a29b959ad56736.php

These files contained a second bot that was connecting to a whole different server. Probably exploited by another crew?

dc.pl

This Perl backdoor was created by one of the IRC bot scripts. And was hiding in /var/tmp after creation.
