Anestis Bechtsoudis » timthumb http://bechtsoudis.com Driven by Passion for Challenges Tue, 01 Jul 2014 12:30:55 +0000 en-US hourly 1 http://wordpress.org/?v=3.9.2 Revealing Blackhat Web Shell Choices http://bechtsoudis.com/2012/03/28/revealing-blackhat-web-shell-choices/#utm_source=rss&utm_medium=rss&utm_campaign=revealing-blackhat-web-shell-choices http://bechtsoudis.com/2012/03/28/revealing-blackhat-web-shell-choices/#comments Wed, 28 Mar 2012 18:02:18 +0000 http://bechtsoudis.com/?p=1278 Recently I received a call from a friend to inspect a web server attack incident. It was nothing more than a trivial web hacking case with an uploaded web shell and some proxy tools running under apache user. The disappointing part was that the entry point for the attacker was a WordPress setup hosted in the server which was vulnerable to the famous TimThumb Remote File Inclusion vulnerability. I considered it unthinkable (till that case) that there still exist hosts vulnerable to the Timthumb exploit after all this fame the last months. So I decided to conduct a further investigation to see if there still exist active bots seeking for vulnerable Timthumb versions in WordPress installations.

Knowing how the vulnerability is exploited it was easy to perform some simple regex searches in the NIDS alert databases and web log servers in order to obtain data for my analysis. Input has been gathered from production web servers and NIDS sensors running on the academic network infrastructure at work. The analysis processed evidence data from the past three months (1st January 2012 – 28th March 2012).

The first stage was to enumerate the RFI URL paths involved in the exploitation attempts from infected hosts. Full URL list is available at the download section in the end of the post.

Continuing the analysis, the URL list was accessed by a crawling script in order to separate alive and dead links. The original Timthumb script makes a GET request to the given URL with empty User-Agent and Referrer URL header fields. To avoid any protection settings in the malicious server hosts, the crawl script uses the curl tool with the correct arguments simulating the exact same behavior of the Timthumb script. The script has been run from a honeypot node and the output is as following:

root@honey2:~# ./url_inspect.sh rfi_urls.txt evidence/
[*] Checking URL status
-{ ERR }- http://img.youtube.com.ignorelist.com:55000/.google/byroe.php
-{ ERR }- http://img.youtube.com.ignorelist.com:55000/.google/wpengine.php
-{ 404 }- http://picasa.combo.opsetconsulting.com/byroe.php
-{ ERR }- http://blogger.com.autismactivism.org/get.php
-{ 404 }- http://blogger.com.herzelconsultores.com.ar/shell.php
-{ ERR }- http://blogger.com.mesco.com.vn/login.php
-{ 404 }- http://blogger.com.nilgirisrealty.com/cok.php
-{ 200 }- http://blogger.com.omahastorm.org/jek.php
-{ 200 }- http://blogger.com.pinkfc.com/thumb/id.php
-{ 200 }- http://blogger.com.pinkfc.com/thumb/jef.php
-{ 200 }- http://blogger.com.textrock.com/xcyb.php
-{ 200 }- http://blogger.community.thermomixphils.com/2.php
-{ 404 }- http://flickr.com.bpmohio.com/byroe_cpf.php
-{ 403 }- http://flickr.com.fashionandbeautyonline.cl/.stun.php
-{ 403 }- http://img.youtube.com.fashionandbeautyonline.cl/nxs.php
-{ ERR }- http://img.youtube.com.novedadesmarta.es/telek.php
-{ 404 }- http://picasa.com.afina.ro/bogel.php
-{ 200 }- http://picasa.com.dv9.demopm.com/crash.php
-{ 302 }- http://picasa.com.jcibuenosaires.com.ar/2.php
-{ 403 }- http://picasa.com.medo.ro/pilat.php
-{ ERR }- http://picasa.com.oeildupirate.com/yahoo.php
-{ ERR }- http://picasa.com.richcityidol.com/yahoo.php
-{ ERR }- http://picasa.com.supremovestibulares.com.br/yahoo.php
-{ 404 }- http://picasa.com.yourfashionchic.it/idlink.php
-{ 200 }- http://picasa.communication.mpgallery.info/2.php
-{ 200 }- http://wordpress.com.junglerumblepartyvenue.co.za/index.php
-{ ERR }- http://wordpress.com.usurnsonline.com/new.php
-{ 500 }- http://wordpress.company.travelagencymanila.com/2.php

[*] 'Alive' links will be downloaded for further inspection

So 8 out of 28 URLs are still active containing Timthumb exploitation PHP code. For further inspection the PHP source codes have been downloaded locally. Blackhats behind the PHP sources have used known obfuscation methods (rot13, gunzip, base64 etc) to hide their code. Some of them made some really insane choices by looping obfuscation functions for even 50 times. Consequently some obfuscation unroll scripts have been written to reveal the original PHP code.

The following 5 web shells have been identified:

  1. ANASKI PHP BOT Script  (1 hits)
  2. r57 { KingDefacer 2.0.20 re-coded } (1 hits)
  3. c99 { s4l1ty re-coded } (1 hits)
  4. E-ZiNe Shell (2 hits)
  5. Unknown (3 hits)

What surprised me was the functionality and appearance details in almost all the discovered web shells, resulting in big noise at various system and network logs. None of the web shells care to operate in a stealth way exposing itself instantly to a decent sysadmin who monitors the web server appropriately.

 

Conclusions

The analysis revealed 28% alive bot activity with ~3.000 exploit attempts regarding the Timthumb vulnerability from January 1st 2012 to March 28th 2012 in the academic network. Numbers indicate that after 8 months (vulnerability disclosured at August 3rd 2011) botnet operators are still seeking for vulnerable WordPress installations. Such a number possibly indicates that there are still many vulnerable setups out there.

 

Download Evidence

Be very careful while processing the following data as it might harm your systems if not used properly. Run your tests in virtual machines or sandbox environments and do not hit the malicious URL from critical source IP addresses.

 

PS: Local authority CERT has been informed about the occurred incidents.
PS2: Regularly updated list with all the gathered RFI URLs from monitor sensors is available here.

 

 

A. Bechtsoudis

]]> http://bechtsoudis.com/2012/03/28/revealing-blackhat-web-shell-choices/feed/ 2