The Latest in IT Security

W3 Total Cache and WP Super Cache Vulnerability Being Targeted in the Wild

04 May 2013

As if on cue, almost 7 days after we released the post about the latest W3TC and WP Super Cache remote command execution vulnerability, we have started to see attacks spring up across our network.

In our post you might remember this:

<!--mfunc echo PHP_VERSION; --><!--/mfunc-->

In that example we showed a very simple use of the tag: displaying the version of PHP running on your server. A lot of questions followed along the lines of "well, what's so harmful in that?" With little help from us, the attackers have gone on to show us what they can do.

Taking a Look at the Attacks

In this section I'll show you three of the various attacks we're seeing. In each you can see how they abuse the mfunc vulnerability: one in the more traditional approach of injecting a backdoor, another in a more creative way that lets them abuse HTTP headers. In either case they all seem to be getting passed via comments, and we give an example of that below. This is obviously for educational purposes only.

Example One – Targeting HTTP Headers

So in this example we see them abusing the mfunc vulnerability to pass shell commands via the HTTP headers in the place of the URL itself.

[Screenshot not reproduced: Screen Shot 2013-05-03 at 8.56.49 PM]

In this instance they are attacking your site while leaving very little trace, for instance they can do things like:

HTTP_CMD: Base64 encode of the backdoor/code they want to run

And it works with GET. Here is a better explanation if you’re not following:

A normal header would look something like this:

Connected to site.com (IP) port 80 (#0)
GET / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: blog.sucuri.net
Accept: */*

With this attack it’d look something like this:

Connected to site.com (IP) port 80 (#0)
GET / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: blog.sucuri.net
HTTP_CMD: Base64 encode of the backdoor/code they want to run
Accept: */*

Most folks would never even log that, so forensically speaking it’d be hard to know they were attacking this way.

Example Two – Passing a Backdoor

So in this example they misuse the mfunc and use it to pass a backdoor into your server. Not nice at all.

[Screenshot not reproduced: Screen Shot 2013-05-03 at 7.54.05 PM]

In this case it looks a bit worse, but once you decode it, it's a lot easier to understand; here it is decoded:

[Screenshot not reproduced: Screen Shot 2013-05-03 at 7.56.09 PM]

Do you see what they’re doing? How they’re passing basic PHP commands to your server? Look here:

fopen, fputs, eval, base64_decode, fclose

They're using basic PHP functions against you. They use fopen to open a new file called maeksv.php, then write the payload into that file with fputs (the payload is base64 encoded), and proceed to close the file with fclose. If you look at the payload that was dropped into that file you find something like this:

[Screenshot not reproduced: Screen Shot 2013-05-03 at 7.58.36 PM]

Don't worry, with a little fine tuning you see its real intention here:

[Screenshot not reproduced: Screen Shot 2013-05-03 at 8.03.32 PM]

Using this the attacker can now do something like this:

http://goodsitebeingexploited/wp-content/cache/dcfay.php?jebfvlg=

Example Three – Embedded with Comments

We know that these are occurring via comments but it’s always fun to see the things they say, like this for instance:

[Screenshot not reproduced: Screen Shot 2013-05-03 at 8.31.42 PM]

Or even this:

[Screenshot not reproduced: Screen Shot 2013-05-03 at 8.33.57 PM]

So in these scenarios they are leaving you what appear to be legitimate, yet silly, comments. If you’re none the wiser that’s all you’d see, approve and be on your way.

Where Are They Coming From?

Well, here are some of the IPs we’re picking up via our network:


Some quick lookups show us IPs coming from all over: Netherlands, Brazil, China, Russia, Singapore...

What To Do?

The most obvious thing is to update immediately; both authors have made changes to their core to address these issues. That in and of itself will help you. Other options include the following:

  • Leveraging a Web Application Firewall (WAF)
  • Adding CAPTCHAs to comments to deter spam bots
  • Ensure all comments are going through some kind of moderation
  • Don’t land the comments on your server, leverage 3rd party plugins – e.g., Disqus

In the guidance above, do realize that the CAPTCHA won't necessarily protect you if you approve the comment anyway, but it should slow bot attacks.
