WordPress TimThumb RFI Vulnerability used as Botnet Recruitment Vector

On thirst August 2011, Mark Maunder had reveal, through a defacement experience, that “timthumb.php” script, included in hundreds of WordPress themes, was vulnerable to remote file inclusion (RFI) attack. TimThumb is small php script for cropping, zooming and resizing web images (jpg, png, gif).

The default configuration of “timthumb.php” script, in many WordPress themes, allow remote file inclusion from the following domains:

  • flickr.com
  • picasa.com
  • blogger.com
  • wordpress.com
  • img.youtube.com
  • upload.wikimedia.org
  • photobucket.com

Unfortunately the domain code verification was buggy, allowing remote file inclusion if the above domain strings appears anywhere in the hostname, for example : picasa.com.zataz.com.

To create such DNS entries you need to have control on a zone hosted by a DNS server, the attack vector is more complex than a simple RFI attack how don’t need this kind of resource.

Since few weeks, I observe through my Honeynet that attempts to exploit this vulnerability are increasing and that it is now fully integrated as dork into the ByroeNet like tools. The fact is that more and more exploitable DNS entries are created how allow the TimThumb vulnerability exploitation.

For example, one of the most active TimThumb vulnerability domain is actually “picasa.com.xpl.be“, how has the following details :

  • RFI IP : 98.158.186.250
  • RFI FQDN : 90.158.186.250.static.midphase.com
  • RFI Country : United States

Domain name servers authority for “picasa.com.xpl.be” and “xpl.be” domain names are :

; AUTHORITY SECTION:
xpl.be.			81644	IN	NS	ns2.afraid.org.
xpl.be.			81644	IN	NS	ns3.afraid.org.
xpl.be.			81644	IN	NS	ns1.afraid.org.
xpl.be.			81644	IN	NS	ns4.afraid.org.

;; ADDITIONAL SECTION:
ns1.afraid.org.		508	IN	A	67.19.72.206
ns2.afraid.org.		206	IN	A	174.37.196.55
ns3.afraid.org.		26	IN	A	72.20.15.61
ns4.afraid.org.		26	IN	A	174.128.246.102

afraid.org is a free DNS hosting, dynamic DNS hosting, static DNS hosting, subdomain and domain hosting services provider.

xpl.be domain name has been registered, the 5 April 2010, through Key-Systems GmbH a german domain name registrar and the registration informations are :

Registrant
Name : Dolores Aleman
Organisation : Dolores Aleman
Address : 1014 south 2nd st - 78550 Harlingen AL US
Email : [email protected]

Registrant technical contacts
Name : Mr XpL
Organisation : XpL inc
Address : 1014 south 2nd st - 78550 Harlingen AL US
Email : [email protected]

Both “picasa.com.xpl.be” and “xpl.be” are hosted on IP 98.158.186.250 from midPhase.com a hosting service provider, but this hosting service provider doesn’t provide any free hosting services. Also as you can see below the xpl.be web site designer know ASCII art.

Other example is “picasa.compress.cu.cc“, registered on “cu.cc” the 13 September 2011 by “[email protected]“. the domain name and website are hosted on 50Webs.com a free DNS and hosting provider.

picasa.computergoogle.co.cc“, registered on “co.cc” registrar the 22 September 2011 by “[email protected]“. The domain name and website are hosted on 50Webs.com a free DNS and hosting provider.

wordpress.com.daliacarella.com“, registered on “www.000domains.com” the 17 July 2011 by [email protected] The domain name and the website are hosted on HostDime.com.

blogger.com.donshieldphotography.com“, registered on Visual Solutions Group Inc the 19 January 2011 by “Don Shield Photography“. The domain name and the website are hosted on Visual Solutions Group Inc. “www.donshieldphotography.com” seem to be a legitimate Web site, but Visual Solutions Group Inc infrastructure seem also compromised.

blogger.com.aptum.nu“, registered on nunames.nu the 24 October 2006 by [email protected] The domain name and the website are hosted on ODERLAND. “aptum.nu” seem to be a legitimate Web site.

blogger.com.jewelhost.co.uk” registered on 123-reg.co.uk the 04 May 2010 by “Callum Baillie”. The domain name and the website are hosted on JewelHost.co.uk a hosting provider how seem to be compromised.

blogger.com.tara-baker.com” registered on Tucows Domains the 07 January 2010 by “UK2.net”. The domain name and the website are hosted on VC-Hosting.com a hosting provider how seem to be compromised.

picasa.com.marcialia.com.br” has his domain name and website hosted on SERVER4YOU a hosting provider how propose free hosting trial during 6 months.marcialia.com.br seem to be a legitimate web site, the account seem to be compromised.

Other domains how are also participating to the TimThumb Botnet : “picasa.com.crimecyber.tk“, “blogger.com.1h.hu“, “picasa.com.nixonmu.com“, “blogger.com.lionsurveys.com“, “blogger.com.autoelectricahernandez.com“.

You have also “picasa.com.throngbook.com“, “blogger.com.cursos.secundariatecnica33.org”  how are actually down.

All these compromised sites seem to be related to the Indonesian Byroe.net network.

Here under you can find some live stats on the TimThumb vulnerability exploitation attempts detected by our Honeynet.



SUC027 : Muieblackcat setup.php Web Scanner/Robot

  • Use Case Reference : SUC027
  • Use Case Title : Muieblackcat setup.php Web Scanner/Robot
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : N.D.
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • Regarding the logs, this scanner is looking for “setup.php” files.

Source(s) :

Emerging Threats SIG 2013115 triggers are :

  • The HTTP header should contain “GET /muieblackcat HTTP/1.1“. A complete set of logs is available here.
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.
SIG 2013115 1 Week events activity
SIG 2013115 1 Week events activity
SIG 2013115 1 month events activity
SIG 2013115 1 month events activity
1 Month TOP 10 source IPs for SIG 2013115
1 Month TOP 10 source IPs for SIG 2013115
TOP 20 source countries for SIG 2013115
TOP 20 source countries for SIG 2013115

SUC026 : DataCha0s Web Scanner/Robot

  • Use Case Reference : SUC026
  • Use Case Title : DataCha0s Web Scanner/Robot
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Source IP(s) : Random
  • Source Countries : Most of US and Brasil
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • DataCha0s bot.

Source(s) :

Emerging Threats SIG 2003616 triggers are :

  • The HTTP header should contain “DataCha0s” User Agent string. Example : User-Agent: DataCha0s/2.0
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.
SIG 2003616 1 Week events activity
SIG 2003616 1 Week events activity
SIG 2003616 1 month events activity
SIG 2003616 1 month events activity
1 Month TOP 10 source IPs for SIG 2003616
1 Month TOP 10 source IPs for SIG 2003616
TOP 20 source countries for SIG 2003616
TOP 20 source countries for SIG 2003616

SUC025 : ZmEu exploit scanner

  • Use Case Reference : SUC025
  • Use Case Title : ZmEu exploit scanner
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : ZmEu bot
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • phpMyAdmin scanner

Source(s) :

Emerging Threats SIG 2010715 triggers are :

  • The HTTP header should contain “Made by ZmEu” User-Agent string. Example : “User-Agent: Made by ZmEu @ WhiteHat Team – www.whitehat.ro
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.
SIG 2010715 1 Week events activity
SIG 2010715 1 Week events activity
SIG 2010715 1 month events activity
SIG 2010715 1 month events activity
1 Month TOP 10 source IPs for SIG 2010715
1 Month TOP 10 source IPs for SIG 2010715