In March 2009, our Honey Net reported us a malicious Remote File Inclusion code hosted on a Google Sites, how was invoked in few events. The Google Sites was called “nurhayati satu“, an Indonesian surname and first name. The invoked malicious script was “http://sites.google.com/site/nurhayatisatu/1.txt???“.
[TABLE=10]
Between March 2009 and May 2010, no more sign of life of this Google Sites. But since May the number of events have increase and we could distinguish the apparition of the “Cloud” phenomena. “nurhayati satu” Google Sites has now around 16 IP addresses associated as hosting server and all these IP addresses are owned by Google Inc. The involved CIDR’s are 209.85.128.0/17 and 74.125.0.0/16.
It is interesting to visualize the interactions of the attackers source IPs (in blue) with the Google Sites Cloud destination IPs (in green).
Google Sites Cloud RFI
You can see that the attackers source IPs are not dedicated to one hosting server IP, but are also invoking the “Cloud” IPs.
Every one of you know the Google results labelled ‘This site may harm your computer‘.
It will be funny if Google Sites themselves will be labelled, but more seriously should we declare Google Sites to Dshield, Abuse.ch or Emerging Threats ? Should we block Google, cause Google is delivering some malwares between his Cloud infrastructure, and no one care 🙂
Since one week, we have detect some increasing RCE (Remote Code Execution) and SQL injection attempts on xmlrpc.php. These attempts are detected by ET rule 2002158, with last modification on the rule the 2009-03-13.
You can find here under the payload how is called by the attempts.
test.method’,”));echo ‘XxXDIOCANEXxX’;exit;/*
Despite the source IPs are completely random, the User Agent is still Mozilla/5.0 and the payload is all the time the same. These attempts seems to be generated by a tool using some Google dorking capabilities. Also the source IPs are also involved in other exploits attempts, members of RFI or LFI botnets.
24 hours SIG 2002158 events activities1 week SIG 2002158 events activities1 Month SIG 2002158 events activitiesOne year SIG 2002158 events activities1 Month TOP 10 source IPs for SIG 2002158
Every one of you know Remote File Inclusion vulnerability, how permit to include a remote file usually through a PHP script on the Web application. This remote file contain some code how will be executed in the context of the server and permit for example to gather informations, execute code and compromise the Web server.
Same as Metalica, bad guys are seeking and then destroying. But before destroying, bad guys seeking potential targets with search engines (Google, Yahoo, Live, Ask, etc.) and if some results are matching, they then try to see if the Web application URL is vulnerable or not. Same as a submarine active sonar, the remotely included code will ping the potential vulnerable URL, and if this URL is vulnerable the Web application will do an code echo reply. PS : Special dedicated to :
echo("FeeL"."CoMz");
Now the bad guys knowing that the Web application URL is vulnerable, they will gather more informations about the Web application and server environment. Following the responses to the informations gathering, the bad guys will decide which kind of infections they could apply and how depth the infections would be. The critical informations that the bad guys will look are for example :
Is PHP safe mode set to “on” ?
What is the OS hosting the vulnerable application ?
Version of the kernel, if applicable ?
What is the user running the web application, most of time httpd or apache.
What are the permissions of the Web application directories, read only, writable ?
If PHP safe mode is set to “on”, the bad guys will only use the vulnerable Web application and server as repository for some scripts, most of time the “ping code” and the “informations gathering code“.
If PHP safe mode is set to “off”, then the bad guys will begin to remote upload, on the server, more scripts. Mainly RFI viral packs containing these capabilities :
IRC Command & Control bot module
Search engines targets seeker module
RFI code ping scan script
RFI code echo reply listener module
Informations gathering script
IRC channels & words spying module
DOS & DDOS module
Portscanner module
Fake speaking & answering IRC bots module
Google bypasser module
PHP shells script
What is really important to understand is that every parts of these RFI viral packs could be decentralized on other compromised servers, and controlled by different IRC Command & Control servers . And now, longer the first initial Web application and server is compromised, longer this infected host will participate to increase the size of the RFI botnet.
We will use a example, a very old friend of our HoneyNet, lunched in February 2009. We will call our old friend “RFI n°4” (Nooo, I’m not an number….) and provide you his ID card.
RFI ID : 4
RFI IP : 213.158.72.68
RFI FQDN : virtual.interfree.it
RFI Country : Italy
RFI Vhost : brej.interfree.it
RFI URL : http://brej.interfree.it/id.jpg??
Number of events generated by n°4 : 1935
Number of source IPs how are calling the RFI URL : 112
RFI first seen : 2009-02-15 20:54:58
RFI last seen : 2010-05-26 21:48:09
RFI life time : 465 day’s
Hu, 465 days old … my n°4 friend is very old and has a lot of friends how are visiting him (112 source IPs). The number of events is quiet relative, cause 465 day’s for only generating 1935 events, my n°4 friend you could do better, maybe your master is a lazy guy. All you friends are trying different attacks, with your help, against our HoneyNet.
RFI n°4 as red, and all his friends in green with the related SIG attempts
What is interesting n°4, is that some of your friends are also RFI infected, and all together you create a big family linked together (RFI botnet).
RFi n°4 centralized in red, and all his friend
Another possible visualization is to see month by month the activities turning around our n°4 RFI friend. RFI n°4 is indicated in green colors, source IPs how are not also RFI are indicated in orange colors and source IPs how are also RFI are indicated in red flame colors.
[nggallery id=4]
In a previous post, we have seen that Joomla wgPicasa component LFI exploit was more used than other LFI exploits. I was interested to see if the source IPs of this particular LFI attack was implicated into other attacks and integrated into bigger botnets.
First of all, since the 15 April 2010, we have 165 different unique source IPs how have attempt to use the Joomla wgPicasa component LFI exploit on our HoneyNet. These source IPs have generate 20 351 events. Here under an afterglow representation of all these IPs with they weight in term of events.
165 source IPs calling SIG 2011067
Are these source IPs involved in other activities ? Surely yes 🙂 After some crazy SQL queries on our HoneyNet database, we got these results.
45 others exploits where detected from the same source IPs who are exploiting the Joomla wgPicasa component LFI vulnerability.
Some of these 45 exploits are targeting others LFI exploits, for examples :
Joomla Component com_ccnewsletter controller
Ideal MooFAQ Joomla Component file_includer.php
rgboard _footer.php skin_path parameter
phpSkelSite TplSuffix parameter
MODx CMS snippet.reflect.php reflect_base
TBmnetCMS index.php content Parameter
etc.
Some of these 45 exploits are targeting RFI exploits, for examples :
Some of these 45 exploits are trying SQL injection, for examples :
MYSQL SELECT CONCAT SQL Injection
SQL Injection Attempt UNION SELECT
SQL Injection Attempt SELECT FROM
Here under an afterglow representation of the interactions between all source IPs and them attached exploits attempts.
All SIGs attached to the 165 SIG 2011067 source IPs
We can clearly see that most of these source IPs are controlled by Remote File Inclusion botnets, but some of them are standalone and only exploiting the particular Joomla wgPicasa component LFI.
