Nofawkx hack: WSO PHP shell uploaded through (very) old tiny_mce

Published on February 10th 2014 - Listed in Hacks Internet BSD

Funny. Right after I posted the previous article (Uploaded and executed perl script through old Joomla vulnerability), I was informed about a hacked customer website on a FreeBSD web server and was asked to help find out how this had happened.

The customer's website didn't really look like a real website anymore. The hackers had enjoyed designing their own little welcome page (and even added some background sound through a YouTube embed code):

hacked by nofawkx

A quick look into the htdocs folder revealed a recent hack:

ls -ltr
total 21
-rw-rw-r--   1 useraccount  useraccount  3033 Nov 27 11:34 index.php
drwxrwxr-x   4 useraccount  useraccount     8 Feb  8 01:08 userfiles
-rw-r--r--   1 useraccount  useraccount  8079 Feb  8 01:09 al.htm

So February 8th, in the early morning... By going through the access logs from that day, I quickly found the source IP ( which was responsible for the hack.

The following POST on a tiny_mce script allowed the hacker to do an upload:

 - - [08/Feb/2014:01:08:45 +0100] "POST /bcms/jscripts/tiny_mce/plugins/smexplorer/index.php?get=5caebac50093f182648b0b9a4c8a6a2fa259e541c69b9836c1a85e94ca35dba8b9e745d659c84c67d7e452caf31354f96d11333adcb95286d9e8c1c0a087c28de751ff236bb2981b44f3229454497d69f4fb9f6c5a5fbfed668ce3504ae41f366f338d1707712e7f0a38119a0e2e6fba416edb2f9c88ceea12e2bfa6bbe4714a18e7515a7beda94315baf3fb6b9c4663205ece4866728202bf9163ddb65db106673767377a0119a93289592dd90002d155025537e56ab386f259a2b69d262669054050875e1c768f3d7e945ed6617d86313007505d0081464f0563d2618258812e895537f8d2a5804b42c97b398bb0c1a45b33358d614fbdde4bf7816a8da3ada811e4afc09b0a770effdbe1520b09e23cac2b6ac630edbd495d34fc8a086c94e77792af8c0af2ecc981fe8483923ea6bf2484960e2cd2e87f&action=upload HTTP/1.1" 200 30572 "" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"

Through that POST, a new file (wso2.5.1.php) was uploaded. Having seen a lot of hacks in the past years, I already knew that this would be a WSO PHP shell.
Visual verification:

wso web shell 

Right after the upload of the web shell, it was executed several times:

 - - [08/Feb/2014:01:08:49 +0100] "GET /userfiles/wso2.5.1.php HTTP/1.1" 200 13929 "" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
 - - [08/Feb/2014:01:08:51 +0100] "POST /userfiles/wso2.5.1.php HTTP/1.1" 200 14966 "" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
 - - [08/Feb/2014:01:08:56 +0100] "POST /userfiles/wso2.5.1.php HTTP/1.1" 200 14966 "" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
 - - [08/Feb/2014:01:09:07 +0100] "POST /userfiles/wso2.5.1.php HTTP/1.1" 200 15593 "" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
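To make this kind of log review repeatable, here is an added Python example (not part of the original post or of any tool it mentions) that parses combined-format access-log lines and flags the two patterns used above: a POST with action=upload to a tiny_mce plugin endpoint, and any request for a .php file under the userfiles upload directory, then names the IPs that did both in that order. The sample log lines and their IPs are constructed, and the list of upload-only directories is an assumption.

```python
import re
from datetime import datetime

# Combined log format as in the excerpts above: ip ident user [ts] "req" status size "ref" "ua".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
UPLOAD_DIRS = ("/userfiles/",)  # assumption: upload-only directories that must never serve PHP

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"], _, rec["query"] = rec["url"].partition("?")
    return rec

def is_upload_post(rec):
    # A POST to a tiny_mce plugin endpoint whose query string carries action=upload.
    return (rec["method"] == "POST" and "/tiny_mce/plugins/" in rec["path"]
            and "action=upload" in rec["query"].split("&"))

def is_php_in_upload_dir(rec):
    # Any request for a .php file below an upload-only directory, whatever the method.
    return rec["path"].startswith(UPLOAD_DIRS) and rec["path"].lower().endswith(".php")

def find_webshell_activity(lines):
    """Collect upload POSTs, PHP hits in upload dirs, and IPs that did both in that order."""
    uploads, executions, first_upload = [], [], {}
    for rec in filter(None, map(parse_line, lines)):
        if is_upload_post(rec):
            uploads.append(rec)
            first_upload.setdefault(rec["ip"], rec["ts"])
        elif is_php_in_upload_dir(rec):
            executions.append(rec)
    suspects = {r["ip"] for r in executions
                if r["ip"] in first_upload and r["ts"] >= first_upload[r["ip"]]}
    return {"uploads": uploads, "executions": executions, "suspects": suspects}

# Constructed sample log; 203.0.113.7 and 198.51.100.20 are documentation-range placeholder IPs.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Feb/2014:01:08:45 +0100] "POST /bcms/jscripts/tiny_mce/plugins/smexplorer/index.php?get=abc&action=upload HTTP/1.1" 200 30572 "" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Feb/2014:01:08:49 +0100] "GET /userfiles/wso2.5.1.php HTTP/1.1" 200 13929 "" "Mozilla/5.0"',
    '198.51.100.20 - - [08/Feb/2014:01:09:00 +0100] "GET /userfiles/image/logo.jpg HTTP/1.1" 200 5120 "" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Feb/2014:21:10:45 +0100] "POST /userfiles/wso2.5.1.php HTTP/1.1" 200 12342 "" "Mozilla/5.0"',
]
if __name__ == "__main__":
    result = find_webshell_activity(SAMPLE_LOG)
    print(len(result["uploads"]), "upload(s),", len(result["executions"]), "PHP hit(s) in upload dirs; suspects:", sorted(result["suspects"]))
```

Point it at a real log with `find_webshell_activity(open("access.log"))`; the benign image request under userfiles is deliberately not flagged, only PHP below the upload directory is.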

The website's index.php was overwritten a few days later, as stat revealed:

stat index.php
4230937973 41 -rw-rw-r-- 1 useraccount useraccount 4294967295 3033 "Feb 10 10:47:42 2014" "Nov 27 11:34:33 2013" "Feb  9 21:10:45 2014" "Feb  9 21:10:45 2014" 7168 5 0 index.php

Unsurprisingly, it was once again the WSO script that caused this change:

 - - [09/Feb/2014:21:10:45 +0100] "POST /userfiles/wso2.5.1.php HTTP/1.1" 200 12342 "" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"

One of the files uploaded by the hacker was called "al.htm" and contained a video with a message from the hacker.
The message was basically that the website had "0 security".
Let's verify whether the hacker was right by checking the version of the abused tiny_mce script:

more bcms/jscripts/tiny_mce/tiny_mce.js
var tinymce={majorVersion:'3',minorVersion:'0.6.2',releaseDate:'2008-04-07'

A tiny_mce script from 2008. Why am I not surprised?

