@matthiasr
Created June 13, 2011 13:24
2pktfkt.de breach post-mortem
MARKDOWN ?= markdown

all: report.html

%.html: %.md
	echo "<!doctype html>" > $@
	echo "<html><body>" >> $@
	$(MARKDOWN) $< >> $@
	echo "</body></html>" >> $@

clean:
	rm -f report.html

Abuse report response

Re: Abuse notice regarding v236081616 - vServer BRONZE

Suspect URL:

http://rampke.de/wp-content/uploads/cgi3/netbnxlog/index.html

IP address: 188.40.187.158

Situation/logfile analysis:

At 12/Jun/2011:09:08:06 +0200, several POST requests were made to a "lib1.php" in the wp-content/uploads directory of the WordPress installation at http://rampke.de/. Excerpt from the Apache access.log:

117.18.231.32 - - [12/Jun/2011:09:08:06 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 18635 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:16 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 10247 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:24 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 10774 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:32 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 10362 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:41 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8825 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:48 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8827 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:53 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8225 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:59 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8342 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:09:08 +0200] "GET /wp-content/uploads/js_cache/nothing/radio.html HTTP/1.1" 200 1659  "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; eng; rv:1.8.0.5) Gecko/20060706 Firefox/2.0.0.5"
117.18.231.32 - - [12/Jun/2011:09:09:13 +0200] "GET /wp-content/uploads/js_cache/nothing/wooden.php?part=sec HTTP/1.1"  200 209 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; eng; rv:1.8.0.5) Gecko/20060706 Firefox/2.0.0.5"

WordPress is at the current version 3.1.3 and was updated to this version as soon as it was released.

There is one earlier reference to this file in the logs:

89.191.137.11 - - [19/May/2011:06:15:58 +0200] "GET /wp-content/uploads/lib1.php HTTP/1.0" 200 14681 "-" "Mozilla/4.0 (compatible; ICS)"

Apparently this file was placed there before the latest WordPress update, presumably through one of the vulnerabilities fixed in WP 3.1.3.
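The triage step described above (finding every request that executed a script under wp-content/uploads, and the earliest reference to each file) can be automated. The following is an added example, not part of the original report: it parses Apache combined-format log lines, flags requests whose path lies under the uploads directory and ends in a script extension, and reports the first sighting of each such path plus a per-source tally. The sample input is the log excerpt quoted above; the prefix, extension list and function names are my own choices.

```python
"""Triage an Apache access log for script execution under wp-content/uploads."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the access.log excerpts quoted in the report above.
SAMPLE_LOG = """\
117.18.231.32 - - [12/Jun/2011:09:08:06 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 18635 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:16 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 10247 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:24 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 10774 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:32 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 10362 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:41 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8825 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:48 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8827 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:53 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8225 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:59 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8342 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:09:08 +0200] "GET /wp-content/uploads/js_cache/nothing/radio.html HTTP/1.1" 200 1659  "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; eng; rv:1.8.0.5) Gecko/20060706 Firefox/2.0.0.5"
117.18.231.32 - - [12/Jun/2011:09:09:13 +0200] "GET /wp-content/uploads/js_cache/nothing/wooden.php?part=sec HTTP/1.1"  200 209 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; eng; rv:1.8.0.5) Gecko/20060706 Firefox/2.0.0.5"
89.191.137.11 - - [19/May/2011:06:15:58 +0200] "GET /wp-content/uploads/lib1.php HTTP/1.0" 200 14681 "-" "Mozilla/4.0 (compatible; ICS)"
"""

# Apache "combined" format; \s+ between fields tolerates the double spaces in the excerpt.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)\s+'
    r'"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"'
)

# Assumptions: the uploads directory should only ever serve static media,
# so any request for a script extension beneath it is worth a look.
UPLOADS_PREFIX = "/wp-content/uploads/"
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".cgi", ".pl")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_script_hit(rec):
    path = rec["path"].split("?", 1)[0].lower()   # ignore the query string
    return path.startswith(UPLOADS_PREFIX) and path.endswith(SCRIPT_EXT)


def find_script_hits(records):
    return [r for r in records if is_script_hit(r)]


def earliest_by_path(hits):
    """Map each hit path (query stripped) to the ISO timestamp of its first appearance."""
    first = {}
    for r in sorted(hits, key=lambda r: r["when"]):
        first.setdefault(r["path"].split("?", 1)[0], r["when"].isoformat())
    return first


def requests_by_source(hits):
    """Count hits per (source IP, method) pair."""
    return Counter((r["ip"], r["method"]) for r in hits)


if __name__ == "__main__":
    hits = find_script_hits(parse_log(SAMPLE_LOG))
    for path, when in earliest_by_path(hits).items():
        print(f"first seen {when}  {path}")
    for (ip, method), n in requests_by_source(hits).most_common():
        print(f"{n:4d} {method:5s} from {ip}")
```

Run against the full access.log (and rotated copies) rather than the excerpt: the earliest timestamp per path is the one that bounds when the file was planted, which is what places the breach before the 3.1.3 update here.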

Several illicit files were present in the WordPress directory, namely:

wp-content/uploads/cgi1
wp-content/uploads/cgi1/netbnxlog
wp-content/uploads/cgi1/netbnxlog/d.php
wp-content/uploads/cgi1/netbnxlog/mata.png
wp-content/uploads/cgi1/netbnxlog/favicon.ico
wp-content/uploads/cgi1/netbnxlog/d.png
wp-content/uploads/cgi1/netbnxlog/cont.png
wp-content/uploads/cgi1/netbnxlog/confirm.php
wp-content/uploads/cgi1/netbnxlog/cyb.js
wp-content/uploads/cgi1/netbnxlog/last.png
wp-content/uploads/cgi1/netbnxlog/pss.png
wp-content/uploads/cgi1/netbnxlog/pss.php
wp-content/uploads/cgi1/netbnxlog/go.png
wp-content/uploads/cgi1/netbnxlog/index.html
wp-content/uploads/cgi1.tar.gz
wp-content/uploads/cgi2
wp-content/uploads/cgi2/netbnxlog
wp-content/uploads/cgi2/netbnxlog/d.php
wp-content/uploads/cgi2/netbnxlog/mata.png
wp-content/uploads/cgi2/netbnxlog/favicon.ico
wp-content/uploads/cgi2/netbnxlog/d.png
wp-content/uploads/cgi2/netbnxlog/cont.png
wp-content/uploads/cgi2/netbnxlog/confirm.php
wp-content/uploads/cgi2/netbnxlog/cyb.js
wp-content/uploads/cgi2/netbnxlog/last.png
wp-content/uploads/cgi2/netbnxlog/pss.png
wp-content/uploads/cgi2/netbnxlog/pss.php
wp-content/uploads/cgi2/netbnxlog/go.png
wp-content/uploads/cgi2/netbnxlog/index.html
wp-content/uploads/cgi3
wp-content/uploads/cgi3/netbnxlog
wp-content/uploads/cgi3/netbnxlog/d.php
wp-content/uploads/cgi3/netbnxlog/mata.png
wp-content/uploads/cgi3/netbnxlog/favicon.ico
wp-content/uploads/cgi3/netbnxlog/d.png
wp-content/uploads/cgi3/netbnxlog/cont.png
wp-content/uploads/cgi3/netbnxlog/confirm.php
wp-content/uploads/cgi3/netbnxlog/cyb.js
wp-content/uploads/cgi3/netbnxlog/last.png
wp-content/uploads/cgi3/netbnxlog/pss.png
wp-content/uploads/cgi3/netbnxlog/pss.php
wp-content/uploads/cgi3/netbnxlog/go.png
wp-content/uploads/cgi3/netbnxlog/index.html
wp-content/uploads/cgi4
wp-content/uploads/cgi4/netbnxlog
wp-content/uploads/cgi4/netbnxlog/d.php
wp-content/uploads/cgi4/netbnxlog/mata.png
wp-content/uploads/cgi4/netbnxlog/favicon.ico
wp-content/uploads/cgi4/netbnxlog/d.png
wp-content/uploads/cgi4/netbnxlog/cont.png
wp-content/uploads/cgi4/netbnxlog/confirm.php
wp-content/uploads/cgi4/netbnxlog/cyb.js
wp-content/uploads/cgi4/netbnxlog/last.png
wp-content/uploads/cgi4/netbnxlog/pss.png
wp-content/uploads/cgi4/netbnxlog/pss.php
wp-content/uploads/cgi4/netbnxlog/go.png
wp-content/uploads/cgi4/netbnxlog/index.html
wp-content/uploads/create.php
wp-content/uploads/js_cache
wp-content/uploads/js_cache/tinymce_f88cc86145c286b69cc9e8599d87b77d.gz
wp-content/uploads/js_cache/nothing
wp-content/uploads/js_cache/nothing/wooden.php
wp-content/uploads/js_cache/nothing/radio.html
wp-content/uploads/lib1.php
wp-content/uploads/sitemap.php
wp-content/uploads/stats.php
google35c744a5a5.php

The integrity of all other files has been checked via MD5 checksums against a local copy of the distribution files.

No unexpected files were found in any other Apache-writable directories.

No unexpected setuid files were found on the system. No checksum mismatches against the installed Debian packages were found using debsums.
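The checksum comparison against a clean distribution copy, as an added example that is not part of the original report: it builds a manifest of a deployed tree, compares it with a manifest taken from (or parsed from md5sum output for) the pristine files, and reports modified, missing and unexpected files, singling out unexpected files with script extensions. The scenario it runs on is constructed inline in temporary directories; the report used MD5, this defaults to SHA-256 with the algorithm as a parameter.

```python
"""Compare a deployed tree against a checksum manifest of clean distribution files."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: anything with one of these extensions that is not in the
# distribution manifest deserves immediate attention.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl", ".py", ".sh")


def file_digest(path, algo="sha256"):
    """Hex digest of a file, read in chunks; pass algo="md5" to match md5sum output."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Walk `root` and return {relative posix path: digest}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}


def parse_md5sum(text):
    """Parse md5sum/sha256sum output: '<hex>  <path>' or '<hex> *<path>'."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, path = line.partition(" ")
        manifest[path.lstrip(" *")] = digest.lower()
    return manifest


def compare_trees(expected, actual):
    """Classify files by comparing the two manifests."""
    modified = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    scripts = [p for p in unexpected if p.lower().endswith(SCRIPT_EXT)]
    return {"modified": modified, "missing": missing,
            "unexpected": unexpected, "unexpected_scripts": scripts}


def demo():
    """Constructed scenario: a clean copy and a deployed copy with one altered core
    file, one legitimate media upload and one planted script."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, deployed = Path(tmp, "clean"), Path(tmp, "deployed")
        for root in (clean, deployed):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-includes" / "functions.php").write_text("<?php // distribution code\n")
            (root / "index.php").write_text("<?php // front controller\n")
        (deployed / "index.php").write_text("<?php // front controller\n// altered\n")
        uploads = deployed / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        (uploads / "lib1.php").write_text("<?php // not part of the distribution\n")
        # Round-trip the clean manifest through checksum-tool text format.
        manifest_text = "\n".join(f"{d}  {p}" for p, d in build_manifest(clean).items())
        expected = parse_md5sum(manifest_text)
        return compare_trees(expected, build_manifest(deployed))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Checking only the web root against distribution files does not cover packages; that is what debsums does for the Debian side, and the two checks together are what let the report bound the compromise to the www-data user.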

Clean-Up:

The files named above have been removed.

All SSH keys have been retired as a precaution, although there are no signs of any access beyond the www-data user.

Mitigation of future attacks:

ExecCGI has been disabled for the wp-content/uploads directory.

The vulnerable software had already been updated between the breach and the actual abuse.

Declaration to cease and desist, and assurance

I hereby declare that

  • I have removed all malicious data from the vServer BRONZE v236081616
  • I have taken all necessary measures to ensure that such an incident does not recur.

Matthias Rampke
