Re: Abuse notice regarding v236081616 - vServer BRONZE
Suspect URL:
http://rampke.de/wp-content/uploads/cgi3/netbnxlog/index.html
IP address: 188.40.187.158
At 12/Jun/2011:09:08:06 +0200 several POST requests were made to a "lib1.php" in the wp-content/uploads directory of the WordPress installation at http://rampke.de/. Excerpt from the Apache access.log:
117.18.231.32 - - [12/Jun/2011:09:08:06 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 18635 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:16 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 10247 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:24 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 10774 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:32 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 10362 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:41 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8825 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:48 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8827 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:53 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8225 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:59 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8342 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:09:08 +0200] "GET /wp-content/uploads/js_cache/nothing/radio.html HTTP/1.1" 200 1659 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; eng; rv:1.8.0.5) Gecko/20060706 Firefox/2.0.0.5"
117.18.231.32 - - [12/Jun/2011:09:09:13 +0200] "GET /wp-content/uploads/js_cache/nothing/wooden.php?part=sec HTTP/1.1" 200 209 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; eng; rv:1.8.0.5) Gecko/20060706 Firefox/2.0.0.5"
WordPress is at the current version 3.1.3 and was updated to this version as soon as it came out.
There is one earlier reference to this file in the logs:
89.191.137.11 - - [19/May/2011:06:15:58 +0200] "GET /wp-content/uploads/lib1.php HTTP/1.0" 200 14681 "-" "Mozilla/4.0 (compatible; ICS)"
Apparently this file was placed there before the latest WordPress update, presumably through one of the vulnerabilities fixed in WP 3.1.3.
Several illicit files were present in the WordPress directory, namely:
wp-content/uploads/cgi1
wp-content/uploads/cgi1/netbnxlog
wp-content/uploads/cgi1/netbnxlog/d.php
wp-content/uploads/cgi1/netbnxlog/mata.png
wp-content/uploads/cgi1/netbnxlog/favicon.ico
wp-content/uploads/cgi1/netbnxlog/d.png
wp-content/uploads/cgi1/netbnxlog/cont.png
wp-content/uploads/cgi1/netbnxlog/confirm.php
wp-content/uploads/cgi1/netbnxlog/cyb.js
wp-content/uploads/cgi1/netbnxlog/last.png
wp-content/uploads/cgi1/netbnxlog/pss.png
wp-content/uploads/cgi1/netbnxlog/pss.php
wp-content/uploads/cgi1/netbnxlog/go.png
wp-content/uploads/cgi1/netbnxlog/index.html
wp-content/uploads/cgi1.tar.gz
wp-content/uploads/cgi2
wp-content/uploads/cgi2/netbnxlog
wp-content/uploads/cgi2/netbnxlog/d.php
wp-content/uploads/cgi2/netbnxlog/mata.png
wp-content/uploads/cgi2/netbnxlog/favicon.ico
wp-content/uploads/cgi2/netbnxlog/d.png
wp-content/uploads/cgi2/netbnxlog/cont.png
wp-content/uploads/cgi2/netbnxlog/confirm.php
wp-content/uploads/cgi2/netbnxlog/cyb.js
wp-content/uploads/cgi2/netbnxlog/last.png
wp-content/uploads/cgi2/netbnxlog/pss.png
wp-content/uploads/cgi2/netbnxlog/pss.php
wp-content/uploads/cgi2/netbnxlog/go.png
wp-content/uploads/cgi2/netbnxlog/index.html
wp-content/uploads/cgi3
wp-content/uploads/cgi3/netbnxlog
wp-content/uploads/cgi3/netbnxlog/d.php
wp-content/uploads/cgi3/netbnxlog/mata.png
wp-content/uploads/cgi3/netbnxlog/favicon.ico
wp-content/uploads/cgi3/netbnxlog/d.png
wp-content/uploads/cgi3/netbnxlog/cont.png
wp-content/uploads/cgi3/netbnxlog/confirm.php
wp-content/uploads/cgi3/netbnxlog/cyb.js
wp-content/uploads/cgi3/netbnxlog/last.png
wp-content/uploads/cgi3/netbnxlog/pss.png
wp-content/uploads/cgi3/netbnxlog/pss.php
wp-content/uploads/cgi3/netbnxlog/go.png
wp-content/uploads/cgi3/netbnxlog/index.html
wp-content/uploads/cgi4
wp-content/uploads/cgi4/netbnxlog
wp-content/uploads/cgi4/netbnxlog/d.php
wp-content/uploads/cgi4/netbnxlog/mata.png
wp-content/uploads/cgi4/netbnxlog/favicon.ico
wp-content/uploads/cgi4/netbnxlog/d.png
wp-content/uploads/cgi4/netbnxlog/cont.png
wp-content/uploads/cgi4/netbnxlog/confirm.php
wp-content/uploads/cgi4/netbnxlog/cyb.js
wp-content/uploads/cgi4/netbnxlog/last.png
wp-content/uploads/cgi4/netbnxlog/pss.png
wp-content/uploads/cgi4/netbnxlog/pss.php
wp-content/uploads/cgi4/netbnxlog/go.png
wp-content/uploads/cgi4/netbnxlog/index.html
wp-content/uploads/create.php
wp-content/uploads/js_cache
wp-content/uploads/js_cache/tinymce_f88cc86145c286b69cc9e8599d87b77d.gz
wp-content/uploads/js_cache/nothing
wp-content/uploads/js_cache/nothing/wooden.php
wp-content/uploads/js_cache/nothing/radio.html
wp-content/uploads/lib1.php
wp-content/uploads/sitemap.php
wp-content/uploads/stats.php
google35c744a5a5.php
The integrity of all other files has been checked via MD5 checksums against a local copy of the distribution files.
No unexpected files were found in any other Apache-writable directories.
No unexpected setuid files were found on the system. No checksum mismatches versus the installed Debian packages were found using debsums.
The files named above have been removed.
All SSH keys have been retired as an act of caution, although there are no signs of any access beyond the www-data user.
ExecCGI has been disabled for the wp-content/uploads directory.
The vulnerable software had already been updated between the breach and the actual abuse.
I hereby declare that
- I have removed all malicious data from the vServer BRONZE v236081616
- I have taken all necessary measures to ensure that such an incident does not occur again.
Matthias Rampke
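The log triage described in the report (requests to a script under wp-content/uploads, POSTs with neither Referer nor User-Agent, and the earliest reference to the file) can be automated. The following is an added example and not part of the original report or of WordPress: it parses Apache "combined" format lines with a regular expression, flags anything executable under the uploads directory, and records when each such file was first requested. The sample lines are copied from the report above; the final line for 203.0.113.5 is a constructed benign request added for contrast.

```python
"""Triage an Apache access log for web-shell activity under wp-content/uploads.

Added example (not code from the original report).  It answers the three
questions the report answers by hand: which requests hit executable files
under the uploads directory, which of those look like automated shell
traffic (POST with no Referer and no User-Agent), and when each such file
was first requested.  SAMPLE_LOG is copied from the report; the last line
(203.0.113.5) is constructed.
"""
import re
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Nothing server-side executable belongs in an upload directory.
SCRIPT_RE = re.compile(r"^/wp-content/uploads/.*\.(php\d?|phtml|pl|cgi|py)(\?|$)")


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["file"] = rec["path"].split("?", 1)[0]  # request path without query string
    return rec


def triage(lines):
    """Summarise suspicious activity in the given log lines as a dict."""
    records = [r for r in map(parse_line, lines) if r]
    scripts = [r for r in records if SCRIPT_RE.match(r["path"])]
    # Web-shell clients typically send neither Referer nor User-Agent.
    blind_posts = [r for r in scripts
                   if r["method"] == "POST" and r["referer"] == "-" and r["ua"] == "-"]
    first_seen = {}  # file -> earliest request time, to date the intrusion
    for r in scripts:
        if r["file"] not in first_seen or r["time"] < first_seen[r["file"]]:
            first_seen[r["file"]] = r["time"]
    return {
        "parsed": len(records),
        "script_hits": scripts,
        "blind_posts": blind_posts,
        "source_ips": sorted({r["ip"] for r in scripts}),
        "first_seen": first_seen,
    }


SAMPLE_LOG = """
117.18.231.32 - - [12/Jun/2011:09:08:06 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 18635 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:16 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 10247 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:24 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 10774 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:32 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 10362 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:41 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8825 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:48 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8827 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:53 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8225 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:08:59 +0200] "POST /wp-content/uploads/lib1.php HTTP/1.1" 200 8342 "-" "-"
117.18.231.32 - - [12/Jun/2011:09:09:08 +0200] "GET /wp-content/uploads/js_cache/nothing/radio.html HTTP/1.1" 200 1659 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; eng; rv:1.8.0.5) Gecko/20060706 Firefox/2.0.0.5"
117.18.231.32 - - [12/Jun/2011:09:09:13 +0200] "GET /wp-content/uploads/js_cache/nothing/wooden.php?part=sec HTTP/1.1" 200 209 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; eng; rv:1.8.0.5) Gecko/20060706 Firefox/2.0.0.5"
89.191.137.11 - - [19/May/2011:06:15:58 +0200] "GET /wp-content/uploads/lib1.php HTTP/1.0" 200 14681 "-" "Mozilla/4.0 (compatible; ICS)"
203.0.113.5 - - [12/Jun/2011:09:10:00 +0200] "GET /wp-content/uploads/2011/06/photo.jpg HTTP/1.1" 200 45231 "http://rampke.de/" "Mozilla/5.0 (X11; Linux x86_64)"
""".strip().splitlines()


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['parsed']} lines parsed, {len(result['script_hits'])} script hits, "
          f"{len(result['blind_posts'])} blind POSTs from {result['source_ips']}")
    for path, when in sorted(result["first_seen"].items(), key=lambda kv: kv[1]):
        print(f"{when:%d/%b/%Y:%H:%M:%S}  first request for {path}")
```

On a real system, feed it the rotated logs as well (`zcat access.log.*.gz`), because the first request for a dropped file is often weeks before the abuse that gets noticed, as the 19/May entry above illustrates.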
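The report verifies the remaining files by comparing MD5 checksums against a local copy of the distribution. The script below is an added example, not code from the report or from WordPress, that does the same comparison generically: it hashes two directory trees and reports files that are extra, missing or modified, skipping path prefixes that legitimately differ (here only wp-config.php, so that the uploads directory still shows up and can be screened for script files). The two demo trees are built with tempfile and contain made-up contents; the file names merely mirror the kinds of findings in the report.

```python
"""Compare an installed web application tree against a pristine distribution copy.

Added example, not from the original report.  The report did this with md5
checksums; this version uses hashlib (sha256 by default) and lets the caller
name path prefixes that are expected to differ.  build_demo() constructs two
small trees in a temporary directory; their contents are invented.
"""
import hashlib
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = (".php", ".php5", ".phtml", ".pl", ".cgi", ".py")


def hash_tree(root, algo="sha256"):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            h = hashlib.new(algo)
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(reference, installed, ignore_prefixes=(), algo="sha256"):
    """Return {'extra', 'missing', 'modified', 'suspicious_extras'} as sorted lists.

    ignore_prefixes: relative paths (e.g. 'wp-config.php') that are expected
    to differ and are excluded from every category.  'suspicious_extras' are
    the extra files whose suffix marks them as server-side executable."""
    ref = hash_tree(reference, algo)
    inst = hash_tree(installed, algo)

    def ignored(p):
        return any(p.startswith(pre) for pre in ignore_prefixes)

    ref_paths = {p for p in ref if not ignored(p)}
    inst_paths = {p for p in inst if not ignored(p)}
    extra = sorted(inst_paths - ref_paths)
    return {
        "extra": extra,
        "missing": sorted(ref_paths - inst_paths),
        "modified": sorted(p for p in ref_paths & inst_paths if ref[p] != inst[p]),
        "suspicious_extras": [p for p in extra if p.endswith(SCRIPT_SUFFIXES)],
    }


def build_demo():
    """Construct a tiny distribution tree and a tampered installed tree (made-up data)."""
    base = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    ref, inst = base / "dist", base / "site"
    files = {
        "index.php": b"<?php require 'wp-blog-header.php';\n",
        "wp-includes/functions.php": b"<?php function wp_x() {}\n",
        "wp-content/plugins/akismet/akismet.php": b"<?php // plugin\n",
    }
    for rel, body in files.items():
        for tree in (ref, inst):
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tree / rel).write_bytes(body)
    # Legitimate site-specific differences.
    (inst / "wp-config.php").write_bytes(b"<?php define('DB_NAME', 'demo');\n")
    (inst / "wp-content/uploads/2011/06").mkdir(parents=True)
    (inst / "wp-content/uploads/2011/06/photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    # What an intruder leaves behind: a script in uploads, a trojaned core file.
    (inst / "wp-content/uploads/lib1.php").write_bytes(b"<?php /* dropped shell */\n")
    (inst / "wp-includes/functions.php").write_bytes(
        b"<?php function wp_x() {} /* appended backdoor */\n")
    return ref, inst


def demo_report():
    ref, inst = build_demo()
    return compare_trees(ref, inst, ignore_prefixes=("wp-config.php",))


if __name__ == "__main__":
    for category, paths in demo_report().items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

Plugins and themes need their own reference copies at the exact installed versions, otherwise they all surface as "extra"; and a trojaned file that keeps its original size, as the modified wp-includes/functions.php here does not, is caught only by the hash, never by a listing.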
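The report states that ExecCGI was disabled for wp-content/uploads. The fragment below is an added example of an Apache configuration for that directory, not the configuration from the report, and it goes beyond what the report describes: `Options -ExecCGI` only prevents execution when PHP is run through a CGI/FastCGI handler that requires it, whereas mod_php ignores ExecCGI, so the example also switches the PHP engine off and refuses to serve script-like files outright. The DocumentRoot path, the module name mod_php5.c (newer releases call it mod_php7.c or mod_php.c) and the Apache 2.4 `Require` syntax (Apache 2.2 uses `Order deny,allow` / `Deny from all`) are assumptions to adapt to the actual host.

```apache
# Added example, not the report's own configuration.  Stops the web server
# from executing anything an attacker drops into the WordPress upload
# directory.  Paths and module names are assumptions (see the lead-in).
<Directory /var/www/rampke.de/wp-content/uploads>
    # The fix named in the report.  Only effective when PHP is executed via
    # a CGI/FastCGI handler (Action/AddHandler) that needs ExecCGI.
    Options -ExecCGI

    # mod_php does not consult ExecCGI; disable the interpreter explicitly.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>

    # Refuse to serve script-like files at all, so that a later handler
    # change cannot silently make them executable again.  Apache 2.4 syntax.
    <FilesMatch "\.(php\d?|phtml|phar|pl|py|cgi|sh)$">
        Require all denied
    </FilesMatch>

    # An attacker who can write to uploads can also write a .htaccess file;
    # make sure it cannot re-enable any of the above.
    AllowOverride None
</Directory>
```

After changing the configuration, confirm the result from the outside with a request for a harmless test file placed in the directory (for example a `.php` file containing only `<?php echo 1;`): a 403, or the file's literal source being returned, shows execution is off; a `1` means the handler is still active.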