A few days ago, we released a new agent version (1.23.3), which contains several important developments:
- We added two new SenseLog rules. The first one detects arbitrary file uploader bots, and the second one detects Joomla spam registrations.
- SenseLog is prepared for future remote config update.
- Instant blacklist action added to WAF Manager. It can be enabled for rules in the config.ini.
- Virtual WAF honeypotify command added to CLI. It could be useful for blocking web shell access.
We'd like to talk a bit more about the first point; the new SenseLog rules.
SenseLog rule against arbitrary file uploader botnet
Recently, we noticed suspicious requests on one of our servers. A quick grep of the access logs showed 105 POST requests that hit a non-existent upload.php:
cat access_*.log | grep POST | grep " 404 " | grep upload.php | wc -l
105
Here are some log lines from this botnet:
126.96.36.199 - - [30/Aug/2018:02:02:29 +0200] "POST /wp-content/uploads/uigen_YEAR/file.php HTTP/1.1" 404 9873 "-" "-"
188.8.131.52 - - [30/Aug/2018:02:02:47 +0200] "POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1" 404 9881 "-" "-"
184.108.40.206 - - [30/Aug/2018:02:02:56 +0200] "POST /wp-content/plugins/asset-manager/upload.php HTTP/1.1" 404 9869 "-" "-"
220.127.116.11 - - [30/Aug/2018:02:03:13 +0200] "POST /wp-content/plugins/barclaycart/uploadify/uploadify.php HTTP/1.1" 404 9875 "-" "-"
18.104.22.168 - - [30/Aug/2018:02:03:23 +0200] "POST /wp-content/plugins/wpstorecart/php/upload.php HTTP/1.1" 404 9871 "-" "-"
22.214.171.124 - - [30/Aug/2018:02:03:32 +0200] "POST /wp-content/themes/betheme/muffin-options/fields/upload/field_upload.php HTTP/1.1" 404 9887 "-" "-"
126.96.36.199 - - [30/Aug/2018:02:03:42 +0200] "POST /wp-content/plugins/cherry-plugin/admin/import-export/upload.php HTTP/1.1" 404 9881 "-" "-"
188.8.131.52 - - [30/Aug/2018:02:03:51 +0200] "POST /wp-content/plugins/omni-secure-files/plupload/examples/upload.php HTTP/1.1" 404 9882 "-" "-"
184.108.40.206 - - [30/Aug/2018:02:04:00 +0200] "POST /wp-content/themes/konzept/includes/uploadify/upload.php HTTP/1.1" 404 9879 "-" "-"
220.127.116.11 - - [30/Aug/2018:02:04:10 +0200] "POST /wp-content/plugins/contus-video-galleryversion-10/upload1.php HTTP/1.1" 404 9883 "-" "-"
The botnet posts to a long list of upload URIs, each belonging to a known arbitrary file upload vulnerability in a WordPress plugin or theme. A 404 only means that component is not installed on this site; on a site where one of them answers, the bot uploads a backdoor or a web shell. Note the empty referer and user agent ("-" "-"), which is typical for this kind of scanner.
These are just some examples of what kind of vulnerabilities are used by the botnet:
- WordPress Plugin ACF Frontend Display 2.0.5 - Arbitrary File Upload
- WordPress Plugin Simple Ads Manager 2.5.94 - Arbitrary File Upload (CVE-2015-2825)
- WordPress Plugin Asset-Manager - Arbitrary '.PHP' File Upload (Metasploit)
- appRain CMF 0.1.5 - 'Uploadify.php' Unrestricted Arbitrary File Upload (CVE-2012-1153)
- WordPress Plugin wpStoreCart 2.5.27-2.5.29 - Arbitrary File Upload (CVE-2012-3576)
- WordPress Plugin dzs-zoomsounds 2.0 - Arbitrary File Upload
- Arbitrary File Upload Vulnerability in PitchPrint
- WordPress Plugin Reflex Gallery 3.1.3 - Arbitrary File Upload
In order to protect your servers against such attacks, we added the following URI patterns to the SenseLog module. A POST to one of them that results in a 404 is treated as a malicious probe, and SenseLog blacklists the source IP:
- 'uigen_YEAR\/file.php'
- 'uploadify\/uploadify.php'
- 'uploadify\/upload_settings_image.php'
- 'upload.php'
- 'upload-header.php'
- 'upload-handler.php'
- 'file_upload.php'
- 'elements\/udd.php'
- 'uploader.php'
- 'csv_uploader.php'
- 'image-upload.php'
- 'upload_handler.php'
- 'upload\/field_upload.php'
- 'simple-ads-manager\/sam-ajax-admin.php'
- 'server\/images.php'
- 'FileUploader\/php.php'
- 'font-uploader\/font-upload.php'
- 'upload\/php.php'
- 'PHP\/eval-stdin.php'
- 'ofc_upload_image.php?name=.*?.php'
Nearly all of these are WordPress plugin or theme paths (the exception is PHP/eval-stdin.php, which is the PHPUnit path and hits any site that ships a vulnerable vendored PHPUnit); the last one belongs to Joomla.
From agent version 1.23.3, this new SenseLog rule is active, so the botnet's probing IPs get blocked before they find a vulnerable uploader on your server.
SPOILER: Soon our WAF 2.0 module will detect every arbitrary file upload in WordPress.
SenseLog rule against spam user registrations
The registration page of a Joomla site is reachable directly under /index.php/component/users/?view=registration, even if the owner has removed the link from the site's menus. Registration can be disabled entirely (Users > Options > Allow User Registration), but most Joomla users don't turn it off.
That's why a botnet can easily register new users that post spam comments. Here's an example of how a bot tried to create a spam user:
18.104.22.168 - - [16/Apr/2017:01:36:49 +0200] "POST /index.php/component/users/?task=registration.register HTTP/1.0" 303 - "http://#######.com/index.php/component/users/?view=registration" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.82 Safari/537.36 OPR/35.0.2066.37"
Don't worry, with BitNinja Pro (>=1.23.3) your Joomla sites are covered: we added a new rule to the SenseLog module that detects repeated POSTs to the registration.register task and blocks the source.
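Both SenseLog rules in this post boil down to the same thing: parse the access log, match a request against a pattern, count hits per source IP, and blacklist the IP once it passes a threshold. The script below is an added example written for this post, not BitNinja's own SenseLog code, that does exactly that for the two rules above over a few constructed log lines (the upload probes are taken from the lines shown earlier; the IPs 10.0.0.5 and 10.0.0.7 and the thresholds of 2 upload probes and 3 registrations are assumptions). One caveat worth noting: the last pattern in the list, 'ofc_upload_image.php?name=.*?.php', does not match its own target when used as a raw regex, because the unescaped '?' makes the preceding 'p' optional instead of matching the query string; the example escapes it. The other patterns are used as written, so the unescaped '.' matches any character, which is harmless here because only 404 POSTs are counted.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD URI PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The 404 URI patterns from the post. Only the last one is changed: '?' and '.' escaped
# so the regex really matches "ofc_upload_image.php?name=<anything>.php".
UPLOAD_404_PATTERNS = [
    r'uigen_YEAR\/file.php', r'uploadify\/uploadify.php', r'uploadify\/upload_settings_image.php',
    r'upload.php', r'upload-header.php', r'upload-handler.php', r'file_upload.php',
    r'elements\/udd.php', r'uploader.php', r'csv_uploader.php', r'image-upload.php',
    r'upload_handler.php', r'upload\/field_upload.php', r'simple-ads-manager\/sam-ajax-admin.php',
    r'server\/images.php', r'FileUploader\/php.php', r'font-uploader\/font-upload.php',
    r'upload\/php.php', r'PHP\/eval-stdin.php', r'ofc_upload_image\.php\?name=.*?\.php',
]
UPLOAD_404_RE = re.compile('|'.join(UPLOAD_404_PATTERNS), re.IGNORECASE)

# Joomla registration form submission (the task parameter from the log line in the post).
JOOMLA_REGISTER_RE = re.compile(r'task=registration\.register')

# Assumed thresholds (hits per IP over the analysed log window); not BitNinja's values.
THRESHOLDS = {'upload_404': 2, 'joomla_register': 3}


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def classify(entry):
    """Return the name of the rule this request trips, or None for a benign request."""
    if entry['method'] != 'POST':
        return None
    # Rule 1: POST to a known uploader path that does not exist on this site.
    if entry['status'] == 404 and UPLOAD_404_RE.search(entry['uri']):
        return 'upload_404'
    # Rule 2: POST to the Joomla registration task (any status; spam bots get the 303 too).
    if JOOMLA_REGISTER_RE.search(entry['uri']):
        return 'joomla_register'
    return None


def count_hits(lines):
    """Count rule hits per source IP: {ip: {rule: count}}. Unparseable lines are skipped."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        rule = classify(entry)
        if rule:
            hits[entry['ip']][rule] += 1
    return {ip: dict(rules) for ip, rules in hits.items()}


def blocklist(lines, thresholds=THRESHOLDS):
    """IPs that reached the threshold of any rule, sorted for stable output."""
    return sorted(ip for ip, rules in count_hits(lines).items()
                  if any(rules.get(rule, 0) >= limit for rule, limit in thresholds.items()))


# Constructed sample log: probe lines from the post plus assumed benign and spam-registration traffic.
SAMPLE_LOG = """\
126.96.36.199 - - [30/Aug/2018:02:02:29 +0200] "POST /wp-content/uploads/uigen_YEAR/file.php HTTP/1.1" 404 9873 "-" "-"
126.96.36.199 - - [30/Aug/2018:02:02:47 +0200] "POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1" 404 9881 "-" "-"
126.96.36.199 - - [30/Aug/2018:02:02:56 +0200] "POST /wp-content/plugins/asset-manager/upload.php HTTP/1.1" 404 9869 "-" "-"
126.96.36.199 - - [30/Aug/2018:02:03:13 +0200] "POST /wp-content/plugins/barclaycart/uploadify/uploadify.php HTTP/1.1" 404 9875 "-" "-"
188.8.131.52 - - [30/Aug/2018:02:03:23 +0200] "POST /wp-content/plugins/wpstorecart/php/upload.php HTTP/1.1" 404 9871 "-" "-"
188.8.131.52 - - [30/Aug/2018:02:03:40 +0200] "POST /tmp-upload-images/ofc_upload_image.php?name=shell.php HTTP/1.1" 404 9870 "-" "-"
10.0.0.5 - - [30/Aug/2018:02:04:00 +0200] "POST /wp-admin/async-upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Aug/2018:02:04:10 +0200] "GET /wp-content/plugins/asset-manager/upload.php HTTP/1.1" 404 9869 "-" "Mozilla/5.0"
18.104.22.168 - - [16/Apr/2017:01:36:49 +0200] "POST /index.php/component/users/?task=registration.register HTTP/1.0" 303 - "http://example.com/" "Mozilla/5.0"
18.104.22.168 - - [16/Apr/2017:01:36:52 +0200] "POST /index.php/component/users/?task=registration.register HTTP/1.0" 303 - "http://example.com/" "Mozilla/5.0"
18.104.22.168 - - [16/Apr/2017:01:36:55 +0200] "POST /index.php/component/users/?task=registration.register HTTP/1.0" 303 - "http://example.com/" "Mozilla/5.0"
10.0.0.7 - - [16/Apr/2017:01:40:00 +0200] "POST /index.php/component/users/?task=registration.register HTTP/1.1" 303 - "http://example.com/" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for ip, rules in count_hits(SAMPLE_LOG.splitlines()).items():
        print(ip, rules)
    print('block:', blocklist(SAMPLE_LOG.splitlines()))
```

The legitimate POST to /wp-admin/async-upload.php is not counted because it answered 200, and the GET to a probed path is ignored because only POSTs are scored; the single registration from 10.0.0.7 stays under the threshold while the three rapid ones from the same bot IP cross it. A production rule would additionally bound the count to a time window and expire the block, which this example leaves out.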
Protect your servers with BitNinja
Don't let your servers be hacked! Take control of your servers and kick the hackers' butts with the help of BitNinja. As you can see, we are continuously releasing new developments in order to harden the protection shield. If you are not part of our Ninja Community yet, join us now! Enjoy the hands-off security. Sign up for the 7-day free trial.