New SenseLog rules against WordPress and Joomla vulnerabilities
Eniko Toth


A few days ago, we released a new agent version (1.23.3), which contains very important developments:

  • We added two new SenseLog rules. The first one detects arbitrary file uploader bots, and the second one detects Joomla spam registrations.
  • SenseLog is prepared for future remote config updates.
  • Instant blacklist action added to WAF Manager. It can be enabled for rules in the config.ini.
  • Virtual WAF honeypotify command added to CLI. It could be useful for blocking web shell access.

We'd like to talk a bit more about the first point: the new SenseLog rules.


SenseLog rule against arbitrary file uploader botnet

Recently, we noticed a strange series of requests on one of our servers: 105 POST requests to upload.php URIs, all of which were answered with a 404:

cat access_*.log | grep POST | grep " 404 " | grep upload.php | wc -l
105

Here are some logs from this botnet:

 180.235.132.60 - - [30/Aug/2018:02:02:29 +0200] "POST /wp-content/uploads/uigen_YEAR/file.php HTTP/1.1" 404 9873 "-" "-"
 180.235.132.60 - - [30/Aug/2018:02:02:47 +0200] "POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1" 404 9881 "-" "-"
 180.235.132.60 - - [30/Aug/2018:02:02:56 +0200] "POST /wp-content/plugins/asset-manager/upload.php HTTP/1.1" 404 9869 "-" "-"
 180.235.132.60 - - [30/Aug/2018:02:03:13 +0200] "POST /wp-content/plugins/barclaycart/uploadify/uploadify.php HTTP/1.1" 404 9875 "-" "-"
 180.235.132.60 - - [30/Aug/2018:02:03:23 +0200] "POST /wp-content/plugins/wpstorecart/php/upload.php HTTP/1.1" 404 9871 "-" "-"
 180.235.132.60 - - [30/Aug/2018:02:03:32 +0200] "POST /wp-content/themes/betheme/muffin-options/fields/upload/field_upload.php HTTP/1.1" 404 9887 "-" "-"
 180.235.132.60 - - [30/Aug/2018:02:03:42 +0200] "POST /wp-content/plugins/cherry-plugin/admin/import-export/upload.php HTTP/1.1" 404 9881 "-" "-"
 180.235.132.60 - - [30/Aug/2018:02:03:51 +0200] "POST /wp-content/plugins/omni-secure-files/plupload/examples/upload.php HTTP/1.1" 404 9882 "-" "-"
 180.235.132.60 - - [30/Aug/2018:02:04:00 +0200] "POST /wp-content/themes/konzept/includes/uploadify/upload.php HTTP/1.1" 404 9879 "-" "-"
 180.235.132.60 - - [30/Aug/2018:02:04:10 +0200] "POST /wp-content/plugins/contus-video-galleryversion-10/upload1.php HTTP/1.1" 404 9883 "-" "-"

This botnet tries to upload files through a long list of different URIs. It is probing for several known vulnerable upload scripts, and once it finds one that responds, it can upload a backdoor or a web shell.

These are just some examples of the kinds of vulnerabilities the botnet uses:

In order to protect your servers against such attacks, we added the following malicious 404 URIs to the SenseLog module:

    'uigen_YEAR\/file.php',
    'uploadify\/uploadify.php',
    'uploadify\/upload_settings_image.php',
    'upload.php',
    'upload-header.php',
    'upload-handler.php',
    'file_upload.php',
    'elements\/udd.php',
    'uploader.php',
    'csv_uploader.php',
    'image-upload.php',
    'upload_handler.php',
    'upload\/field_upload.php',
    'simple-ads-manager\/sam-ajax-admin.php',
    'server\/images.php',
    'FileUploader\/php.php',
    'font-uploader\/font-upload.php',
    'upload\/php.php',
    'PHP\/eval-stdin.php',
    'ofc_upload_image.php\?name=.*?.php'

These are all WordPress vulnerabilities except the last one, which belongs to Joomla.

This new SenseLog rule is available from agent version 1.23.3 onward, so you don't have to worry about getting infected by this botnet.

SPOILER: Soon our WAF 2.0 module will detect every arbitrary file upload in WordPress.


SenseLog rule against spam user registrations

The registration page of a Joomla site is accessible directly by its URL, even if the owner hides the link to it from the public. There is an option to disable registration completely, but most Joomla users don't enable this feature.

That's why a botnet can easily create a new user which will then post spam comments. Here's an example of how a bot tried to create a spam user:

212.129.49.246 - - [16/Apr/2017:01:36:49 +0200] "POST /index.php/component/users/?task=registration.register HTTP/1.0" 303 - "http://#######.com/index.php/component/users/?view=registration" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.82 Safari/537.36 OPR/35.0.2066.37"

Don't worry: with BitNinja Pro (>=1.23.3) your Joomla sites are safe, as we added a new rule to our SenseLog module which detects such attacks.
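As an added example (not SenseLog's own code, which this post does not publish), here is a small Python scanner that applies both rules described above, the WordPress 404 upload-probe rule and the Joomla spam-registration rule, to the log lines quoted in this post plus a few constructed ones. The combined-log parsing regex, the rule names and the per-IP thresholds are my assumptions. The Joomla pattern is written with `\?` because in a regex an unescaped `?` makes the preceding character optional instead of matching a literal question mark.

```python
"""SenseLog-style log scanner (example code written for this post, not
BitNinja's implementation): parses combined-format access log lines and
applies the two rules described in the post."""
import re
from collections import Counter

# Apache/nginx "combined" log format, the format of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The malicious 404 URI patterns listed in the post, with the PHP-style "\/"
# written as a plain "/" and the "?" of the Joomla query string escaped.
UPLOAD_PROBE_PATTERNS = [
    r'uigen_YEAR/file.php', r'uploadify/uploadify.php',
    r'uploadify/upload_settings_image.php', r'upload.php', r'upload-header.php',
    r'upload-handler.php', r'file_upload.php', r'elements/udd.php',
    r'uploader.php', r'csv_uploader.php', r'image-upload.php',
    r'upload_handler.php', r'upload/field_upload.php',
    r'simple-ads-manager/sam-ajax-admin.php', r'server/images.php',
    r'FileUploader/php.php', r'font-uploader/font-upload.php',
    r'upload/php.php', r'PHP/eval-stdin.php',
    r'ofc_upload_image.php\?name=.*?.php',
]
UPLOAD_PROBE_RE = re.compile('|'.join(UPLOAD_PROBE_PATTERNS))

# Joomla's registration endpoint, as seen in the post's second log excerpt.
JOOMLA_REGISTER_RE = re.compile(r'/component/users/\?.*task=registration\.register')

# Hits per source IP before the IP is reported (assumed values, not SenseLog's
# real thresholds). One registration POST is normal user behaviour, so that
# rule needs several attempts from the same IP before it fires.
THRESHOLDS = {'wp_upload_probe': 3, 'joomla_spam_registration': 5}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Name the rule a parsed entry triggers, or None if it is benign."""
    if entry['method'] != 'POST':
        return None
    if entry['status'] == '404' and UPLOAD_PROBE_RE.search(entry['uri']):
        return 'wp_upload_probe'
    if JOOMLA_REGISTER_RE.search(entry['uri']):
        return 'joomla_spam_registration'
    return None


def scan(lines):
    """Count rule hits per (ip, rule) and return the ones that reach their threshold."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        rule = classify(entry)
        if rule:
            hits[(entry['ip'], rule)] += 1
    return {key: n for key, n in hits.items() if n >= THRESHOLDS[key[1]]}


# The first four lines are copied from the post; the 10.0.0.5 and 203.0.113.9
# lines are constructed: a benign login and a single probe below the threshold.
SAMPLE_LOG = [
    '180.235.132.60 - - [30/Aug/2018:02:02:29 +0200] "POST /wp-content/uploads/uigen_YEAR/file.php HTTP/1.1" 404 9873 "-" "-"',
    '180.235.132.60 - - [30/Aug/2018:02:02:47 +0200] "POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1" 404 9881 "-" "-"',
    '180.235.132.60 - - [30/Aug/2018:02:02:56 +0200] "POST /wp-content/plugins/asset-manager/upload.php HTTP/1.1" 404 9869 "-" "-"',
    '180.235.132.60 - - [30/Aug/2018:02:03:13 +0200] "POST /wp-content/plugins/barclaycart/uploadify/uploadify.php HTTP/1.1" 404 9875 "-" "-"',
    '10.0.0.5 - - [30/Aug/2018:02:05:00 +0200] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Aug/2018:02:06:00 +0200] "POST /wp-content/plugins/asset-manager/upload.php HTTP/1.1" 404 9869 "-" "-"',
]
# The 01:36:49 line is the one quoted in the post; the four later seconds are
# constructed repeats standing in for a bot retrying the registration form.
JOOMLA_LINE = ('212.129.49.246 - - [16/Apr/2017:01:36:{:02d} +0200] '
               '"POST /index.php/component/users/?task=registration.register HTTP/1.0" 303 - '
               '"http://#######.com/index.php/component/users/?view=registration" '
               '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
               'Chrome/48.0.2564.82 Safari/537.36 OPR/35.0.2066.37"')
SAMPLE_LOG += [JOOMLA_LINE.format(s) for s in (49, 52, 55, 58, 59)]

if __name__ == '__main__':
    for (ip, rule), n in sorted(scan(SAMPLE_LOG).items()):
        print(f'{ip} triggered {rule} {n} times')
```

Running it reports 180.235.132.60 for the upload-probe rule and 212.129.49.246 for the registration rule, while the benign login and the single probe from 203.0.113.9 stay below their thresholds. Note that the `upload.php` pattern matches any 404 URI containing that name, which is why the rule is tied to the 404 status: a legitimate, existing upload endpoint would answer 200 and is never counted.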


Protect your servers with BitNinja

Don't let your servers get hacked! Take control of your servers and kick the hackers' butts with the help of BitNinja. As you can see, we are continuously releasing new developments in order to harden the protection shield. If you are not part of our Ninja Community yet, join us now! Enjoy hands-off security. Sign up for the 7-day free trial.
