I noticed a new Revslider WordPress PHP attack / exploit yesterday against this server that was blocked by the protections on it.
To put this in perspective, most server admins or end users wouldn’t notice this unless they had the vulnerable plugin actually installed on the server. Some web firewalls might have blocked it, but I bet a large number of servers & user accounts/websites would be infected/compromised.
I use a set of software protections on this server from http://configserver.com/ in particular I use CXS which, when set up correctly in conjunction with Mod Security and the CSF firewall, really helps to protect the server against all these script exploits and WordPress hacks. It does take quite a bit of configuration to fully protect against new exploits without too many false positives. I have this server set to a higher level of protection against scripts by using Bayes/Heuristic checking set on the most paranoid level, so anything remotely suspicious is detected. This level does give false positives, but luckily not too many for me, and I am able to quickly sort out false alarms, release them from quarantine and restore them if needed.
Basically anything suspicious or already known that is uploaded or attempted to be uploaded (whether the vulnerable program/software/plugin/CMS is on the server or not) is quarantined. CXS checks uploads before Apache looks at the request, decides where to send it, and would normally return a 404 Not Found if the program or plugin is not installed on the server. I get an immediate email and can investigate and take suitable action.
When I saw this new Revslider attack, I immediately noticed it was different and new. The file name is myluph.php.
Downloading the zip file from quarantine, I could see that the extracted PHP file was encrypted/encoded/obfuscated in a different way from normal.
This is his report and I thank him for all his extremely hard work.
The PHP is wrapped in about 12 layers of base64_decode and gzinflate pairs. Inside is a separate comment:
// D@rk sh@d0w PHP Encoder
// Contact: fb.me/D4rk5h4d0w
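As an added example (not the analyst's report or the author's code), here is a small Python decoder for the wrapping described above, the sort of tool the post later hopes other analysts will develop: it peels nested eval(gzinflate(base64_decode('...'))) layers one at a time until plain PHP remains. The sample it decodes is constructed in memory by the wrap() helper and contains only a harmless marker comment; the real myluph.php is not included, and the decoder handles only the two decoder functions the post names.

```python
import base64
import re
import zlib

# PHP decoder name -> Python equivalent. PHP's gzinflate() consumes raw
# DEFLATE with no zlib header, which is what wbits=-15 selects here.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),
}

# One wrapper layer: eval(<chain of decoder calls>('<string literal>'));
LAYER = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|base64_decode)\s*\(\s*)+)"
    r"['\"]([A-Za-z0-9+/=\s]*)['\"]\s*\)+\s*;?"
)

def peel_one(code):
    """Unwrap one eval() layer; return the inner source, or None if there is none."""
    m = LAYER.search(code)
    if not m:
        return None
    funcs = re.findall(r"gzinflate|base64_decode", m.group(1))
    data = re.sub(r"\s+", "", m.group(2)).encode()
    for name in reversed(funcs):  # innermost call runs first, as PHP evaluates it
        data = DECODERS[name](data)
    return data.decode("latin-1")  # never fails on arbitrary decoded bytes

def unwrap(code, max_layers=64):
    """Peel layers until no eval() wrapper is left; return (source, layers_peeled)."""
    layers = 0
    while layers < max_layers:
        inner = peel_one(code)
        if inner is None:
            break
        code, layers = inner, layers + 1
    return code, layers

def wrap(code, layers):
    """Build a constructed sample in the same shape (this is not the real myluph.php)."""
    for _ in range(layers):
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as PHP gzdeflate() emits
        raw = comp.compress(code.encode()) + comp.flush()
        code = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return "<?php " + code

PAYLOAD = "// constructed marker comment\necho 'decoded';"  # harmless stand-in payload
SAMPLE = wrap(PAYLOAD, 12)  # twelve layers, like the sample described in the post
```

To use it on a quarantined file, pass the file's text to unwrap() and inspect the returned source and layer count; anything the regex does not recognise (other decoder functions, string concatenation inside the eval) stops the loop early, so a non-zero remainder is itself a signal to look closer.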
myluph.php contains more base64 files which are decoded and dropped as:
wp-newblog.php also contains base64 files which duplicate wp-dbaseb.php and wp-conf.php above.
recky.php looks like it could be used for a DDoS against tariksezer.com and filarmonicapordenone.it if called repeatedly.
Attached is the final decode of myluph and the decoded droppings as .txt files.
All the decoded files are in THIS zip (password: infected). The original file is in THIS zip (password: infected), for other analysts to investigate further and possibly develop a decoder for this sort of encoded PHP attackware.
I have had a quick look at the files and I think that recky.php wants to download or include robots.txt from the two sites listed inside it: http://www.filarmonicapordenone.it/plugins/acymailing/contentplugin/robots.txt and http://tariksezer.com/site/wp-admin/js/robots.txt
It tries all the download/include methods normally available on a server, and then it looks like those files are used; they are of course NOT robots.txt files but Perl command files for performing defacement, DDoS and other attacks against servers and websites of the attacker's choice.
All files have been submitted to antivirus companies, but in general PHP files do not get a very high detection rate with the majority of antivirus companies, who tend to concentrate on Windows-based malware.
VirusTotal Detections for the files:
- original encrypted myluph.php