• Resolved vivithemage

    (@vivithemage)


    I had a bunch (30 or so) of wordpress sites on my servers hit with the latest indoxploit. In the previous attack, about 2-3 months ago, I tracked it down to malicious code via php utilizing built in wordpress scripts, but I do not recall which. All of my domlogs rotated too, so I could not track down what the malicious file was this time either. I just wanted to put it out there that the indoxploit attack took down a bunch of wordpress sites I host, even those that have BBQ installed and running.

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author Jeff Starr

    (@specialk)

    Sorry to hear about this, and thank you for reporting.

    Please understand that BBQ blocks bad requests only; it does not scan files for possible exploits. For that you can use an exploit scanner. So BBQ does protect against malicious HTTP requests, but it does not secure/resolve any existing vulnerabilities. There are many possible attack vectors for any website. BBQ protects one of them: HTTP requests.

    For this particular exploit, the attackers must have a way to upload the indoxploit files/scripts; it’s not possible to upload them directly via HTTP request, which again is what BBQ scans and protects (i.e., BBQ = Block Bad Queries).

    My best advice would be to determine how the exploit files were uploaded to your server; that would enable you to secure the vulnerability and prevent future occurrences. Here is an article with more info that should help.

    Let me know if I can provide any further information, glad to help however possible.

    Thread Starter vivithemage

    (@vivithemage)

    Oh no, that I understand. Previously, it was using a legitimate WordPress file (I just do not recall which), and I never thought of where to report my findings. I run a web hosting company, so I run into these weird mass exploits in WordPress far too often. When I see a bunch of tickets with the same issue, related to WP, I know it’s most likely a problem with WordPress and not a specific third-party plugin, so I do some research and roll back to a restore point a day or two before the exploit.

    I just figured BBQ does a bit of blocking in this regard, so maybe it’d be helpful here. I’ll be able to tell you what the file is on the next round of exploits; I was rotating access logs daily before, and I have changed it to retain them now.

    I was also hoping to let others who get hit with this know that they aren’t the only ones, haha. I am also sure the bastards who wrote this are probably going to read this :|.

    Plugin Author Jeff Starr

    (@specialk)

    Yes, that would be very useful, if you can provide any of the following info:

    – the name of any exploit file(s), e.g., indoxploit.php
    – any request URI(s) and/or query string(s) involved with the exploit

    That would enable me to add some matching pattern(s) to BBQ.

    Thank you and good luck.

    Thread Starter vivithemage

    (@vivithemage)

    Correct; last time I narrowed it down to something like this in the log. This obviously is not it, just an example entry:

    163.172.64.190 - - [27/Nov/2017:15:24:08 -0600] "GET /wp-includes/js/jquery/ui/core.min.js?ver=1.11.4 HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +https://ahrefs.com/robot/)"
    163.172.64.190 - - [27/Nov/2017:15:24:08 -0600] "GET /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 HTTP/1.1" 200 10056 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +https://ahrefs.com/robot/)"
    163.172.64.190 - - [27/Nov/2017:15:24:08 -0600] "GET /wp-includes/js/jquery/ui/widget.min.js?ver=1.11.4 HTTP/1.1" 200 6908 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +https://ahrefs.com/robot/)"
    163.172.64.190 - - [27/Nov/2017:15:24:08 -0600] "GET /wp-includes/js/jquery/ui/effect.min.js?ver=1.11.4 HTTP/1.1" 200 13420 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +https://ahrefs.com/robot/)"

    Plugin Author Jeff Starr

    (@specialk)

    Yes that sort of info would be valuable in crafting some BBQ patterns. If you want to send the info privately, you can do so via my contact form.

    Thread Starter vivithemage

    (@vivithemage)

    Thanks Jeff, I’ll keep that in my pocket for the next wave.

    I have been experiencing the indoxploit attack for several months; last time (16/11) I installed BBQ Pro and other fixes like a malware scan of the entire root.

    The last one happened yesterday, two months after the previous exploit on 16/11.

    I have only this log:

    server-ip - - [01/Jan/2018:22:45:59 +0100] "GET //wp-admin/theme-install.php?upload HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
    server-ip  - - [01/Jan/2018:22:46:00 +0100] "GET /wp-login.php?redirect_to=http%3A%2F%2Fwww.domain-name.com%2F%2Fwp-admin%2Ftheme-install.php%3Fupload&reauth=1 HTTP/1.1" 200 5924 "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
    server-ip  - - [01/Jan/2018:22:46:01 +0100] "POST //wp-login.php HTTP/1.1" 200 4895 "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
    server-ip  - - [01/Jan/2018:22:46:03 +0100] "POST //wp-admin/update.php?action=upload-theme HTTP/1.1" 302 - "-" "-"
    server-ip - - [01/Jan/2018:22:46:04 +0100] "GET /wp-login.php?redirect_to=http%3A%2F%2Fwww.domain-name.com%2F%2Fwp-admin%2Fupdate.php%3Faction%3Dupload-theme&reauth=1 HTTP/1.1" 200 4625 "-" "-"
    server-ip  - - [01/Jan/2018:22:46:05 +0100] "POST //wp-content/uploads/2018/01/m.php HTTP/1.1" 404 35123 "-" "-"
    server-ip  - - [01/Jan/2018:22:46:06 +0100] "GET //k.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
    server-ip  - - [01/Jan/2018:22:46:07 +0100] "GET /it//k.php HTTP/1.1" 301 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
    server-ip  - - [01/Jan/2018:22:46:08 +0100] "GET /it/k.php HTTP/1.1" 404 35098 "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"

    The 16/11 attack was the same.

    I also have a security scanner plugin, and Wordfence free.

    • This reply was modified 6 years, 11 months ago by robyone11.
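The log above shows an ordinary-looking sequence: a theme-install page, a login, a POST to the built-in theme uploader, then a request for a `.php` file under `wp-content/uploads`. The following script is an added example (it is not code from this thread, from BBQ, or from WordPress) that runs two kinds of check over such lines: a request-string blocklist of the kind Jeff describes BBQ as applying, and a per-client sequence rule that pairs an installer upload POST with a later hit on PHP under `uploads`. The blocklist patterns are illustrative stand-ins, not BBQ's real rule set, and the sample log is constructed, modelled on the entries posted here with TEST-NET addresses in place of the client IPs.

```python
"""Hunt for the admin-upload -> PHP-under-uploads sequence in a combined-format access log.

Added example (not code from the thread, from BBQ, or from WordPress). The log lines
below are constructed, modelled on the entries posted in the thread, with TEST-NET
addresses in place of the real client IPs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Stand-in for a request-string blocklist of the kind a bad-query filter applies.
# These are illustrative patterns, NOT BBQ's actual rule set.
BAD_QUERY_PATTERNS = ('../', 'base64_', 'eval(', 'wp-config.php', '<script', 'etc/passwd', 'union select')

# Nothing legitimate serves PHP out of wp-content/uploads; a hit there is worth a look on its own.
PHP_IN_UPLOADS = re.compile(r'/wp-content/uploads/.*\.php\d?$', re.IGNORECASE)
UPLOAD_ACTIONS = {'upload-theme', 'upload-plugin'}

# Constructed sample, modelled on the lines posted in the thread (placeholder IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [27/Nov/2017:15:24:08 -0600] "GET /wp-includes/js/jquery/ui/core.min.js?ver=1.11.4 HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +https://ahrefs.com/robot/)"
203.0.113.5 - - [01/Jan/2018:22:45:59 +0100] "GET //wp-admin/theme-install.php?upload HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
203.0.113.5 - - [01/Jan/2018:22:46:00 +0100] "GET /wp-login.php?redirect_to=http%3A%2F%2Fwww.domain-name.com%2F%2Fwp-admin%2Ftheme-install.php%3Fupload&reauth=1 HTTP/1.1" 200 5924 "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
203.0.113.5 - - [01/Jan/2018:22:46:01 +0100] "POST //wp-login.php HTTP/1.1" 200 4895 "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
203.0.113.5 - - [01/Jan/2018:22:46:03 +0100] "POST //wp-admin/update.php?action=upload-theme HTTP/1.1" 302 - "-" "-"
203.0.113.5 - - [01/Jan/2018:22:46:05 +0100] "POST //wp-content/uploads/2018/01/m.php HTTP/1.1" 404 35123 "-" "-"
203.0.113.5 - - [01/Jan/2018:22:46:06 +0100] "GET //k.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
203.0.113.5 - - [01/Jan/2018:22:46:08 +0100] "GET /it/k.php HTTP/1.1" 404 35098 "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Split on the first '?' by hand: urlsplit() would read a leading '//' as a host name.
    path, _, query = m['target'].partition('?')
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'method': m['method'],
        'path': re.sub(r'/+', '/', path),            # collapse '//' so matching is on path shape
        'query': parse_qs(query, keep_blank_values=True),
        'target': unquote(m['target']),              # decoded once, for substring blocklists
        'status': int(m['status']),
    }


def bad_request(entry):
    """Request-string filter: first blocklist pattern found in the decoded target, else None."""
    hay = entry['target'].lower()
    return next((p for p in BAD_QUERY_PATTERNS if p in hay), None)


def is_admin_upload(entry):
    """POST to wp-admin/update.php with action=upload-theme|upload-plugin (the built-in installer)."""
    return (entry['method'] == 'POST'
            and entry['path'].endswith('/wp-admin/update.php')
            and entry['query'].get('action', [''])[0] in UPLOAD_ACTIONS)


def find_upload_chains(entries, window=timedelta(seconds=120)):
    """Per client IP: an installer upload POST followed within `window` by a hit on PHP under uploads."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e['ip']].append(e)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e['ts'])
        for i, up in enumerate(evs):
            if not is_admin_upload(up):
                continue
            for later in evs[i + 1:]:
                if later['ts'] - up['ts'] > window:
                    break
                if PHP_IN_UPLOADS.search(later['path']):
                    hits.append({'ip': ip, 'upload_at': up['ts'].isoformat(),
                                 'shell': later['path'], 'status': later['status']})
    return hits


def analyze(log_text):
    """Run the three checks over a block of log text and return their findings."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        'blocked': [(e['ip'], e['path'], bad_request(e)) for e in entries if bad_request(e)],
        'php_in_uploads': [e['path'] for e in entries if PHP_IN_UPLOADS.search(e['path'])],
        'chains': find_upload_chains(entries),
    }


if __name__ == '__main__':
    for key, value in analyze(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

On the sample above the blocklist returns nothing, because every request target is a normal WordPress path or the core installer's own query string; only the sequence rule and the PHP-under-uploads rule fire, on the `m.php` request two seconds after the upload POST. That is the practical consequence of Jeff's point that a bad-query filter protects one vector: when the entry point is a legitimate admin function, the thing to alert on is the sequence and the resulting file, not the individual request string.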
    Plugin Author Jeff Starr

    (@specialk)

    Thanks for sharing this. I do not see where “indoxploit” is requested anywhere... unless I am missing it?

    My English is terrible and my IT skills are worse, so probably I don’t understand your reply correctly, BUT

    my admin username changed to indoxploit, like every time, and I see in the log, as Wordfence notified me at the same time, the upload of strange files like m.php and k.php, like in the 16/11 log.

    Probably indoxploit upload scripts?

    Plugin Author Jeff Starr

    (@specialk)

    If the m.php and k.php (or whatever letter they are named) actually exist on the server, then your site has been compromised and is under attack. I would take steps to lock things down and secure your site asap. I wrote a guide that should help: Responding to a hacked website.

    As for whether or not the attack was “indoxploit”, that may be the case, or there could be multiple attacks happening, and indoxploit is involved somehow. Proper investigation should reveal more information. Ask your host if you need help.

    • This reply was modified 6 years, 11 months ago by Jeff Starr. Reason: add info

    Thank you!

  • The topic ‘BBQ did not catch latest Indoxploit (11/25)’ is closed to new replies.