Record of a campaign to install Simple SOCKS5 Server for Perl on a WordPress honey pot.
```
% Information related to '91.109.16.0/20AS28753'
route:          91.109.16.0/20
descr:          routed via LeaseWeb DE
origin:         AS28753
mnt-by:         LEASEWEB-DE-MNT
created:        2015-06-04T13:17:40Z
last-modified:  2015-10-22T11:11:34Z
```
geoiplookup agrees: this IP address has a location somewhere in Germany.
The attacker tried to access the URI /wp-content/themes/twentytwelve/data.php with HTTP POST parameters named "a", "c", "p1", "p2". Given those parameter names, and the values they took on, it's pretty clear that the attacker(s) believed they were invoking a WSO web shell at that URI. The attacker(s) attempted to install a file named sss.pl via a sequence of commands to a WSO (Web Shell by oRb) web shell.
Based on the fine-grained timestamp that PHP keeps as $_SERVER['REQUEST_TIME_FLOAT'], I reconstructed the timeline of actions. The following table lists the values of the "a", "c", "p1", "p2" and "p3" HTTP POST parameters (where present), in chronological order.
Timestamp | a | c | p1 | p2 | p3 |
---|---|---|---|---|---|
2018-07-26T12:41:17.701-0600 | | | | | |
2018-07-26T12:41:18.326-0600 | FilesTools | /var/www/html/ | sss.pl | mkfile | |
2018-07-26T12:41:18.848-0600 | FilesTools | /var/www/html/ | sss.pl | chmod | 0755 |
2018-07-26T12:41:19.331-0600 | FilesTools | /var/www/html/ | sss.pl | chmod | |
2018-07-26T12:41:19.877-0600 | FilesTools | /var/www/html/ | sss.pl | chmod | 0744 |
2018-07-26T12:41:20.433-0600 | FilesTools | /var/www/html/ | sss.pl | edit | entire Simple SOCKS Server code |
2018-07-26T12:41:21.063-0600 | FilesMan | /var/www/html/ | delete | | |
2018-07-26T12:41:21.558-0600 | FilesTools | /var/www/html/ | touch | | |
2018-07-26T12:41:22.071-0600 | FilesMan | /var/www/html/ | uploadFile | | |
2018-07-26T12:41:22.453-0600 | FilesTools | /var/www/html/ | sss.plHgkTAo | chmod | 0444 |
2018-07-26T12:41:22.956-0600 | FilesTools | /var/www/html/ | touch | | |
2018-07-26T12:41:23.405-0600 | FilesTools | /var/www/html/ | . | touch | |
2018-07-26T12:41:23.947-0600 | FilesTools | /var/www/html/ | .. | touch | |
2018-07-26T12:41:24.417-0600 | FilesTools | /var/www/html/ | sss.plHgkTAo | touch | |
2018-07-26T12:41:24.892-0600 | FilesTools | /var/www/html/sss.plHgkTAo | chmod | | |
2018-07-26T12:41:25.466-0600 | FilesTools | /var/www/html/ | sss.plHgkTAo | rename | sss.pl |
2018-07-26T12:41:25.946-0600 | FilesTools | /var/www/html/ | sss.pl | chmod | 0444 |
2018-07-26T12:41:29.415-0600 | FilesTools | /var/www/html/sss.pl | chmod | | |
Using WSO 2.5 source code, and the values of HTTP parameters, it's possible to reconstruct what commands the attacker(s) ran, and recover some of their intent.
Timestamp | Note |
---|---|
2018-07-26T12:41:17.701-0600 | WSO login: set logged-in cookie |
2018-07-26T12:41:18.326-0600 | create zero-length file /var/www/html/sss.pl |
2018-07-26T12:41:18.848-0600 | change permissions of /var/www/html/sss.pl to rwxr-xr-x |
2018-07-26T12:41:19.331-0600 | set "p3" value for later use? |
2018-07-26T12:41:19.877-0600 | change permissions of /var/www/html/sss.pl to rwxr--r-- |
2018-07-26T12:41:20.433-0600 | put Simple SOCKS Server code into /var/www/html/sss.pl |
2018-07-26T12:41:21.063-0600 | delete file /var/www/html/sss.pl |
2018-07-26T12:41:21.558-0600 | not sure what this does without a file name |
2018-07-26T12:41:22.071-0600 | use HTTP's file upload to create a file named sss.plHgkTAo |
2018-07-26T12:41:22.453-0600 | change permissions on /var/www/html/sss.plHgkTAo to r--r--r--, read-only for everyone |
2018-07-26T12:41:22.956-0600 | not sure what this does without a file name |
2018-07-26T12:41:23.405-0600 | looks like it wants to change the last-accessed time of directory /var/www/html, but that would fail |
2018-07-26T12:41:23.947-0600 | looks like it wants to change the last-accessed time of directory /var/www, but that would fail, too |
2018-07-26T12:41:24.417-0600 | looks like it wants to change the last-accessed time of file /var/www/html/sss.plHgkTAo |
2018-07-26T12:41:24.892-0600 | wants to change permissions on /var/www/html/sss.plHgkTAo, but gives no desired permissions |
2018-07-26T12:41:25.466-0600 | rename /var/www/html/sss.plHgkTAo to /var/www/html/sss.pl |
2018-07-26T12:41:25.946-0600 | change permissions of /var/www/html/sss.pl to r--r--r-- (read-only) |
2018-07-26T12:41:29.415-0600 | try to change permissions of /var/www/html/sss.pl, but this fails because no desired permissions are given |
I don't see an attempt to access sss.pl at any later date.

I interpret this as an attempt to get a file sss.pl into some remotely accessible place on the putatively compromised system running WordPress. The attacker tries to upload the file using WSO's file editing capability, which seems a little roundabout. My WSO honey pot does not put a file name in its listing after the "edit", so the attacker gets no confirmation that the edited file exists. This triggers an attempt to delete the file, and then an upload of the file via HTTP file upload and WSO's interface to that. My WSO honey pot does show "uploaded" files' names in its FilesMan output, so the attacker believes the file exists on the compromised WordPress host. I guess that my WSO honey pot does not display the desired file permissions that a real WSO would give an uploaded file, so the attacker attempts to remedy this.

Incorrectly trying to set access times and file permissions has me a little puzzled. Why bother? Is this an attempt to disguise the uploaded sss.pl file visually?
Timestamp | Elapsed time since previous request (seconds) |
---|---|
2018-07-26T12:41:18.326-0600 | 0.625 |
2018-07-26T12:41:18.848-0600 | 0.521 |
2018-07-26T12:41:19.331-0600 | 0.483 |
2018-07-26T12:41:19.877-0600 | 0.546 |
2018-07-26T12:41:20.433-0600 | 0.556 |
2018-07-26T12:41:21.063-0600 | 0.631 |
2018-07-26T12:41:21.558-0600 | 0.494 |
2018-07-26T12:41:22.071-0600 | 0.513 |
2018-07-26T12:41:22.453-0600 | 0.382 |
2018-07-26T12:41:22.956-0600 | 0.503 |
2018-07-26T12:41:23.405-0600 | 0.450 |
2018-07-26T12:41:23.947-0600 | 0.542 |
2018-07-26T12:41:24.417-0600 | 0.470 |
2018-07-26T12:41:24.892-0600 | 0.475 |
2018-07-26T12:41:25.466-0600 | 0.573 |
2018-07-26T12:41:25.946-0600 | 0.480 |
2018-07-26T12:41:29.415-0600 | 3.470 |
The commands arrive less than a second apart, which would seem to indicate that the attack was automated, except maybe for the very last command. I don't think that 3.5 seconds is enough to have a browser render HTML, scroll past the irrelevant parts, and comprehend the output.

All accesses have a user agent string of "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17". Opera seems to support scripting through the "Tampermonkey" extension, so it's entirely possible that this is scripted through an Opera browser.

I have 46279 accesses with that user agent in my Apache logs, from 2014-07-28 01:35:20-06 to 2018-07-05 06:53:49-06. 91.109.19.24 has accessed my web server 1635 times with that user agent, so this is a small campaign in a larger strategy of evil.
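As an added example (not code from the original post), here is a small Python reconstruction of the timeline and command notes above, plus the inter-request cadence check, run over constructed honeypot records. It assumes the honeypot writes one JSON line per request holding $_SERVER['REQUEST_TIME_FLOAT'] and the POST parameters; that record shape, the describe() mapping of WSO 2.5 parameters to notes, and the one-second "human floor" are my assumptions, and the sample records are made up to follow rows of the tables above.

```python
import json
from datetime import datetime, timedelta, timezone
# Constructed JSON-lines records in the shape a WSO-emulating honeypot might write:
# REQUEST_TIME_FLOAT plus the POST parameters. Times follow rows of the post's table.
SAMPLE_LOG = """
{"t": 1532630477.701, "post": {}}
{"t": 1532630478.326, "post": {"a": "FilesTools", "c": "/var/www/html/", "p1": "sss.pl", "p2": "mkfile"}}
{"t": 1532630478.848, "post": {"a": "FilesTools", "c": "/var/www/html/", "p1": "sss.pl", "p2": "chmod", "p3": "0755"}}
{"t": 1532630481.063, "post": {"a": "FilesMan", "c": "/var/www/html/", "p1": "delete"}}
{"t": 1532630489.415, "post": {"a": "FilesTools", "c": "/var/www/html/sss.pl", "p1": "chmod"}}
"""
LOCAL = timezone(timedelta(hours=-6))  # the post renders its times as -0600

def parse_log(text):
    """Return (REQUEST_TIME_FLOAT, POST dict) pairs in chronological order."""
    recs = (json.loads(line) for line in text.strip().splitlines())
    return sorted(((r["t"], r["post"]) for r in recs), key=lambda r: r[0])

def local_iso(t):
    """Render an epoch float the way the post's tables do, to the millisecond."""
    dt = datetime.fromtimestamp(t, tz=LOCAL)
    return f"{dt:%Y-%m-%dT%H:%M:%S}.{dt.microsecond // 1000:03d}-0600"

def describe(post):
    """Turn WSO 2.5 FilesTools/FilesMan parameters into an analyst's note (assumed mapping)."""
    a, c, p1, p2, p3 = (post.get(k, "") for k in ("a", "c", "p1", "p2", "p3"))
    if not a:
        return "WSO login (set logged-in cookie)"
    if a == "FilesMan":
        return f"FilesMan {p1} in {c}"
    if p2:  # FilesTools: c + p1 is the target, p2 the operation, p3 its argument
        return f"{p2} {c}{p1}" + (f" mode {p3}" if p3 else "")
    return f"FilesTools {p1} on {c} (no operation argument given)"

def gaps(records):
    """Seconds between consecutive requests, rounded to the millisecond."""
    ts = [t for t, _ in records]
    return [round(b - a, 3) for a, b in zip(ts, ts[1:])]

def cadence(records, human_floor=1.0):
    """Count sub-second gaps: a run of them is a sign the session was scripted."""
    g = gaps(records)
    return {"requests": len(records), "sub_second": sum(x < human_floor for x in g), "max_gap": max(g)}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (t, post), g in zip(recs, [0.0] + gaps(recs)):
        print(local_iso(t), f"+{g:.3f}s", describe(post))
    print(cadence(recs))
```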