Joomla.JCE.Extension.Remote.File.Upload attack

newbie14 · 05-22-2016, 10:50 AM

Hi,
I had an intrusion message generated by my firewall pointing to this

Message meets Alert condition
The following intrusion was observed:
msg="web_app: Joomla.JCE.Extension.Remote.File.Upload"
date=2016-05-22 time=16:49:34

Below is my httpd log which I extracted for that time frame.

Code:

74.91.20.195 - - [22/May/2016:16:05:19 +0800] "GET / HTTP/1.1" 200 30 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
218.161.6.169 - - [22/May/2016:16:49:27 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"
218.161.6.169 - - [22/May/2016:16:49:44 +0800] "GET //images/stories/explore.gif HTTP/1.1" 404 224 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
218.161.6.169 - - [22/May/2016:16:49:45 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"
218.161.6.169 - - [22/May/2016:16:50:01 +0800] "GET /myfolder//images/stories/explore.gif HTTP/1.1" 404 229 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
93.180.64.220 - - [22/May/2016:17:19:33 +0800] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; Plukkie/1.6; http://www.botje.com/plukkie.htm)"
177.86.163.216 - - [22/May/2016:17:24:53 +0800] "GET / HTTP/1.1" 200 30 "-" "curl/7.17.1 (mips-unknown-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8i zlib/1.2.3"
177.86.162.205 - - [22/May/2016:17:30:47 +0800] "GET / HTTP/1.1" 200 30 "-" "curl/7.17.1 (mips-unknown-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8i zlib/1.2.3"

I tried my end this Not Found

The requested URL /myfolder/images/stories/explore.gif it give me not found on this server. and even the log is 404?

Is there anything I should further on this attack ?

Habitual · 05-23-2016, 07:06 AM

Joomla! version?
All addons up to date?

When I get tired of "404 abuse", I just use fail2ban and setup a 404 jail.

newbie14 · 05-23-2016, 10:15 AM

Hi Habitual,
Actually mine is not Joomla. I have written my own php codes.How to set jail for 404 in fail2ban?

Habitual · 05-23-2016, 10:28 AM

Quote:

Originally Posted by newbie14

How to set jail for 404 in fail2ban?

Do I really need to google that question for you?
Any experience with fail2ban?
Is it installed?
Seems to me that Remote.File.Upload would be rather "noisy" in the log files.
The above 404 doesn't indicate anything I'd worry about, unless you have some actual evidence
of Remote.File.Upload as the sample you've provided is rather thin.

I find it "interesting" that 218.161.6.169:
used 2 User-agents
"BOT/0.1 (BOT for JCE)" and "Firefox/3.6"
and does a

Code:

POST
GET
POST
GET

and seems to be centered on an explore.gif named file.
But doesn't know if it's in //images or ///myfolder//images ?
Is imgmanager "your code"?

Taiwan IP

Firefox 3.x is obsolete and I wouldn't allow such a client to connect anyway.
fail2ban would have caught that with a custom filter.
I routinely ban obsolete browsers.

I don't believe the issue at hand is /myfolder/images/stories/explore.gif
but that's my opinion. I believe the threat to be in POST actions, 404 or not.
I consider all POST actions from foreign IPs to be an aggressive posture, and I act accordingly.

Code:

218.161.6.169 - - [22/May/2016:16:49:45 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"

See also http://blog.unmaskparasites.com/2014...n-of-jce-bots/
https://github.com/miniwark/miniwark...tup-for-Apache

Ask if you have any further questions about the info I've provided.
Have a Great Day!

Sorry to say it, but

Warning: You need fail2ban.

newbie14 · 05-24-2016, 12:53 AM

Hi Habitual,
I have fail2ban installed from day one ready but did not really tweak it much either. So I have done google on that too. I saw this https://nichteinschalten.de/en/apach...ail2ban-regex/. Is this good enough for to implement?

Quote:

The above 404 doesn't indicate anything I'd worry about, unless you have some actual evidence
of Remote.File.Upload as the sample you've provided is rather thin.

What else logs can I look into give me more details on this? Yes I have the folder images but no images/stories

Quote:

I consider all POST actions from foreign IPs to be an aggressive posture, and I act accordingly.

What do you mean on this meaning that can the post action drop virus or threat in any manner?

I learn some thing from the link you provided.

Quote:

Protect all file upload directories and all directories that shouldn’t contain .php files. For example, place the following .htaccess file there to prevent execution of PHP files:
<Files *.php> should I do this for all my folder where I store css, images, js etc?

deny from all

</Files>

Habitual · 05-24-2016, 08:10 AM

Quote:

Originally Posted by newbie14

Hi Habitual,
I have fail2ban installed from day one ready but did not really tweak it much either. So I have done google on that too. I saw this https://nichteinschalten.de/en/apach...ail2ban-regex/. Is this good enough for to implement?

I'm going to answer "no" on that link at this time. Installed "but did not really tweak" sounds like defaults to me!
We can work with that.
Let's not use the 't' word. Let's leave "tweaking" to the over-modifiers.
Right now, you need a basic and simple fail2ban "starter kit" and if you are committed to spending "some time" with it, you
can have a working defense in place. I used quote for "some time" as this unknown will depend on your skill level, how comfortable
you are on the command-line and not affected by too many things. Are you focused? Are you scared of the terminal/shell/console?

Quote:

Originally Posted by newbie14

What else logs can I look into give me more details on this? Yes I have the folder images but no images/stories

Oh boy, logs! Don't get me started.

That is another Thread/blog
Consider section titled "Changing file permissions"
Yes, I realize you have custom Joomla! code and the link goes on about Wordpress.
Consider types valid.

Quote:

Originally Posted by newbie14

What do you mean on this meaning that can the post action drop virus or threat in any manner?

Consider what the POST Method does:

Quote:

The post method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line. Essentially this means that the POST data will be stored by the server and usually will be processed by a server side application.

[1]
Depending on what the site "does" this may be considered "actionable" and by that I mean to stress "It depends".
An e-commerce site may be perfectly acceptable situation to accept POST data.
Forums, clans, Minecraft.... you get the idea.

I don't have such a site.
No extraneous "users" or "editors" or "contributors" whatevs, just one power user (however labeled) and a secondary admin
who does not post, contribute, or edit any thing.

Quote:

Originally Posted by newbie14

I learn some thing from the link you provided.

Don't tell the boss.

fail2ban is kind of "my thing".

Yes, I have resources! Same as you! Consider my previous searches:
I started here - https://www.google.com/#q=fail2ban+s...gitalocean.com
https://www.google.com/#q=%22deny+fr...gitalocean.com
https://gggeek.github.io/phpxmlrpc/
https://hc.apache.org/httpclient-3.x/methods/post.html
https://www.wordfence.com/blog/2015/...-on-wordpress/

"deny from all" is another "layer" you can add to site defense.
Again, It's about "who's asking?" and "what" they are asking for?
Why would a foreign IP need to POST data to my site?

Can I see the POST data after the fact? Not that I've seen.

What does a "normal" browser session look like for your site? Peak and Off Peak hours?
Do I have Peak 'hours'?

You have to examine your logs.
You have to ask yourself what's normal for a session on your site, or even off of it (API 'hooks'?)

I am naturally a Type A personality and I've read, seen and cleaned enough http hosts.
And I certainly don't trust "error codes" from POST method without examining the traffic concerning it.

Consider this 403:

Code:

69.42.71.124 - - [22/May/2016:22:20:26 -0700] "POST /xmlrpc.php HTTP/1.1" 403 399 "-" "-"

Just one hit, right? WRONG. And exactly 1 hit.
One hit on xmlrpc.php is the policy. We don't allow that for reasons I have already stated.

Code:

grep xmlrpc.php /etc/fail2ban/filter.d/custom.conf
            ^<HOST> .* ".*?xmlrpc.php.*?"

Digitalocean has some great stuff.

Sorry for the long answer.
The short version died an untimely death.

newbie14 · 05-24-2016, 11:42 AM

Dear Habitual,
No issue with your long answer in fact I appreciate you took the effort to write a long n in depth answer. I am digesting them one by one. I am not scared of terminal and I am quite familiar will command lines not an issue either.

1. In my case I have this /var/www/html/myapplication? So should I change the file permission. The issue is that in on of it I need to upload images. So what best solution should I do. I have assign the owner to be apache for the whole the myapplication?

2. In my application off course I got form and I insert,update, delete data using the post method. So its possible for the hacker to send via post something into my folder or any other method?

3."deny from all" is another "layer" you can add to site defense.
Again, It's about "who's asking?" and "what" they are asking for?
Why would a foreign IP need to POST data to my site? I dont get you very clear on this?

4. Can I see the POST data after the fact? Not that I've seen. Are you asking my POST data ? My genuine post data is all my application related.

5. I dont really have a peak hour either.

6I am naturally a Type A personality and I've read, seen and cleaned enough http hosts.
And I certainly don't trust "error codes" from POST method without examining the traffic concerning it. I want to further build my skills on this too.

So moving next level looks like fail2ban is very powerful tool and I did not leverage much on it. So what is my next step you will suggest?

Habitual · 05-24-2016, 11:58 AM

Quote:

Originally Posted by newbie14

Are you asking my POST data ? My genuine post data is all my application related.
...
So moving next level looks like fail2ban is very powerful tool and I did not leverage much on it. So what is my next step you will suggest?

No, I am not asking for your POST data.
Yes, it is time to act.

You said it was installed. What OS are you utilizing on the server?
What version of fail2ban?
Issue

Code:

fail2ban-server -V | head -1

and let me know.

You never answered my question: Is imgmanager the extension in question?
If not, is imgmanager valid?

All directories should be 755 with a couple of exceptions, eg: cgi-bin type stuff
and an "Upload" directory too, I suppose.
All files should be 644 with even fewer expected exceptions

newbie14 · 05-24-2016, 12:06 PM

Dear Habitual,
Ok my os is centos-release-6-7.el6.centos.12.3.x86_64. My fail2ban is Fail2Ban v0.9.3. Sorry I missed on imgmanager not its part of my codes either. I dont think so my php got folder got cgi-bin. Previously I read to change the ownership of all folder /var/www/html to apache is that correct to do that?

Habitual · 05-24-2016, 12:20 PM

Quote:

Originally Posted by newbie14

Dear Habitual,
Ok my os is centos-release-6-7.el6.centos.12.3.x86_64. My fail2ban is Fail2Ban v0.9.3. Sorry I missed on imgmanager not its part of my codes either. I dont think so my php got folder got cgi-bin. Previously I read to change the ownership of all folder /var/www/html to apache is that correct to do that?

I'm sorry, Yes, apache:apache for /var/www/html for everything and sub-directories is the usual on CentOS so:

Code:

sudo chown apache:apache -R /var/www/html/

no cgi-bin stuff? Good. fail2ban can monitor that also.

Verify your apache logs at /var/log/httpd/access.log and /var/log/httpd/error.log please.

One more favor:

Code:

grep explore.gif /var/log/http/access.log

and examine the output:
They all using Firefox 3.6 ?

BTW: The "time" on the firewall report may not coincide with date/time/zone on web host.
More logs, better rules.

newbie14 · 05-24-2016, 12:52 PM

Dear Habitual,
I re ran this command now chown apache:apache -R /var/www/html/. Previously my robot.txt was root owner so now everything is apache. Actually cgi-bin is an old technology right why its still with php I am wondering ? Yes my logs are here /var/log/httpd/access_log and /var/log/httpd/error_log.

The results of the comand is here

Quote:

218.161.6.169 - - [22/May/2016:16:49:44 +0800] "GET //images/stories/explore.gif HTTP/1.1" 404 224 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
218.161.6.169 - - [22/May/2016:16:50:01 +0800] "GET /myfolder//images/stories/explore.gif HTTP/1.1" 404 229 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
10.212.134.200 - - [22/May/2016:23:48:10 +0800] "GET /myfolder/images/stories/explore.gif HTTP/1.1" 404 228 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"

The last line I did my own test locally that is why its appearing chrome.
What are the more logs you need that can help?

Habitual · 05-24-2016, 01:08 PM

OK:
Here's where the rubber hits the road:
Create by editing /etc/fail2ban/filter.d/custom.conf
so,

Code:

vi /etc/fail2ban/filter.d/custom.conf

or

Code:

nano /etc/fail2ban/filter.d/custom.conf

whichever you prefer, or some other method
and insert

Code:

[Definition]

docroot = /var/www/html
failregex =  ^<HOST> .* ".*?plugin=imgmanager.*?"
             ^<HOST> .* ".*?POST /cgi-bin.*?"
             ^<HOST> .* ".*?POST /index.php?option=com_jce
             ^<HOST> .* ".*?stories.*?"
             ^<HOST> .* ".*?Firefox/3.6.*?"
ignoreregex =

Save and exit or exit with save...
then run

Code:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/custom.conf

and you should see something similar to this output (I used your Opening post log for this and got 6 hits)

Code:

Results
=======

Failregex: 6 total
|- #) [# of hits] regular expression
|  1) [2] ^<HOST> .* ".*?plugin=imgmanager.*?"
|  3) [2] ^<HOST> .* ".*?stories.*?"
|  4) [2] ^<HOST> .* ".*?Firefox/3.6.*?"
`-

Ignoreregex: 0 total

Summary
=======

Addresses found:
[1]
    218.161.6.169 (Sun May 22 16:49:27 2016)
    218.161.6.169 (Sun May 22 16:49:45 2016)
[3]
    218.161.6.169 (Sun May 22 16:49:44 2016)
    218.161.6.169 (Sun May 22 16:50:01 2016)
[4]
    218.161.6.169 (Sun May 22 16:49:44 2016) (already matched)
    218.161.6.169 (Sun May 22 16:50:01 2016) (already matched)

Date template hits:
38 hit(s): Day/MONTH/Year:Hour:Minute:Second

Success, the total number of match is 6

However, look at the above section 'Running tests' which could contain important
information.

Let us know!

Habitual · 05-24-2016, 01:26 PM

https://duckduckgo.com/?q=20%266bc42...1246b5f&ia=web
is quite informative about this exploit.

It uploads a specially-crafted .gif and renames it to .php and it's backdoor shell.
p0wn3d.

Habitual · 05-24-2016, 03:46 PM

Install the clamav package using

Code:

sudo yum install clamav

and then update the clam signatures:

Code:

sudo freshclam

then scan /var/www/html/ using

Code:

sudo clamscan -ir /var/www/html > /root/clam.rpt

Examine /root/clam.rpt with say

Code:

less /root/clam.rpt

It will be obvious in that file.
If it's empty, breathe a sigh of relief, but don't relax, ever.

clamav does not dis-infect any thing. but it is an excellent reporting tool.

Enjoy the Goodness!

newbie14 · 05-25-2016, 05:16 AM

Dear Habitual,
I did accordingly. But my its does not tally with your results. I check the file is still there because with grep the results is there.

Quote:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/custom.conf

Running tests
=============

Use failregex filter file : custom, basedir: /etc/fail2ban
Use log file : /var/log/httpd/access_log
Use encoding : UTF-8

Results
=======

Failregex: 5 total
|- #) [# of hits] regular expression
| 1) [2] ^<HOST> .* ".*?plugin=imgmanager.*?"
| 4) [3] ^<HOST> .* ".*?stories.*?"
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [15093] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 15093 lines, 0 ignored, 5 matched, 15088 missed [processed in 3.82 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 15088 lines