LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-22-2016, 10:50 AM   #1
newbie14
Joomla.JCE.Extension.Remote.File.Upload attack


Hi,
I had an intrusion message generated by my firewall pointing to this

Message meets Alert condition
The following intrusion was observed:
msg="web_app: Joomla.JCE.Extension.Remote.File.Upload"
date=2016-05-22 time=16:49:34

Below is my httpd log which I extracted for that time frame.

Code:
74.91.20.195 - - [22/May/2016:16:05:19 +0800] "GET / HTTP/1.1" 200 30 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
218.161.6.169 - - [22/May/2016:16:49:27 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"
218.161.6.169 - - [22/May/2016:16:49:44 +0800] "GET //images/stories/explore.gif HTTP/1.1" 404 224 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
218.161.6.169 - - [22/May/2016:16:49:45 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"
218.161.6.169 - - [22/May/2016:16:50:01 +0800] "GET /myfolder//images/stories/explore.gif HTTP/1.1" 404 229 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
93.180.64.220 - - [22/May/2016:17:19:33 +0800] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; Plukkie/1.6; http://www.botje.com/plukkie.htm)"
177.86.163.216 - - [22/May/2016:17:24:53 +0800] "GET / HTTP/1.1" 200 30 "-" "curl/7.17.1 (mips-unknown-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8i zlib/1.2.3"
177.86.162.205 - - [22/May/2016:17:30:47 +0800] "GET / HTTP/1.1" 200 30 "-" "curl/7.17.1 (mips-unknown-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8i zlib/1.2.3"
I tried on my end and got Not Found:

"The requested URL /myfolder/images/stories/explore.gif was not found on this server." And the log also shows a 404?

Is there anything I should do further about this attack?
 
Old 05-23-2016, 07:06 AM   #2
Habitual
Joomla! version?
All addons up to date?

When I get tired of "404 abuse", I just use fail2ban and set up a 404 jail.
 
Old 05-23-2016, 10:15 AM   #3
newbie14
Hi Habitual,
Actually mine is not Joomla. I have written my own PHP code. How do I set up a jail for 404s in fail2ban?
 
Old 05-23-2016, 10:28 AM   #4
Habitual
Quote:
Originally Posted by newbie14 View Post
How to set jail for 404 in fail2ban?
Do I really need to google that question for you?
Any experience with fail2ban?
Is it installed?
Seems to me that Remote.File.Upload would be rather "noisy" in the log files.
The above 404 doesn't indicate anything I'd worry about, unless you have some actual evidence
of Remote.File.Upload as the sample you've provided is rather thin.

I find it "interesting" that 218.161.6.169:
used 2 User-agents
"BOT/0.1 (BOT for JCE)" and "Firefox/3.6"
and does a
Code:
POST
GET
POST
GET
and seems to be centered on an explore.gif named file.
But doesn't know if it's in //images or ///myfolder//images ?
Is imgmanager "your code"?

Taiwan IP

Firefox 3.x is obsolete and I wouldn't allow such a client to connect anyway.
fail2ban would have caught that with a custom filter.
I routinely ban obsolete browsers.

I don't believe the issue at hand is /myfolder/images/stories/explore.gif
but that's my opinion. I believe the threat to be in POST actions, 404 or not.
I consider all POST actions from foreign IPs to be an aggressive posture, and I act accordingly.

Code:
218.161.6.169 - - [22/May/2016:16:49:45 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"
See also http://blog.unmaskparasites.com/2014...n-of-jce-bots/
https://github.com/miniwark/miniwark...tup-for-Apache

Ask if you have any further questions about the info I've provided.
Have a Great Day!

Sorry to say it, but
Warning: You need fail2ban.

Last edited by Habitual; 05-28-2016 at 09:04 AM.
 
Old 05-24-2016, 12:53 AM   #5
newbie14
Hi Habitual,
I have had fail2ban installed from day one, but I did not really tweak it much either. So I have googled that too. I saw this https://nichteinschalten.de/en/apach...ail2ban-regex/. Is this good enough to implement?

Quote:
The above 404 doesn't indicate anything I'd worry about, unless you have some actual evidence
of Remote.File.Upload as the sample you've provided is rather thin.
What other logs can I look into to get more details on this? Yes, I have the folder images, but no images/stories.
Quote:
I consider all POST actions from foreign IPs to be an aggressive posture, and I act accordingly.
What do you mean by this? Can the POST action drop a virus or other threat in any manner?

I learned something from the link you provided.
Quote:
Protect all file upload directories and all directories that shouldn’t contain .php files. For example, place the following .htaccess file there to prevent execution of PHP files:
<Files *.php>
deny from all
</Files>
Should I do this for all my folders where I store css, images, js etc.?
 
Old 05-24-2016, 08:10 AM   #6
Habitual
Quote:
Originally Posted by newbie14 View Post
Hi Habitual,
I have had fail2ban installed from day one, but I did not really tweak it much either. So I have googled that too. I saw this https://nichteinschalten.de/en/apach...ail2ban-regex/. Is this good enough to implement?
I'm going to answer "no" on that link at this time. Installed "but did not really tweak" sounds like defaults to me!
We can work with that.
Let's not use the 't' word. Let's leave "tweaking" to the over-modifiers.
Right now, you need a basic and simple fail2ban "starter kit" and if you are committed to spending "some time" with it, you
can have a working defense in place. I used quote for "some time" as this unknown will depend on your skill level, how comfortable
you are on the command-line and not affected by too many things. Are you focused? Are you scared of the terminal/shell/console?

Quote:
Originally Posted by newbie14 View Post
What other logs can I look into to get more details on this? Yes, I have the folder images, but no images/stories.
Oh boy, logs! Don't get me started. That is another Thread/blog
Consider section titled "Changing file permissions"
Yes, I realize you have custom Joomla! code and the link goes on about Wordpress.
Consider types valid.

Quote:
Originally Posted by newbie14 View Post
What do you mean by this? Can the POST action drop a virus or other threat in any manner?
Consider what the POST Method does:
Quote:
The post method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line. Essentially this means that the POST data will be stored by the server and usually will be processed by a server side application.
[1]
Depending on what the site "does" this may be considered "actionable" and by that I mean to stress "It depends".
An e-commerce site may be perfectly acceptable situation to accept POST data.
Forums, clans, Minecraft.... you get the idea.

I don't have such a site.
No extraneous "users" or "editors" or "contributors" whatevs, just one power user (however labeled) and a secondary admin
who does not post, contribute, or edit any thing.

Quote:
Originally Posted by newbie14 View Post
I learned something from the link you provided.
Don't tell the boss.
fail2ban is kind of "my thing".

Yes, I have resources! Same as you! Consider my previous searches:
I started here - https://www.google.com/#q=fail2ban+s...gitalocean.com
https://www.google.com/#q=%22deny+fr...gitalocean.com
https://gggeek.github.io/phpxmlrpc/
https://hc.apache.org/httpclient-3.x/methods/post.html
https://www.wordfence.com/blog/2015/...-on-wordpress/

"deny from all" is another "layer" you can add to site defense.
Again, It's about "who's asking?" and "what" they are asking for?
Why would a foreign IP need to POST data to my site?

Can I see the POST data after the fact? Not that I've seen.

What does a "normal" browser session look like for your site? Peak and Off Peak hours?
Do I have Peak 'hours'?

You have to examine your logs.
You have to ask yourself what's normal for a session on your site, or even off of it (API 'hooks'?)

I am naturally a Type A personality and I've read, seen and cleaned enough http hosts.
And I certainly don't trust "error codes" from POST method without examining the traffic concerning it.

Consider this 403:
Code:
69.42.71.124 - - [22/May/2016:22:20:26 -0700] "POST /xmlrpc.php HTTP/1.1" 403 399 "-" "-"
Just one hit, right? WRONG. And exactly 1 hit.
One hit on xmlrpc.php is the policy. We don't allow that for reasons I have already stated.
Code:
grep xmlrpc.php /etc/fail2ban/filter.d/custom.conf
            ^<HOST> .* ".*?xmlrpc.php.*?"
Digitalocean has some great stuff.

Sorry for the long answer.
The short version died an untimely death.

Last edited by Habitual; 06-01-2016 at 12:41 PM.
 
Old 05-24-2016, 11:42 AM   #7
newbie14
Dear Habitual,
No issue with your long answer; in fact I appreciate that you took the effort to write a long and in-depth answer. I am digesting them one by one. I am not scared of the terminal and I am quite familiar with the command line, so that is not an issue either.

1. In my case I have this /var/www/html/myapplication. So should I change the file permissions? The issue is that in one of the folders I need to upload images. So what is the best solution? I have assigned the owner to be apache for the whole of myapplication.

2. In my application, of course I have forms, and I insert, update and delete data using the POST method. So is it possible for the hacker to send something into my folder via POST or any other method?

3. "deny from all" is another "layer" you can add to site defense.
Again, It's about "who's asking?" and "what" they are asking for?
Why would a foreign IP need to POST data to my site? I don't understand you very clearly on this.

4. Can I see the POST data after the fact? Not that I've seen. Are you asking for my POST data? My genuine POST data is all application related.

5. I don't really have a peak hour either.

6. I am naturally a Type A personality and I've read, seen and cleaned enough http hosts.
And I certainly don't trust "error codes" from POST method without examining the traffic concerning it. I want to further build my skills on this too.

So, moving to the next level, it looks like fail2ban is a very powerful tool and I have not leveraged it much. So what next step would you suggest?
 
Old 05-24-2016, 11:58 AM   #8
Habitual
Quote:
Originally Posted by newbie14 View Post
Are you asking for my POST data? My genuine POST data is all application related.
...
So, moving to the next level, it looks like fail2ban is a very powerful tool and I have not leveraged it much. So what next step would you suggest?
No, I am not asking for your POST data.
Yes, it is time to act.

You said it was installed. What OS are you utilizing on the server?
What version of fail2ban?
Issue
Code:
fail2ban-server -V | head -1
and let me know.

You never answered my question: Is imgmanager the extension in question?
If not, is imgmanager valid?

All directories should be 755 with a couple of exceptions, eg: cgi-bin type stuff
and an "Upload" directory too, I suppose.
All files should be 644 with even fewer expected exceptions
 
Old 05-24-2016, 12:06 PM   #9
newbie14
Dear Habitual,
OK, my OS is centos-release-6-7.el6.centos.12.3.x86_64. My fail2ban is Fail2Ban v0.9.3. Sorry, I missed the question on imgmanager; no, it's not part of my code either. I don't think my PHP folder has a cgi-bin. Previously I read to change the ownership of all folders under /var/www/html to apache; is that correct to do?
 
Old 05-24-2016, 12:20 PM   #10
Habitual
Quote:
Originally Posted by newbie14 View Post
Dear Habitual,
OK, my OS is centos-release-6-7.el6.centos.12.3.x86_64. My fail2ban is Fail2Ban v0.9.3. Sorry, I missed the question on imgmanager; no, it's not part of my code either. I don't think my PHP folder has a cgi-bin. Previously I read to change the ownership of all folders under /var/www/html to apache; is that correct to do?
I'm sorry, Yes, apache:apache for /var/www/html for everything and sub-directories is the usual on CentOS so:
Code:
sudo chown apache:apache -R /var/www/html/
no cgi-bin stuff? Good. fail2ban can monitor that also.

Verify your apache logs at /var/log/httpd/access.log and /var/log/httpd/error.log please.

One more favor:
Code:
grep explore.gif /var/log/httpd/access_log
and examine the output:
They all using Firefox 3.6 ?

BTW: The "time" on the firewall report may not coincide with date/time/zone on web host.
More logs, better rules.

Last edited by Habitual; 05-24-2016 at 12:30 PM.
 
Old 05-24-2016, 12:52 PM   #11
newbie14
Dear Habitual,
I re-ran this command now: chown apache:apache -R /var/www/html/. Previously my robot.txt was owned by root, so now everything is apache. Actually cgi-bin is an old technology, right? I am wondering why it is still around with PHP. Yes, my logs are here: /var/log/httpd/access_log and /var/log/httpd/error_log.

The results of the command are here:
Quote:
218.161.6.169 - - [22/May/2016:16:49:44 +0800] "GET //images/stories/explore.gif HTTP/1.1" 404 224 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
218.161.6.169 - - [22/May/2016:16:50:01 +0800] "GET /myfolder//images/stories/explore.gif HTTP/1.1" 404 229 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
10.212.134.200 - - [22/May/2016:23:48:10 +0800] "GET /myfolder/images/stories/explore.gif HTTP/1.1" 404 228 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
The last line is from my own local test, which is why it shows Chrome.
What more logs do you need that could help?
 
Old 05-24-2016, 01:08 PM   #12
Habitual
OK:
Here's where the rubber hits the road:
Create by editing /etc/fail2ban/filter.d/custom.conf
so,
Code:
vi /etc/fail2ban/filter.d/custom.conf
or
Code:
nano /etc/fail2ban/filter.d/custom.conf
whichever you prefer, or some other method
and insert
Code:
[Definition]

docroot = /var/www/html
# One pattern per line; fail2ban substitutes <HOST> with its own IP/hostname pattern.
# '.' and '?' are regex metacharacters, so the literal "index.php?option" must be escaped.
failregex =  ^<HOST> .* ".*?plugin=imgmanager.*?"
             ^<HOST> .* ".*?POST /cgi-bin.*?"
             ^<HOST> .* ".*?POST /index\.php\?option=com_jce.*?"
             ^<HOST> .* ".*?stories.*?"
             ^<HOST> .* ".*?Firefox/3.6.*?"
ignoreregex =
Save and exit or exit with save...
then run
Code:
fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/custom.conf
and you should see something similar to this output (I used your Opening post log for this and got 6 hits)
Code:
Results
=======

Failregex: 6 total
|- #) [# of hits] regular expression
|  1) [2] ^<HOST> .* ".*?plugin=imgmanager.*?"
|  3) [2] ^<HOST> .* ".*?stories.*?"
|  4) [2] ^<HOST> .* ".*?Firefox/3.6.*?"
`-

Ignoreregex: 0 total

Summary
=======

Addresses found:
[1]
    218.161.6.169 (Sun May 22 16:49:27 2016)
    218.161.6.169 (Sun May 22 16:49:45 2016)
[3]
    218.161.6.169 (Sun May 22 16:49:44 2016)
    218.161.6.169 (Sun May 22 16:50:01 2016)
[4]
    218.161.6.169 (Sun May 22 16:49:44 2016) (already matched)
    218.161.6.169 (Sun May 22 16:50:01 2016) (already matched)

Date template hits:
38 hit(s): Day/MONTH/Year:Hour:Minute:Second

Success, the total number of match is 6

However, look at the above section 'Running tests' which could contain important
information.
Let us know!

Last edited by Habitual; 05-24-2016 at 03:35 PM.
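To see what the filter above actually does before putting it in a jail, here is an added Python script (not from the thread or from fail2ban itself) that expands <HOST> the way fail2ban does, runs the failregex lines over the log lines from the opening post, and credits each line to the first pattern that matches it, which is how fail2ban-regex counts hits and why later patterns show "(already matched)". It assumes an IPv4-only host pattern, abridges the log lines, and includes the thread's original com_jce line to show why an unescaped "?" never matches the URL.

```python
import re

# Simplified stand-in for fail2ban's <HOST> substitution (assumption: IPv4 only;
# fail2ban's real pattern also covers IPv6 and hostnames).
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The failregex lines from custom.conf. The com_jce line escapes '.' and '?',
# because unescaped they are regex metacharacters and the literal URL never matches.
FAILREGEX = [
    r'^<HOST> .* ".*?plugin=imgmanager.*?"',
    r'^<HOST> .* ".*?POST /cgi-bin.*?"',
    r'^<HOST> .* ".*?POST /index\.php\?option=com_jce.*?"',
    r'^<HOST> .* ".*?stories.*?"',
    r'^<HOST> .* ".*?Firefox/3.6.*?"',
]
# The com_jce line as originally written in the thread, kept for comparison.
BROKEN_COM_JCE = r'^<HOST> .* ".*?POST /index.php?option=com_jce'

# Abridged access_log lines from the opening post: two benign requests, four from the scanner.
SAMPLE_LOG = [
    '74.91.20.195 - - [22/May/2016:16:05:19 +0800] "GET / HTTP/1.1" 200 30 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '218.161.6.169 - - [22/May/2016:16:49:27 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"',
    '218.161.6.169 - - [22/May/2016:16:49:44 +0800] "GET //images/stories/explore.gif HTTP/1.1" 404 224 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '218.161.6.169 - - [22/May/2016:16:49:45 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"',
    '218.161.6.169 - - [22/May/2016:16:50:01 +0800] "GET /myfolder//images/stories/explore.gif HTTP/1.1" 404 229 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '93.180.64.220 - - [22/May/2016:17:19:33 +0800] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; Plukkie/1.6)"',
]

def to_python_regex(pattern):
    """Expand the <HOST> tag the way fail2ban does, then compile."""
    return re.compile(pattern.replace("<HOST>", HOST_PATTERN))

def line_matches(line, pattern):
    """True if a single failregex pattern matches the line on its own."""
    return to_python_regex(pattern).search(line) is not None

def run_filter(log_lines, patterns=FAILREGEX):
    """Mimic fail2ban-regex: a line is credited to the first pattern that matches it,
    so a later, broader pattern (Firefox/3.6) can show zero hits even though it would
    match those lines by itself. Returns (hits per regex, hits per host, missed lines)."""
    compiled = [to_python_regex(p) for p in patterns]
    hits = [0] * len(compiled)
    per_host = {}
    missed = 0
    for line in log_lines:
        for i, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits[i] += 1
                per_host[m.group("host")] = per_host.get(m.group("host"), 0) + 1
                break
        else:
            missed += 1
    return hits, per_host, missed

if __name__ == "__main__":
    hits, per_host, missed = run_filter(SAMPLE_LOG)
    for i, (pat, n) in enumerate(zip(FAILREGEX, hits), 1):
        print(f"{i}) [{n}] {pat}")
    print("Addresses found:", per_host, "| missed:", missed)
    print("original com_jce line matches the POST:", line_matches(SAMPLE_LOG[1], BROKEN_COM_JCE))
    print("escaped  com_jce line matches the POST:", line_matches(SAMPLE_LOG[1], FAILREGEX[2]))
```

Running it reproduces the shape of the fail2ban-regex output in the thread: two hits on imgmanager, two on stories, nothing credited to Firefox/3.6, and all four hits from 218.161.6.169.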
 
Old 05-24-2016, 01:26 PM   #13
Habitual
https://duckduckgo.com/?q=20%266bc42...1246b5f&ia=web
is quite informative about this exploit.

It uploads a specially-crafted .gif and renames it to .php, and it's a backdoor shell.
p0wn3d.
 
Old 05-24-2016, 03:46 PM   #14
Habitual
Install the clamav package using
Code:
sudo yum install clamav
and then update the clam signatures:
Code:
sudo freshclam
then scan /var/www/html/ using
Code:
sudo clamscan -ir /var/www/html > /root/clam.rpt
Examine /root/clam.rpt with say
Code:
less /root/clam.rpt
It will be obvious in that file.
If it's empty, breathe a sigh of relief, but don't relax, ever.

clamav does not disinfect anything, but it is an excellent reporting tool.

Enjoy the Goodness!
 
Old 05-25-2016, 05:16 AM   #15
newbie14
Dear Habitual,
I did accordingly, but my results do not tally with yours. I checked that the file is still there, because with grep the results are there.

Quote:
fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/custom.conf

Running tests
=============

Use failregex filter file : custom, basedir: /etc/fail2ban
Use log file : /var/log/httpd/access_log
Use encoding : UTF-8


Results
=======

Failregex: 5 total
|- #) [# of hits] regular expression
| 1) [2] ^<HOST> .* ".*?plugin=imgmanager.*?"
| 4) [3] ^<HOST> .* ".*?stories.*?"
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [15093] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 15093 lines, 0 ignored, 5 matched, 15088 missed [processed in 3.82 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 15088 lines
 
  

