Old 05-25-2016, 05:35 AM   #16
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled

Dear Habitual,
I had an issue with the clam installation, but I managed to install and update it. Luckily, the file results are empty. So should I leave clamav or uninstall it?
 
Old 05-25-2016, 05:59 AM   #17
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by newbie14 View Post
Dear Habitual,
I did accordingly. But mine does not tally with your results. I checked that the file is still there, because with grep the results are there.
I got 6 hits and you got 5.
It's a good day!

Quote:
| 1) [2] ^<HOST> .* ".*?plugin=imgmanager.*?"
| 4) [3] ^<HOST> .* ".*?stories.*?"
...
Lines: 15093 lines, 0 ignored, 5 matched
Quote:
Originally Posted by newbie14 View Post
So should I leave the clamav or uninstall it ?
I'd leave it.
 
Old 05-25-2016, 09:06 AM   #18
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Now we have to enable a jail.
I have a suggestion that may be different from the "norm" (who "me"?)
I suggest one additional jail and call it [custom]

I also highly advise you make a copy of /etc/fail2ban/jail.conf using
Code:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
and only edit your enabled jails in /etc/fail2ban/jail.local
This file will not be overwritten if an upgrade were to occur.

Here's a custom jail you can try:
Code:
[custom]
enabled  = true
port     = any
filter   = custom
action   = iptables-allports[name=custom, port="any", protocol=tcp]
logpath  = /var/log/httpd/access_log
backend  = polling
maxretry = 1
bantime  = -1
findtime = 600
Save and exit, or exit with save.

Now create the filter we'll use in the [custom] jail by editing /etc/fail2ban/filter.d/custom.conf
This file will not be overwritten if an upgrade were to occur.
and verify
Code:
[Definition]

docroot = /var/www/html
failregex =  ^<HOST> .* ".*?plugin=imgmanager.*?"
             ^<HOST> .* ".*?POST /cgi-bin.*?"
             ^<HOST> .* ".*?POST /index\.php\?option=com_jce.*?"
             ^<HOST> .* ".*?stories.*?"
             ^<HOST> .* ".*?Firefox/3.6.*?"
ignoreregex =
Save and exit, or exit with save.

Test:
Code:
fail2ban-regex  /var/log/httpd/access_log /etc/fail2ban/filter.d/custom.conf
Save your current rules and restart the fail2ban with the new custom jail:
Code:
sudo sh -c 'iptables-save > /root/saved.rules' && sudo service fail2ban restart
Restore the saved rules:
Code:
iptables-restore < /root/saved.rules
Test fail2ban-client + regex:
Code:
fail2ban-client get custom failregex
You should now be protected from these irritants.

Verify the ssh jail also is enabled in /etc/fail2ban/jail.local

Have Fun!

Last edited by Habitual; 05-26-2016 at 08:29 AM.
 
Old 05-26-2016, 10:58 PM   #19
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Habitual,
How to see this Summary
Quote:
=======

Addresses found:
[1]
218.161.6.169 (Sun May 22 16:49:27 2016)
218.161.6.169 (Sun May 22 16:49:45 2016)
[3]----
In my results?

I have been googling but I don't get much on the jail concept. Is it segregation?
 
Old 05-27-2016, 06:34 AM   #20
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by newbie14 View Post
Dear Habitual,
How to see this Summary

In my results?

I have been googling but I don't get much on the jail concept. Is it segregation?
Don't know.
I use Fail2Ban v0.8.10 and the output is different in later versions.

Try a manual run on a smaller sample.
Save this:
Code:
74.91.20.195 - - [22/May/2016:16:05:19 +0800] "GET / HTTP/1.1" 200 30 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
218.161.6.169 - - [22/May/2016:16:49:27 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"
218.161.6.169 - - [22/May/2016:16:49:44 +0800] "GET //images/stories/explore.gif HTTP/1.1" 404 224 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
218.161.6.169 - - [22/May/2016:16:49:45 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"
218.161.6.169 - - [22/May/2016:16:50:01 +0800] "GET /myfolder//images/stories/explore.gif HTTP/1.1" 404 229 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
93.180.64.220 - - [22/May/2016:17:19:33 +0800] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; Plukkie/1.6; http://www.botje.com/plukkie.htm)"
177.86.163.216 - - [22/May/2016:17:24:53 +0800] "GET / HTTP/1.1" 200 30 "-" "curl/7.17.1 (mips-unknown-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8i zlib/1.2.3"
177.86.162.205 - - [22/May/2016:17:30:47 +0800] "GET / HTTP/1.1" 200 30 "-" "curl/7.17.1 (mips-unknown-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8i zlib/1.2.3"
as say /root/xyz2

or
Code:
grep "index.php?option=com_jce" /var/log/apache2/access.log >> /root/xyz2
and then run the manual test using:
Code:
fail2ban-regex  /root/xyz2  /etc/fail2ban/filter.d/custom.conf
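
The manual test above can be approximated offline. This is an added example, not code from the thread or from fail2ban: it runs filter-style patterns over a few of the sample lines and reports hits per pattern plus the addresses found, and it shows why the `.` and `?` in `index.php?option` have to be escaped. The `HOST` expression and the function names are assumptions of this sketch.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption of this sketch).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Patterns in the style of the thread's custom filter. The last two differ only
# in whether the '.' and '?' of "index.php?option" are escaped.
FAILREGEX = [
    r'^<HOST> .* ".*?plugin=imgmanager.*?"',
    r'^<HOST> .* ".*?stories.*?"',
    r'^<HOST> .* ".*?POST /index.php?option=com_jce.*?"',
    r'^<HOST> .* ".*?POST /index\.php\?option=com_jce.*?"',
]

# Constructed sample: lines shortened from the access-log excerpt in the thread.
SAMPLE = '''\
74.91.20.195 - - [22/May/2016:16:05:19 +0800] "GET / HTTP/1.1" 200 30 "-" "Mozilla/4.0"
218.161.6.169 - - [22/May/2016:16:49:27 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"
218.161.6.169 - - [22/May/2016:16:49:44 +0800] "GET //images/stories/explore.gif HTTP/1.1" 404 224 "-" "Mozilla/5.0 Firefox/3.6"
93.180.64.220 - - [22/May/2016:17:19:33 +0800] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; Plukkie/1.6)"
'''

def run_filter(log_text, patterns=FAILREGEX):
    """Return one list of matching hosts per pattern, in pattern order.

    Every pattern is tried on every line and no date handling is done,
    which is a simplification of what fail2ban itself does.
    """
    compiled = [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
    hits = [[] for _ in patterns]
    for line in log_text.splitlines():
        for i, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits[i].append(m.group("host"))
    return hits

def summary(hits, patterns=FAILREGEX):
    """Format per-pattern hit counts and the set of addresses found."""
    rows = ["%d) [%d] %s" % (i + 1, len(h), p)
            for i, (h, p) in enumerate(zip(hits, patterns))]
    hosts = sorted({host for h in hits for host in h})
    return "\n".join(rows + ["Addresses found: " + ", ".join(hosts)])

if __name__ == "__main__":
    print(summary(run_filter(SAMPLE)))
```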
 
Old 05-27-2016, 01:01 PM   #21
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
If you care to try the same version I have, all is well.
Simply open a terminal, and issue:
Code:
cd /usr/src/
wget http://launchpadlibrarian.net/143972108/fail2ban_0.8.10-3_all.deb
sudo apt-get remove --purge fail2ban
sudo dpkg -i /usr/src/fail2ban_0.8.10-3_all.deb
The install should fire the service up and have a look at
Code:
fail2ban-client status
Now run the manual test again, and see if the output suits your tastes.
Code:
fail2ban-regex  /var/log/httpd/access_log /etc/fail2ban/filter.d/custom.conf
If you wish to keep this version of fail2ban:
Code:
sudo apt-mark hold fail2ban
Now is the perfect time to examine what happens when you uninstall fail2ban:
/etc/fail2ban/filter.d/custom.conf and /etc/fail2ban/jail.local will be all that is left from an uninstall.

Good Luck.
 
Old 05-28-2016, 09:16 AM   #22
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual View Post
I don't believe the issue at hand is /myfolder/images/stories/explore.gif
but that's my opinion.
Yet, again, I would be wrong when I said that. (before I found the actual exploit)
The exploit shows a 0day.gif being uploaded, renamed to 0day.php and then opening a remote shell.
0day.gif may not be the "messenger" here (/var/log/httpd/access_log would tell)
but the /images/stories is in the exploit, so "close enough" that I'd ban now and ask WTF later.

Add the old-as-dirt Firefox 3.6 User-agent and I'd say you have your exploit pretty well identified.
And knowing the payload, maybe you can write code into your existing stuff to dismiss this activity
as an additional layer to fail2ban.

Good Luck.
 
Old 05-28-2016, 11:18 AM   #23
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Habitual,
Thank you for the link to install and uninstall, but I am using CentOS and I read a long time ago that CentOS provides only the stable version of the software and discourages doing a manual install or uninstall. So what do you suggest then, to leave it with the current version?
 
Old 05-28-2016, 01:05 PM   #24
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by newbie14 View Post
I am using CentOS and I read a long time ago that CentOS provides only the stable version of the software and discourages doing a manual install or uninstall. So what do you suggest then, to leave it with the current version?
Leave it.

Please review https://sucuri.net/website-security/...ort-2016Q1.pdf

Is fail2ban banning?
If you enabled it and restarted the service in any way, you should be able to issue:
Code:
fail2ban-client status custom
and see some encouraging results.

I don't know what CentOS recommends, but all OSs will have similar recommendations,
for the inexperienced. Defaults are good.

All that apt-get, apt-mark stuff you can use another time on an Ubuntu host.

Have a Good Holiday Weekend!
 
  

