Jiasule: Tracing the sfmb Hacker Gang Through the Mass DedeCMS Intrusions

Source: Internet
Author: User
Tags analysis backdoor code control dedecms download file find


In June 2013, a high-risk variable-overwrite vulnerability was disclosed in DedeCMS's /plus/download.php file, making it easy for hackers to plant a webshell on sites running DedeCMS (note: a webshell is a website backdoor that can be used to control the server). Underground hackers then produced a complete automated attack program and used it against sites across the entire Internet: the program automatically submits the attack code and then checks whether the webshell was implanted successfully. Jiasule's data analysis shows that webshells uploaded through this vulnerability mainly use the following paths:

/plus/90sec.php # from the 90sec security team.

/plus/e7xue.php # from the fate technology forum

/plus/sfmb.php # origin unknown; this is the backdoor this article tracks.
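A site operator can check their own access logs for the pattern described above: a request to /plus/download.php followed by a check of one of the listed webshell paths. The following is an added example, not code from the article or from Jiasule; the log lines are constructed, and the combined log format, the `triage` function and the verdict names are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Paths taken from the article: the vulnerable entry point and the webshells.
ENTRY_POINT = "/plus/download.php"
WEBSHELL_PATHS = {"/plus/90sec.php", "/plus/e7xue.php", "/plus/sfmb.php"}

# Assumed format: ip - - [time] "METHOD target HTTP/x" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
RANK = {"probe": 0, "implant-attempt": 1, "webshell-present": 2}

def triage(lines):
    """Map each client IP that touched a webshell path to its worst verdict."""
    seen_entry, verdicts = set(), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, _method, target, status = m.groups()
        # Drop the query string, decode %xx escapes, ignore case.
        path = unquote(urlsplit(target).path).lower()
        if path == ENTRY_POINT:
            seen_entry.add(ip)
        elif path in WEBSHELL_PATHS:
            if status == "200":
                verdict = "webshell-present"   # the file answered: inspect the host
            elif ip in seen_entry:
                verdict = "implant-attempt"    # entry point first, then a check
            else:
                verdict = "probe"              # blind scan for someone else's shell
            if RANK[verdict] >= RANK.get(verdicts.get(ip), -1):
                verdicts[ip] = verdict
    return verdicts

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jul/2014:10:00:01 +0800] "GET /plus/download.php HTTP/1.1" 200 512
192.0.2.10 - - [01/Jul/2014:10:00:02 +0800] "POST /plus/sfmb.php?t=1 HTTP/1.1" 200 0
198.51.100.7 - - [01/Jul/2014:10:05:00 +0800] "GET /plus/download.php HTTP/1.1" 200 512
198.51.100.7 - - [01/Jul/2014:10:05:01 +0800] "GET /plus/90sec.php HTTP/1.1" 404 162
203.0.113.5 - - [01/Jul/2014:11:00:00 +0800] "GET /plus/e7xue.php HTTP/1.1" 404 162
203.0.113.9 - - [01/Jul/2014:11:30:00 +0800] "GET /plus/list.php?tid=3 HTTP/1.1" 200 9000
""".splitlines()

if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(ip, verdict)
```

A site that serves its custom error page with status 200 will show every probe as webshell-present, so confirm against the files actually present under /plus/.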

Security researchers at Knownsec's Jiasule found that these attacks came from botnets spread across the country and abroad, so the sources were rather complicated. After a period of follow-up, in July 2014 Jiasule successfully identified a hacker gang (referred to below as sfmb) exploiting the vulnerability.

It is understood that since the vulnerability was disclosed, Jiasule has intercepted hundreds of thousands of scans for it every day, with tens of thousands of sites scanned daily, and as of July this year the attacks against the vulnerability had not diminished. Hackers have successfully compromised countless websites through this vulnerability. At the end of last year alone, more than 3,600 websites that had been hacked this way came to Jiasule seeking protection.

According to website vulnerability detection data from the Security Alliance website, more than 60% of websites that have used DedeCMS have been attacked successfully. After these websites came under Jiasule's protection, the Jiasule platform intercepted and located these hacking attacks, and the results were carefully sorted out.

Example of Jiasule intercepting this attack

According to Knownsec Jiasule security experts, rigorous analysis showed that the /plus/sfmb.php webshell is very special: both the exploit code used and the backdoor itself are highly customized. The Jiasule security team's tracking found that these attacks have the following characteristics:

The attack sources involve hundreds of IP addresses covering all parts of the country, with the most zombie IPs in Fujian, Zhejiang, Guangdong, Hunan, Jiangxi, Jiangsu and other places. As the coverage map of the attacks shows, the hackers mostly chose the more developed provinces and cities, which helps conceal their identity.

The blue part is the main source of attack

Through its own analysis and in cooperation with some webmasters, the Jiasule security research team found that the string "sfmb" appears frequently in webshell paths and webshell passwords. Jiasule security experts made a preliminary guess that it is related to the hacker's ID, and so analyzed the string in more depth.

a. A Baidu search turned up websites that contain the string "sfmb" and have had black links inserted:

b. The inserted code contains an HTML comment "", from which it can basically be determined that "sfmb" is the hacker's ID or an organization code.

c. Jiasule security experts then found this ID's information on the well-known website "Pig". Judging from the bounty records posted there, it involves paying for a DedeCMS 0day, a custom tool similar to "China Knife" (a kind of website backdoor), batch operation of DedeCMS websites, and so on. At this point it can basically be confirmed that this person is the source of the attacks, and that the operation has evolved to the stage of paying a large group of people to take part in the crime.

Baidu's index shows that the ID spent a lot of money to have hacker tools made

Browsing the Pig website shows that the hacker has changed the ID to hkesg

d. After the transaction records on Pig established that the complete DedeCMS 0day zombie program was something he paid others to build, the personal QQ he left in a help request was found there; with his QQ located, all the questions were answered. The location shown on the profile is abroad; this may be fake information, or he may indeed be abroad.


There is another QQ

Tracking these attacks shows that hacking has grown from individuals working alone into gang crime, in which large sums are spent to hire others to assist, following an underground model of mass intrusion. Given how widely DedeCMS is used, the harm is great and deserves the attention of site operators. Jiasule has reported the hacker gang to the relevant state departments.
