Fake WordPress Plugins

Over the last two days I have seen an increasing number of fake WordPress plugins which are actually not plugins at all but PHP scripts that attempt to join a botnet currently being used for DDoS attacks. So far the only common link I can see across all the sites is that they run old, vulnerable versions of WordPress. The two new ones I have seen that are common to all sites are ‘likebtn-like-button’ and ‘tell-a-friend’. If you find either of these folders in the ‘wp-content/plugins/’ folder you may unknowingly be participating in DDoS attacks.

Inside the ‘tell-a-friend’ folder there are 7 uploaded files; every site I checked that had them had identical content in these files:

  • button.gif – A like button to make it look legit I guess?
  • File.ext – A 2 byte file, appears to just be a single carriage return.
  • readme.txt – A readme file, I assume also there to make this plugin look legit.
  • 4 PHP files with randomly generated names – no two were the same among the ones I found. Names were ones such as ‘z3tObCSwdg8Cd.php’, ‘zaLv7ZUnV.php’, ‘zNAnajFKekMM.php’, ‘zxIORPpHro.php’. All 4 files were exactly the same. Similar versions of these files were last seen a couple of months ago.

Inside the ‘likebtn-like-button’ folder there are 3 files uploaded:

  • index.php – No content displayed to browsers, contains single comment “Silence is golden.”
  • likebtn_like_button.php – WSO Shell 2.5. If you browse to it in a browser it is password protected; the password is ‘hashpsa’ (md5 is used in the file; the stored hash is “c56ff4ccbccfa528e268998428f0a380”).
  • likebtn-like-button-readme.txt – A readme file, perhaps to make the plugin look legit.

The PHP files in the ‘tell-a-friend’ directory are the ones that connect to the botnet. Here is a simple step through of what it does:

The first part of the script starts off by making sure it will run on both PHP 4 and 5 and then kills off any existing processes. Notice that the killall here kills all instances of ‘host’, because of the basename function. If you check the process listing you will see this process appears to run as ‘/usr/bin/host’.

The script checks whether /usr/bin/host is readable using fopen (‘rb’ is read binary) and, if it is, checks which system the binary is compiled for. If it is FreeBSD, extra objects are loaded (the bot appears to support threading) and, if /etc/rc.local doesn’t exist, it is created (empty). I assume this should not succeed on most systems, as the user the PHP script runs as should not have the required privileges.

A check is done to determine whether the script has been executed by the web server or is running via the command line ($_SERVER is populated by the web server with details of the request). If it is running via the web server, the variable $AU is set to the server address in a format like domain.com/wp-content/plugins/tell-a-friend/zsEh2Kxjng.php.

If the script is running via the command line or some other method, and it is running as the user root (uid 0), it writes a copy of itself to the current working directory and adds itself to the files “/etc/rc.d/rc.local”, “/etc/rc.local” and “/etc/rc.d/rc.local” so that it starts on boot. This should never happen normally unless you execute it manually for some reason.

Below is the shared object that is loaded when host is executed. A test is done to determine whether the 32-bit or 64-bit object is loaded. If I get some spare time this weekend I will have a closer look at this – this is the part of the bot that does all the work.

The architecture is tested and the appropriate shared object is dumped to the file libworker.so.
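As an added example that is not part of the original post, the Python script below turns the indicators described above into a check a sysadmin can run: it walks a wp-content/plugins directory looking for the two plugin folder names, the 2-byte File.ext, several identical randomly named PHP files and the WSO password hash, and it parses ‘ps aux’ output for a ‘host’ process run by the web-server account rather than by a real user. The filename pattern and the list of web-server accounts are assumptions generalised from the samples in the post; the sample directory tree and ps lines are constructed placeholders, not the real dropper.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Indicators taken from the post above.
KNOWN_FAKE_PLUGIN_DIRS = {"likebtn-like-button", "tell-a-friend"}
WSO_PASSWORD_MD5 = "c56ff4ccbccfa528e268998428f0a380"
# Heuristic (an assumption generalised from the four dropper names in the post):
# a 'z' followed by a run of random alphanumerics. Real plugin files rarely look like this.
RANDOM_PHP_NAME = re.compile(r"^z[A-Za-z0-9]{6,16}\.php$")
# Accounts a web server typically runs as (assumption; adjust for your distribution).
WEB_USERS = {"apache", "www-data", "httpd", "nobody"}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_plugins_dir(plugins_root):
    """Walk wp-content/plugins and return a list of (plugin_dir, reason) findings."""
    findings = []
    for name in sorted(os.listdir(plugins_root)):
        plugin = os.path.join(plugins_root, name)
        if not os.path.isdir(plugin):
            continue
        if name in KNOWN_FAKE_PLUGIN_DIRS:
            findings.append((name, "directory name matches a known fake plugin"))
        identical = defaultdict(list)  # content hash -> randomly named PHP files
        for fname in sorted(os.listdir(plugin)):
            fpath = os.path.join(plugin, fname)
            if not os.path.isfile(fpath):
                continue
            if fname == "File.ext" and os.path.getsize(fpath) == 2:
                findings.append((name, "2-byte File.ext marker"))
            if fname.endswith(".php"):
                with open(fpath, "rb") as fh:
                    if WSO_PASSWORD_MD5.encode() in fh.read():
                        findings.append((name, f"{fname} carries the WSO shell password hash"))
                if RANDOM_PHP_NAME.match(fname):
                    identical[_sha256(fpath)].append(fname)
        for files in identical.values():
            if len(files) >= 2:  # the post saw 4 byte-identical copies per site
                findings.append((name, f"{len(files)} identical randomly named PHP files: "
                                       f"{', '.join(files)}"))
    return findings


def suspicious_host_processes(ps_lines, web_users=WEB_USERS):
    """From 'ps aux' output lines, return (user, pid) where a web-server account runs 'host'."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 10)  # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(parts) < 11:
            continue
        user, pid, command = parts[0], parts[1], parts[10]
        if os.path.basename(command.split()[0]) == "host" and user in web_users:
            hits.append((user, int(pid)))
    return hits


# Constructed 'ps aux' lines: a genuine lookup by root, and the bot posing as host under apache.
SAMPLE_PS = [
    "USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND",
    "root         1  0.0  0.1  24000  2100 ?        Ss   09:00   0:01 /sbin/init",
    "root      4321  0.0  0.0  18000  1500 pts/0    S+   10:02   0:00 host example.com",
    "apache   12345  0.3  0.2  52000  9000 ?        S    10:00   0:05 /usr/bin/host",
]


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_tree(root):
    """Constructed layout mirroring the post's description; contents are placeholders, not the dropper."""
    taf = os.path.join(root, "tell-a-friend")
    os.makedirs(taf)
    _write(os.path.join(taf, "button.gif"), b"GIF89a")
    _write(os.path.join(taf, "File.ext"), b"\r\n")  # stands in for the 2-byte file
    _write(os.path.join(taf, "readme.txt"), b"Tell a friend\n")
    for fname in ("z3tObCSwdg8Cd.php", "zaLv7ZUnV.php", "zNAnajFKekMM.php", "zxIORPpHro.php"):
        _write(os.path.join(taf, fname), b"<?php /* placeholder standing in for the dropper */ ?>")
    lb = os.path.join(root, "likebtn-like-button")
    os.makedirs(lb)
    _write(os.path.join(lb, "index.php"), b"<?php // Silence is golden.")
    _write(os.path.join(lb, "likebtn_like_button.php"),
           b"<?php /* placeholder */ $auth_pass = '" + WSO_PASSWORD_MD5.encode() + b"'; ?>")
    _write(os.path.join(lb, "likebtn-like-button-readme.txt"), b"Like button\n")
    legit = os.path.join(root, "akismet")  # a benign plugin that must not be flagged
    os.makedirs(legit)
    _write(os.path.join(legit, "akismet.php"), b"<?php /* Plugin Name: Akismet */ ?>")


def demo():
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_plugins_dir(tmp)


if __name__ == "__main__":
    for plugin, reason in demo():
        print(f"{plugin}: {reason}")
    print("host run by a web-server user:", suspicious_host_processes(SAMPLE_PS))
```

On a live server, point scan_plugins_dir at the real wp-content/plugins path and feed the output of ‘ps aux’ to suspicious_host_processes; the identical-content check is deliberately independent of the directory name, so it still fires if the dropper is planted under a folder not named in the post.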

I believe the botnet uses the Google public DNS server (8.8.8.8) to communicate over UDP port 53. If you do not use this DNS server in your server’s resolv.conf, blocking UDP port 53 to it is recommended. You can do this easily with iptables:

iptables -I OUTPUT -p udp -d 8.8.8.8 --dport 53 -j DROP

I have some packet captures of the traffic; I will edit this post a bit later with examples.

Posted in Web.

3 Comments

  1. Thanks a lot for posting this article. I work as a systems administrator and found /usr/bin/host running under the apache user, when I looked into system calls being done for that command, I came across this code, and googled it. Your post is the only thing that’s helpful. I truly appreciate your work on this.

  2. Pingback: Backdoor:PHP/Shell.N - ovidiugabriel.net
