
Topic: Multiple YiiMP pools hacked, this is what we know so far.. - page 5. (Read 15741 times)

member
Activity: 121
Merit: 61
Maybe I'm totally wrong, but I think first we should check the filtering of input parameters in yaamp/modules/site/wallet.php and other places where the address parameter and $_COOKIE['wallets'] exist. For example, there are no checks of the type of this parameter. Small example: if we pass an array as the address argument:
Code:
https:///?address[]= 
We get an Internal Server Error with the message substr() expects parameter 1 to be string, array given. This is because getuserparam in libUtil.php doesn't check the type of its argument. The same happens if we pass a serialized array as address in the wallets cookie.
full member
Activity: 150
Merit: 100
caeruleum arca archa
Hoo boy. You all have your work cut out for you, good luck!

newbie
Activity: 16
Merit: 0
I've installed yiimp on a local server using [nginx - php 7.1 - mariadb].

Ran a quick scan and found many vulnerabilities that could allow an attacker to upload files to the server.

Cross Site Scripting

GET /?address="%20src=-->">'>'"
GET /explorer/graph?id=/./
GET /site/./
GET /site/block_results?id=/./
GET /stats/./

HTTP PUT File Upload
PUT /PUT-putfile
"The HTTP PUT method was designed to allow HTTP clients to store resources on a HTTP server"

legendary
Activity: 2716
Merit: 1094
Black Belt Developer
Since it affects multiple web servers, it can either be a php vulnerability (but we would probably know about it already) or injection into insecure yiimp code.
I would for sure look into the latter, starting with those scripts reported.
member
Activity: 70
Merit: 10
Looks like there is some reaction to the ' symbol with ?address=%27,
maybe an injection attack.
member
Activity: 98
Merit: 10
So even my brand new server that I just set up yesterday, that's not even advertised yet, was hit.

And of course tpruvot has issues disabled still on his github
full member
Activity: 192
Merit: 101
Grepping for that useragent results in this (along with some noise which I have omitted, requests to get javascript, images and css):

Code:
192.160.102.165 - - [08/Sep/2017:21:29:30 +0000] "GET / HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:34 +0000] "GET /site/current_results HTTP/1.1" 200 968 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:34 +0000] "GET /site/history_results HTTP/1.1" 200 474 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:42 +0000] "GET /?address= HTTP/1.1" 200 2570 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:43 +0000] "GET /site/current_results HTTP/1.1" 200 968 "http://kawaiipool.party/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:43 +0000] "GET /site/user_earning_results?address= HTTP/1.1" 200 31 "http://kawaiipool.party/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:30:00 +0000] "GET /?address= HTTP/1.1" 200 181 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

and later this:

Code:
51.15.40.233 - - [08/Sep/2017:21:31:07 +0000] "GET / HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/current_results HTTP/1.1" 200 972 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/history_results HTTP/1.1" 200 474 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:27 +0000] "GET /lds.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:32:09 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
member
Activity: 121
Merit: 61
Interesting. Do others affected also have a /?address= GET request by the attacker before the GET of lds.php?
full member
Activity: 210
Merit: 100
AltMiner.Net | Low-Fee Pool | 2hr Payout
It looks like you can grep for "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" in your logfile, for me the attacker was the only person using this. I've filtered out all static content and see this in my logfile:

Code:
92.222.6.12 - - [08/Sep/2017:23:41:00 +0200] "GET / HTTP/1.1" 200 3703 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
Code:
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /?address= HTTP/1.1" 200 2898 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/current_results HTTP/1.1" 200 1152 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/history_results HTTP/1.1" 200 685 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/current_results HTTP/1.1" 200 1152 "https://altminer.net/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/user_earning_results?address= HTTP/1.1" 200 0 "https://altminer.net/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
Code:
92.222.6.12 - - [08/Sep/2017:23:41:42 +0200] "GET /?address= HTTP/1.1" 200 171 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
Code:
92.222.6.12 - - [08/Sep/2017:23:41:53 +0200] "GET /lds.php HTTP/1.1" 200 4893 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
Code:
144.217.240.34 - - [08/Sep/2017:23:56:59 +0200] "GET /?address= HTTP/1.1" 200 171 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
144.217.240.34 - - [08/Sep/2017:23:57:04 +0200] "GET /lds.php HTTP/1.1" 200 4907 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
144.217.240.34 - - [08/Sep/2017:23:57:27 +0200] "GET /lds.php?d HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"

Separated by the different actions. Currently also no idea how the file was uploaded.
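The two posts above describe the same triage by hand: grep the access log for the one user agent the attacker used, drop static assets, and look per client for a /?address= probe followed by a hit on lds.php. The script below is an added example that automates exactly that check (it is not code from the thread or from yiimp); the log lines it parses are constructed in the same combined format the posters pasted, with documentation-range IPs instead of the real ones.

```python
import re
from collections import defaultdict

# Combined access-log format as pasted in the thread (nginx's trailing "-" field is tolerated).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User agent the posters report as used only by the attacker on their pools.
SUSPECT_UA = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".ico")

# Constructed sample lines: the sequence from the thread plus one unrelated visitor.
SAMPLE_LINES = [
    '198.51.100.7 - - [08/Sep/2017:21:29:30 +0000] "GET / HTTP/1.1" 200 2715 "-" "' + SUSPECT_UA + '"',
    '198.51.100.7 - - [08/Sep/2017:21:29:31 +0000] "GET /main.css HTTP/1.1" 200 500 "-" "' + SUSPECT_UA + '"',
    '198.51.100.7 - - [08/Sep/2017:21:29:42 +0000] "GET /?address= HTTP/1.1" 200 2570 "-" "' + SUSPECT_UA + '"',
    '198.51.100.7 - - [08/Sep/2017:21:31:27 +0000] "GET /lds.php HTTP/1.1" 200 3210 "-" "' + SUSPECT_UA + '"',
    '203.0.113.9 - - [08/Sep/2017:21:40:00 +0000] "GET /?address=abc HTTP/1.1" 200 2570 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/60.0"',
]

def parse(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_sequences(lines):
    """Return {ip: [request targets]} for clients that used SUSPECT_UA and
    requested /?address= before any lds.php hit, the order seen in the thread."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if not rec or rec["ua"] != SUSPECT_UA:
            continue
        if rec["target"].split("?")[0].endswith(STATIC_EXT):
            continue  # drop static content, as the posters did before reading the log
        by_ip[rec["ip"]].append(rec["target"])
    hits = {}
    for ip, targets in by_ip.items():
        probe = next((i for i, t in enumerate(targets) if t.startswith("/?address=")), None)
        shell = next((i for i, t in enumerate(targets) if "lds.php" in t), None)
        if probe is not None and shell is not None and probe < shell:
            hits[ip] = targets
    return hits

if __name__ == "__main__":
    for ip, targets in find_sequences(SAMPLE_LINES).items():
        print(ip, "->", " , ".join(targets))
```

Feed it the real log with `find_sequences(open("access.log"))`; the user-agent filter is the weak link, so widen it once you know the attacker rotated agents.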
sr. member
Activity: 420
Merit: 250
"Proof-of-Asset Protocol"
51.15.63.98 - - [08/Sep/2017:23:18:05 +0200] "GET /assets/lds.php HTTP/1.1" 200 9739 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.63.98 - - [08/Sep/2017:23:19:52 +0200] "GET /assets/lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

No idea how the file was uploaded.

(Looks like all private keys are with the hacker now.
Some transactions were a few hours after the hack.)

full member
Activity: 210
Merit: 100
AltMiner.Net | Low-Fee Pool | 2hr Payout
use lighttpd and haven't had any problems?

Also lighttpd was affected. We are running nginx with apache - same issue.
full member
Activity: 210
Merit: 100
AltMiner.Net | Low-Fee Pool | 2hr Payout
We were also affected. I thought I'd seen several POST requests against the explorer URLs before, but cannot find them anymore. I'm also really wondering how they got this file uploaded there :(
member
Activity: 121
Merit: 61
I found the following string in my web-server logs:
Code:
POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
That decodes to:
Code:
POST //cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-d+auto_prepend_file=php://input+-n HTTP/1.1
But I don't know what this is: an attempt to hack yiimp or a vulnerability scan. Seems just a vulnerability scan; I don't have php or a cgi-bin dir under www.
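The request in the post above is the classic php-cgi argument injection shape: percent-encoded so it survives naive log grepping, with `+`-separated command-line tokens (`-d directive=value`, `-n`) in the query string that override php.ini and point `auto_prepend_file` at `php://input`. The helper below is an added example (not from the thread or yiimp) that decodes such a request line and lists the overrides so a pool operator can tell a scanner hit from a benign query; the sample request is a constructed, shortened version of the one in the post.

```python
from urllib.parse import unquote

# php.ini directives whose override from a query string is the tell-tale of
# php-cgi argument injection (the decoded request in the post sets all of these).
SENSITIVE_DIRECTIVES = {
    "allow_url_include", "auto_prepend_file", "disable_functions",
    "open_basedir", "safe_mode", "cgi.force_redirect",
}

# Constructed request line in the same encoding as the post's, cut down to three tokens.
SAMPLE_REQUEST = (
    "POST //%63%67%69%2D%62%69%6E/%70%68%70"
    "?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74"
    "+%2D%6E HTTP/1.1"
)

def decode_request(request_line):
    """Split 'METHOD target HTTP/x' and percent-decode the target.
    unquote() (not unquote_plus) keeps '+' as-is: here '+' separates argv
    tokens for php-cgi, it is not a form-encoded space."""
    method, target, version = request_line.split(" ", 2)
    return method, unquote(target), version

def cgi_argument_injection(request_line):
    """Return the command-line tokens smuggled into the query string, split into
    '-d' directive overrides, bare flags, and the subset of overrides that touch
    SENSITIVE_DIRECTIVES. All lists are empty for a normal query string."""
    _, target, _ = decode_request(request_line)
    _, _, query = target.partition("?")
    tokens = query.split("+")
    if not tokens[0].startswith("-"):
        return {"directives": [], "flags": [], "sensitive": []}
    directives, flags = [], []
    for i, tok in enumerate(tokens):
        if tok == "-d" and i + 1 < len(tokens):
            directives.append(tokens[i + 1])
        elif tok.startswith("-") and tok != "-d":
            flags.append(tok)
    sensitive = [d for d in directives if d.split("=", 1)[0] in SENSITIVE_DIRECTIVES]
    return {"directives": directives, "flags": flags, "sensitive": sensitive}

if __name__ == "__main__":
    print(decode_request(SAMPLE_REQUEST)[1])
    print(cgi_argument_injection(SAMPLE_REQUEST))
```

A hit with a 200 response only matters if php-cgi is actually reachable at that path; on a setup without /cgi-bin/php, as the poster describes, it is scanner noise worth recording but not evidence of compromise.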
hero member
Activity: 636
Merit: 516
I'd say most useful would be the commit of yiimp that you are running, httpd version (or package if installed this way), php module etc.
Being able to upload anything directly to webroot indicates some fairly serious vuln..

most people running nginx here that were affected by this?

Interesting; I ran vega (https://subgraph.com) against one of the yiimp pools I maintain for a client, and 'Possible HTTP PUT File Upload' is identified on the base URL for the pool. It gets particularly bad when you see this: https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/

Could be wrong, but it effectively allows an attacker to upload a file, then call it (where it will run server side), effectively allowing them to do any number of things..
Not sure if nginx is the issue here; I use lighttpd and haven't had any problems?

james
sr. member
Activity: 346
Merit: 251
Do it right or don't do it at all.
The IP that hit minertopia: 176.193.113.124
He didn't use lds.php.. no traces of it.. will provide more info as soon as more is dug up.
On another pool:
171.25.193.78
198.245.60.8
185.170.42.18
member
Activity: 70
Merit: 10
Cannot find such; server Apache, PHP 7.
hero member
Activity: 636
Merit: 516
I'd say most useful would be the commit of yiimp that you are running, httpd version (or package if installed this way), php module etc.
Being able to upload anything directly to webroot indicates some fairly serious vuln..

Most people running nginx here that were affected by this?
full member
Activity: 298
Merit: 100
hashbag.cc
Same here.

185.170.42.18 - - [08/Sep/2017:21:15:56 +0000] "GET /lds.php HTTP/1.1" 200 3314 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101
185.170.42.18 - - [08/Sep/2017:21:16:47 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101
member
Activity: 120
Merit: 11
Timestamps are in UTC:

51.15.40.233 - - [08/Sep/2017:21:33:15 +0000] "GET /lds.php HTTP/1.1" 200 8972 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:37:43 +0000] "GET /lds.php?d HTTP/1.1" 200 237 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

[Fri Sep 08 21:33:15.698424 2017] [:error] [pid 24327] [client 51.15.40.233:19979] PHP Notice:  Use of undefined constant mysql_connect - assumed 'mysql_connect' in /var/web/lds.php on line 290
full member
Activity: 490
Merit: 100
Great share, hopefully with the community's help we can identify what exploits were used in YAAMP open source pools.