Multiple YiiMP pools hacked, this is what we know so far.. - page 5.

Decker

member

Activity: 121

Merit: 61

May be i'm totally wrong, but i think first we should check filtration of input parameters in yaamp/modules/site/wallet.php and other places where address parameter and $_COOKIE['wallets'] exists. For example, there is no checks of type of this parameter. Small example, if we pass an array in address argument:

Code:

https:///?address[]=

We get Internal Server Error with message substr() expects parameter 1 to be string, array given. This is because getuserparam in libUtil.php doesn't check type of argument. Also this happens if we pass serialized array as address in wallets's cookie.

bluebox

full member

Activity: 150

Merit: 100

caeruleum arca archa

Hoo boy. You all have your work cut out for you, good luck!

MajedPro

newbie

Activity: 16

Merit: 0

i've installed yiimp on local server using [nginx - php 7.1 - mariadb ]

ran a quick scan nd found many vulnerabilities and could allow an attacker to upload files to server.

Cross Site Scripting

GET /?address="%20src=-->">'>'"
GET /explorer/graph?id=/./
GET /site/./
GET /site/block_results?id=/./
GET /stats/./

HTTP PUT File Upload
PUT /PUT-putfile
"The HTTP PUT method was designed to allow HTTP clients to store resources on a HTTP server"

pallas

legendary

Activity: 2716

Merit: 1094

Black Belt Developer

Since it affects multiple web servers, it can either be a php vulnerability (but we would probably know about it already) or injection into insecure yiimp code.
I would for sure look into the latter, starting with those scripts reported.

magnatum

member

Activity: 70

Merit: 10

Looks like there is ?address=%27 some reaction on ' symbol
maybe injection attack

crombiecrunch

member

Activity: 98

Merit: 10

So even my brand new server that I just setup yesterday, thats not even advertised yet was hit.

And of course tpruvot has issues disabled still on his github

kawaiicrypto

full member

Activity: 192

Merit: 101

Grepping for that useragent results in this (along with some noise which I have omitted, requests to get javascript, images and css):

Code:

192.160.102.165 - - [08/Sep/2017:21:29:30 +0000] "GET / HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:34 +0000] "GET /site/current_results HTTP/1.1" 200 968 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:34 +0000] "GET /site/history_results HTTP/1.1" 200 474 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:42 +0000] "GET /?address= HTTP/1.1" 200 2570 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:43 +0000] "GET /site/current_results HTTP/1.1" 200 968 "http://kawaiipool.party/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:43 +0000] "GET /site/user_earning_results?address= HTTP/1.1" 200 31 "http://kawaiipool.party/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:30:00 +0000] "GET /?address= HTTP/1.1" 200 181 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

and later this:

Code:

51.15.40.233 - - [08/Sep/2017:21:31:07 +0000] "GET / HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/current_results HTTP/1.1" 200 972 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/history_results HTTP/1.1" 200 474 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:27 +0000] "GET /lds.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:32:09 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

Decker

member

Activity: 121

Merit: 61

Interesting. Others affected also have /?address= GET request by attacker before get lds.php?

AltMiner.net

full member

Activity: 210

Merit: 100

AltMiner.Net | Low-Fee Pool | 2hr Payout

It looks like you can grep for "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" in your logfile, for me the attacker was the only person using this. I've filtered out all static content and see this in my logfile:

Code:

92.222.6.12 - - [08/Sep/2017:23:41:00 +0200] "GET / HTTP/1.1" 200 3703 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"

Code:

92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /?address= HTTP/1.1" 200 2898 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/current_results HTTP/1.1" 200 1152 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/history_results HTTP/1.1" 200 685 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/current_results HTTP/1.1" 200 1152 "https://altminer.net/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/user_earning_results?address= HTTP/1.1" 200 0 "https://altminer.net/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"

Code:

92.222.6.12 - - [08/Sep/2017:23:41:42 +0200] "GET /?address= HTTP/1.1" 200 171 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"

Code:

92.222.6.12 - - [08/Sep/2017:23:41:53 +0200] "GET /lds.php HTTP/1.1" 200 4893 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"

Code:

144.217.240.34 - - [08/Sep/2017:23:56:59 +0200] "GET /?address= HTTP/1.1" 200 171 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
144.217.240.34 - - [08/Sep/2017:23:57:04 +0200] "GET /lds.php HTTP/1.1" 200 4907 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
144.217.240.34 - - [08/Sep/2017:23:57:27 +0200] "GET /lds.php?d HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"

Seperated by the different actions. Currently also no idea on how the file was uploaded.

ex_mac

sr. member

Activity: 420

Merit: 250

"Proof-of-Asset Protocol"

51.15.63.98 - - [08/Sep/2017:23:18:05 +0200] "GET /assets/lds.php HTTP/1.1" 200 9739 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.63.98 - - [08/Sep/2017:23:19:52 +0200] "GET /assets/lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

No idea how file uploaded.

(looks like all private keys on hacker now.
some transactions was few hours after hack )

AltMiner.net

full member

Activity: 210

Merit: 100

AltMiner.Net | Low-Fee Pool | 2hr Payout

Quote from: barrysty1e on September 09, 2017, 06:58:55 AM

use lighttpd and havent had any problems?

also lighttpd was affected. We are running nginx with apache - same issue.

AltMiner.net

full member

Activity: 210

Merit: 100

AltMiner.Net | Low-Fee Pool | 2hr Payout

We were also affected. I thought i've seen several POST request against the explorer urls before, but cannot find them anymore. I'm also really wondering how they got this file uploaded there Sad

Decker

member

Activity: 121

Merit: 61

I was found the following string in my web-server logs:

Code:

POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1

That decodes too:

Code:

POST //cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-d+auto_prepend_file=php://input+-n HTTP/1.1

But i don't know what is this: attempt to hack yiimp or a vulnerability scan. Seems just a vulnerability scan, i haven't php and cgi-bin dir on www.

barrysty1e

hero member

Activity: 636

Merit: 516

Quote from: barrysty1e on September 09, 2017, 06:10:26 AM

i'd say most useful would be the commit of yiimp that you are running, httpd version (or package if installed this way), php module etc.
being able to upload anything directly to webroot indicates some fairly serious vuln..

most people running nginx here that were affected by this?

interesting; i ran vega (https://subgraph.com) against one of the yiimp pools i maintain for a client, and 'Possible HTTP PUT File Upload' is identified on the base URL for the pool. it gets particularly bad when you see this: https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/

could be wrong, but effectively allows attacker to upload a file, then call it (where it will run server side) effectively allowing them to do any number of things..
not sure if nginx is the issue here; i use lighttpd and havent had any problems?

james

BBoBB

sr. member

Activity: 346

Merit: 251

Do it right or don't do it at all.

the ip that hit minertopia : 176.193.113.124
he didn't use lds.php.. no traces of it.. will provide more info as soon as more is dug up
on another pool
171.25.193.78
198.245.60.8
185.170.42.18

magnatum

member

Activity: 70

Merit: 10

Cannot find such, server apache, php 7

barrysty1e

hero member

Activity: 636

Merit: 516

i'd say most useful would be the commit of yiimp that you are running, httpd version (or package if installed this way), php module etc.
being able to upload anything directly to webroot indicates some fairly serious vuln..

most people running nginx here that were affected by this?

enkayz

full member

Activity: 298

Merit: 100

hashbag.cc

Same here.

185.170.42.18 - - [08/Sep/2017:21:15:56 +0000] "GET /lds.php HTTP/1.1" 200 3314 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101
185.170.42.18 - - [08/Sep/2017:21:16:47 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101

hashrefinery

member

Activity: 120

Merit: 11

Timestamps are in UTC:

51.15.40.233 - - [08/Sep/2017:21:33:15 +0000] "GET /lds.php HTTP/1.1" 200 8972 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:37:43 +0000] "GET /lds.php?d HTTP/1.1" 200 237 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

[Fri Sep 08 21:33:15.698424 2017] [:error] [pid 24327] [client 51.15.40.233:19979] PHP Notice: Use of undefined constant mysql_connect - assumed 'mysql_connect' in /var/web/lds.php on line 290

Supercoiner111

full member

Activity: 490

Merit: 100

Great share, hopefully will the community help we can indentify what exploits were used in YAAMP open source pools.

Topic: Multiple YiiMP pools hacked, this is what we know so far.. - page 5. (Read 15725 times)