9th Nov 10:30 AM – A penetration test via the TOR network
An attempt to find vulnerable plugins running on the Irrawaddy.org site is detected. The attempt is carried out via the TOR network. The attacker scans the themes and plugins folder, and checked for theme/plugin version in the mandatory changelog.txt file.
184.108.40.206 - - [09/Nov/2015:11:28:19 -0500] "GET /wp-content/themes/linepress/changelog.txt HTTP/1.1" 404 41775 220.127.116.11 - - [09/Nov/2015:11:28:27 -0500] "GET /wp-content/plugins/ajax-the-views/changelog.txt HTTP/1.1" 404 41775 18.104.22.168 - - [09/Nov/2015:11:28:33 -0500] "GET /wp-content/plugins/i-recommend-this/changelog.txt HTTP/1.1" 404 41775 22.214.171.124 - - [09/Nov/2015:11:29:03 -0500] "GET /wp-content/plugins/listic-slider/changelog.txt HTTP/1.1" 404 41775 126.96.36.199 - - [09/Nov/2015:11:29:20 -0500] "GET /wp-content/plugins/meenews/changelog.txt HTTP/1.1" 404 41775 188.8.131.52 - - [09/Nov/2015:11:29:28 -0500] "GET /wp-content/plugins/meteor-slides/changelog.txt HTTP/1.1" 404 41775 184.108.40.206 - - [09/Nov/2015:11:29:36 -0500] "GET /wp-content/plugins/nextgen-gallery/changelog.txt HTTP/1.1" 200 72641
9th Nov 2015 – 11 AM Tracking social media
After securing the compromised websites we focus our efforts on better understanding the online presence of UOH.
The Union of Hacktivists has a Facebook group since April 2015.
The last statement, dated the 9th of November reads “Be careful that your behavior does not damage the country”. In Burmese: သင့္အျပဳအမူေၾကာင့္ တိုင္းျပည္မနစ္နာပါေစနဲ႕
A list of defacements performed by the group includes:
http://www.yatanarpon.com.mm/uoh.html 18th of October
http://www.shwefmradio.com/uoh.html 14th October
http://www.mmsdromfinder.com/uoh.html 14th October
http://www.mmstd.com/news/view/5543/?lang=my 12th October
http://burma.irrawaddy.org/index.html 9th October
http://www.nldchairperson.com 4th August (Not confirmed)
Other hacked sites include:
11th Nov 4:30 AM – The attacker tries to gain access during elections!
We receive an alarm from our monitor script. The attacker has tried to retrieve the Irrawaddy.org website credentials from the log file (log.txt), this time from IP address 220.127.116.11.
burma.irrawaddy.org:18.104.22.168 - - [11/Nov/2015:00:25:11 -0500] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" burma.irrawaddy.org:22.214.171.124 - "" [11/Nov/2015:00:25:28 -0500] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36"
In a sequence of transactions, the attacker tries to find out if any of the other backdoors are still active.
bur.irrawaddy.org:126.96.36.199 [11/Nov/2015:00:31:01] "GET /Backup/noob.php" bur.irrawaddy.org:188.8.131.52 [11/Nov/2015:00:31:08] "GET //Backup/noob.php" bur.irrawaddy.org:184.108.40.206 [11/Nov/2015:00:31:22] "GET /administrator/index.php" bur.irrawaddy.org:220.127.116.11 [11/Nov/2015:00:31:46] "GET /index.php" bur.irrawaddy.org:18.104.22.168 [11/Nov/2015:00:36:17] "GET /index.php?option=com_user&view=login" bur.irrawaddy.org:22.214.171.124 [11/Nov/2015:00:36:31] "POST /index.php/component/user/" bur.irrawaddy.org:126.96.36.199 [11/Nov/2015:00:36:32] "GET /index.php" bur.irrawaddy.org:188.8.131.52 [11/Nov/2015:00:37:16] "GET /index.php" bur.irrawaddy.org:184.108.40.206 [11/Nov/2015:00:37:16] "POST /index.php/component/user/" burma.irrawaddy.org:220.127.116.11 [11/Nov/2015:00:25:45] "GET /phpinfo.php?1=" burma.irrawaddy.org:18.104.22.168 [11/Nov/2015:00:25:57] "GET /phpinfo.php" burma.irrawaddy.org:22.214.171.124 [11/Nov/2015:00:28:08] "GET /fix.php?1=ls" burma.irrawaddy.org:126.96.36.199 [11/Nov/2015:00:28:34] "GET /content/index.php?1=ls" burma.irrawaddy.org:188.8.131.52 [11/Nov/2015:00:29:51] "GET /wp-content/wp-cache-config.php" burma.irrawaddy.org:184.108.40.206 [11/Nov/2015:00:29:55] "GET /wp-content/wp-cache-config.php?1=ls" burma.irrawaddy.org:220.127.116.11 [11/Nov/2015:00:29:59] "GET /wp-content/wp-cache-config.php?1=ls%20-al" burma.irrawaddy.org:18.104.22.168 [11/Nov/2015:00:30:12] "GET /wp-includes/http.php" burma.irrawaddy.org:22.214.171.124 [11/Nov/2015:00:30:16] "GET /wp-includes/http.php?1=ls" election-bur.irrawaddy.org:126.96.36.199 [11/Nov/2015:00:32:50] "GET /index.php?option=com_user&view=login" election-bur.irrawaddy.org:188.8.131.52 [11/Nov/2015:00:33:18] "GET /index.php" election-bur.irrawaddy.org:184.108.40.206 [11/Nov/2015:00:33:18] "POST /index.php?option=com_user" election-bur.irrawaddy.org:220.127.116.11 [11/Nov/2015:00:36:00] "GET /index.php?option=com_user&view=login" election.irrawaddy.org:18.104.22.168 [11/Nov/2015:00:34:02] "GET /index.php" election.irrawaddy.org:22.214.171.124 [11/Nov/2015:00:34:25] "GET /index.php?option=com_user&view=login" election.irrawaddy.org:126.96.36.199 [11/Nov/2015:00:34:36] "GET /index.php" burma.irrawaddy.org:188.8.131.52 [11/Nov/2015:00:34:51] "GET /test.php" burma.irrawaddy.org:184.108.40.206 [11/Nov/2015:00:35:30] "GET /wp-content/wp-polls/polls-logs.php" burma.irrawaddy.org:220.127.116.11 [11/Nov/2015:00:35:41] "GET /wp-content/plugins/wp-polls/polls-logs.php" burma.irrawaddy.org:18.104.22.168 [11/Nov/2015:00:35:44] "GET /wp-content/plugins/wp-polls/polls-logs.php?1=ls" burma.irrawaddy.org:22.214.171.124 [11/Nov/2015:00:39:40] "GET /wp-login.php" burma.irrawaddy.org:126.96.36.199 [11/Nov/2015:00:40:26] "POST /wp-login.php" burma.irrawaddy.org:188.8.131.52 [11/Nov/2015:00:46:00] "GET /wp-login.php" burma.irrawaddy.org:184.108.40.206 [11/Nov/2015:00:46:44] "GET /wp-login.php" burma.irrawaddy.org:220.127.116.11 [11/Nov/2015:00:47:00] "POST /wp-login.php"
12th Nov 15 PM – Show is over
As a result of our intervention, the Irrawaddy’s news sites have worked flawlessly during the election period. During the past 7 days, the following actions have been taken to secure the infrastructure of Irrawaddy:
- Received credentials from the affected organization
- Identified Cloudflare mitigation bypass methods
- Identified Origin server
- Reviewed the existing plugins and its vulnerabilities
- Identified malicious activity in two servers and several backdoors
- Removed backdoors and installed an alert system to track when the intruders were trying to access the server again.
- Disabled PHP functions that could be exploited by the attackers
- Reset all passwords from main CMSs
- Enforced files system attributes to deny file access to critical part of the CMSs
- Identified a new vulnerability scan via the TOR network
- Communicated the results of our findings to the Irrawaddy team on a daily basis.
The attackers are now aware of our existence and interventions, as they have noticed that their backdoors have been blocked. We are now closing this Rapid Response case.