A rather funny situation came up at work. Once again, while reviewing incidents in the SIEM, I found yet another scanning event: some odd host from Brazil had scanned us for all sorts of vulnerabilities. I was too lazy to write yet another abuse report, so I decided to see what kind of host it was and what could be done with it.
The first thing I did was turn to the 2ip service to find out what was hosted there and under which domain, but that gave nothing interesting. I ran nmap over the ports and also scanned for directories; again nothing special, but going directly to the server dropped us into the XAMPP web server dashboard, with links to various docs, guides and ... phpMyAdmin.
To my surprise, the MySQL database behind the exposed phpMyAdmin was not password-protected, and from there it was purely a technical matter. Besides the database utilities, we found a phpinfo file that reported the location of the XAMPP dashboard and, accordingly, all the paths needed to write into the web root.
The next step was to check the login to the admin area, but as I wrote above, no root password was set there, which gave us full access. Probably during installation (or afterwards, while configuring the database) access to the database was opened to the entire Internet instead of localhost only. I assume the root user was left without a password on the expectation that the database would be reachable only locally.
Because of this misstep, someone had climbed onto these guys' server and started running automated vulnerability scans of random systems on the Internet, including our mail server and a few other things.
Well, let's continue our simple quest and go into the database:
As you can see, there is full access; what remains is a flight of fancy. As is well known, web servers on Windows machines run as the SYSTEM user, but that is old news. We only need to upload a web shell and then stop the scanning of our infrastructure (the good way: cut out all the malware; the bad way: just block our IPs on the internal firewall).
We upload the web shell through the MySQL database using the INTO OUTFILE command:
The shell code itself:
<HTML><BODY><FORM METHOD='GET' NAME='myform' ACTION=''>
<INPUT TYPE='text' NAME='cmd'><INPUT TYPE='submit' VALUE='Send'></FORM>
<pre><?php if ($_GET['cmd']) { system($_GET['cmd']); } ?>
</pre></BODY></HTML>
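As an added defensive illustration (not the author's code), two checks that target the misconfigurations described above: a MySQL instance listening beyond localhost with an empty secure_file_priv (which is what lets INTO OUTFILE drop a file into htdocs), and a scan of MySQL general-log lines for script files written under the web root. The my.ini fragment, web-root path and log lines are constructed assumptions.

```python
import re
from configparser import ConfigParser

# Constructed my.ini fragment resembling a default XAMPP layout (not from the post).
WEAK_MY_INI = """[mysqld]
port=3306
bind-address=0.0.0.0
datadir="C:/xampp/mysql/data"
secure_file_priv=
"""

# Constructed general-query-log lines; the real server's logs were not shown.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 7 Query SELECT 1",
    "2024-01-01T10:00:05Z 7 Query SELECT '...' INTO OUTFILE 'C:/xampp/htdocs/cmd.php'",
    "2024-01-01T10:00:09Z 8 Query SELECT * INTO OUTFILE '/tmp/export.csv' FROM t",
]

def audit_mysqld(ini_text: str) -> list:
    """Return findings for the [mysqld] section: reachable beyond loopback,
    and FILE-privilege writes not confined by secure_file_priv."""
    cp = ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(ini_text)
    sec = cp["mysqld"] if cp.has_section("mysqld") else {}
    findings = []
    # MySQL listens on all interfaces when bind-address is absent.
    bind = (sec.get("bind-address") or "0.0.0.0").strip('"')
    if bind not in ("127.0.0.1", "::1", "localhost") and "skip-networking" not in sec:
        findings.append(f"bind-address={bind}: MySQL reachable from other hosts")
    sfp = sec.get("secure_file_priv")
    if sfp is None or sfp.strip('"') == "":
        findings.append("secure_file_priv empty: INTO OUTFILE can write into the web root")
    return findings

OUTFILE_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']+)'", re.IGNORECASE)
SCRIPT_EXT = (".php", ".phtml", ".phar")

def find_webroot_writes(log_lines, webroots=("/xampp/htdocs",)) -> list:
    """Return paths of script files written under a web root via INTO OUTFILE/DUMPFILE."""
    hits = []
    for line in log_lines:
        m = OUTFILE_RE.search(line)
        if not m:
            continue
        path = m.group(1).replace("\\", "/").lower()
        if path.endswith(SCRIPT_EXT) and any(w.lower() in path for w in webroots):
            hits.append(path)
    return hits
```

A non-empty secure_file_priv pointing outside htdocs, plus a root password and a loopback bind-address, would have closed the path used here; the log check is what a SIEM rule for this pattern reduces to.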
That is actually about it; the remaining steps are quite predictable. From the web shell we only needed access to the server in order to add a user, put it in the local Administrators group and connect to the server over RDP.
So that was the not-so-tricky way of dealing with one scanner of our infrastructure from the Internet. There was also a thought of putting a miner there, but the payoff would have been minimal and it was not worth it. As a bonus, I deleted the other web shells from the server; I did not set a database password, because apart from root there were no other users, and some application working with this database would probably have broken.
In the course of all these manipulations, the only ones who suffered were the attackers who had hacked this server earlier: their backdoors were removed.