
An unknown (to me) user-agent string : "site-check"

Bot, spambot?

         

Marino

10:35 pm on Jul 13, 2008 (gmt 0)

10+ Year Member



Hello all,

My web site has been hit by something with "site-check" as a unique user-agent string:

88.151.#*$!.32 - - [04/Jul/2008:06:53:30 +0200] "GET /FCKeditor.2.3.2/qzdobvbjf.html HTTP/1.1" 404 246 "-" "site-check"
88.151.#*$!.31 - - [04/Jul/2008:06:53:32 +0200] "GET /IMG/flv/swhndyyvg.html HTTP/1.1" 404 246 "-" "site-check"
88.151.#*$!.36 - - [04/Jul/2008:06:53:33 +0200] "GET /FCKeditor.2.3.2/editor/skins/ccpdouxfk.html HTTP/1.1" 404 246 "-" "site-check"
88.151.#*$!.31 - - [04/Jul/2008:06:53:33 +0200] "GET /IMG/distant/png/vgakproac.html HTTP/1.1" 404 246 "-" "site-check"

IPs range from 88.151.#*$!.30 to 88.151.#*$!.37 and ask for machine-generated page names.

Ever heard of this bot?

Marino

[edited by: Receptional at 2:52 pm (utc) on July 14, 2008]
[edit reason] Had to take out the specific IP numbers [/edit]
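As an added, defender-side example (not code from the thread or from any poster), a small Python script that parses Apache combined-format lines like the ones above and flags requests carrying the "site-check" user agent or paths under /FCKeditor, then counts 404 probes per source address and lists the /24 prefixes they came from. The sample lines and the 192.0.2.x / 198.51.100.x addresses are constructed stand-ins for the masked IPs.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format, modelled on the probes
# quoted in the post. 192.0.2.x / 198.51.100.x are documentation ranges,
# not the poster's real (masked) addresses.
SAMPLE_LOG = """\
192.0.2.32 - - [04/Jul/2008:06:53:30 +0200] "GET /FCKeditor.2.3.2/qzdobvbjf.html HTTP/1.1" 404 246 "-" "site-check"
192.0.2.31 - - [04/Jul/2008:06:53:32 +0200] "GET /IMG/flv/swhndyyvg.html HTTP/1.1" 404 246 "-" "site-check"
192.0.2.36 - - [04/Jul/2008:06:53:33 +0200] "GET /FCKeditor.2.3.2/editor/skins/ccpdouxfk.html HTTP/1.1" 404 246 "-" "site-check"
192.0.2.31 - - [04/Jul/2008:06:53:33 +0200] "GET /IMG/distant/png/vgakproac.html HTTP/1.1" 404 246 "-" "site-check"
198.51.100.7 - - [04/Jul/2008:06:54:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# One regex for the combined log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SUSPECT_UA = {"site-check"}          # user agent seen in the thread
SUSPECT_PATHS = ("/FCKeditor",)      # default FCKeditor install prefix being probed

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_probe(entry):
    """A request is a probe if its UA is on the suspect list or it walks the FCKeditor tree."""
    return entry["ua"] in SUSPECT_UA or entry["path"].startswith(SUSPECT_PATHS)

def summarize(log_text):
    """Return (probe entries, 404 probe count per IP, sorted /24 prefixes of those IPs)."""
    probes = [e for e in map(parse_line, log_text.splitlines()) if e and is_probe(e)]
    per_ip = Counter(e["ip"] for e in probes if e["status"] == "404")
    prefixes = sorted({ip.rsplit(".", 1)[0] for ip in per_ip})
    return probes, per_ip, prefixes

if __name__ == "__main__":
    probes, per_ip, prefixes = summarize(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} probe(s)")
    print("source /24s:", prefixes)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a single /24 hammering random file names under a known editor path is the pattern worth alerting on.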

webdoctor

8:17 am on Jul 16, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



FCKeditor has had at least one [nvd.nist.gov] big security vulnerability recently ("upload and execute arbitrary code" - which doesn't sound good...)

My guess is that "site-check" is someone scanning your server to see if they can hack you...

Marino

12:45 pm on Jul 16, 2008 (gmt 0)

10+ Year Member



Good and pertinent answer: my site has been pirated, and many sub-dirs bear an extra .htaccess and some php pages on which I have no rights.

I'm currently cleaning this out with my hosting company.

Damn! Damn! Damn!

Marino

5:24 pm on Jul 16, 2008 (gmt 0)

10+ Year Member



For FCK Editor: I've plugged it into the CMS I use, and no one except me can get to the admin and use the text editor.

Do you think one can use fckeditor from outside a CMS? Yes!

That was nasty. Each subdir would bear a .htaccess like:

Options -MultiViews
ErrorDocument 404 //FCKeditor.2.3.2/time.php

... and two PHP files (I've inserted spaces into the "eval" and "base64_decode" commands):

If you wanna know what's hidden in this, just replace the "eval" commands with some "print_r" and run the code on your local server. Digging in the code, you will find 4 includes with base64 again. Deobfuscating them, you will find:

<snip: code dump removed>

http://example.users.***removed***.ru/?.0
http://example.users.***removed***/?.1
http2://example.users.***removed***.ru/?.2
http2://example.users.***removed***.ru/?.3

Ok, ok, ok... Russian mafia, again...

Let's go on. Trying to use the fck editor, I've found that the directories to which I used to upload images were no more available. They all had been replaced by... a link. Digging in the code, I've found that:

[...]
<td nowrap="nowrap">
<span id="eUploadMessage">Upload a new file in this folder</span><br><a href="http://www.example.com/example/editors/example.html" class=giepoaytr>example</a>
[...]

Ok again, the ***example*** company seems to be a clean firm. I sent them a mail to ask for any explanations.

Keying "example" (with the double quotes) into Google, I've found other infected web sites. I sent a mail to the webmasters to warn them.

Well, now I have to (try to) find out where the fault is, and how I can solve it.

[edited by: engine at 2:09 pm (utc) on July 17, 2008]
[edit reason] code dump removed, and examplified [/edit]

webdoctor

12:45 pm on Jul 17, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



IMHO there's no need to post the exploit code in full here - a brief description of what's involved would suffice.