Google DNS Exploit [SOLVED]

george
Posts: 87
Joined: Fri 3. Jan 2020, 05:53
Location: AUSTRALIA

Google DNS Exploit [SOLVED]

Post by george »

Hi all,
upon checking my notification emails today - those sent by CSF (like fail2ban) - I noticed that one exploit appears to be launched from Google DNS IP: 8.8.8.8. I have searched online and not found much on this.

Here are the offending log entries:

Code:

Time:     Fri Feb 21 05:22:33 2020 +1100
IP:       8.8.8.8 (US/United States/dns.google)
Failures: 10 (accessdenied)
Interval: 86400 seconds
Blocked:  Temporary Block for 86400 seconds [LF_CUSTOMTRIGGER]

Log entries:

8.8.8.8 - - [21/Feb/2020:05:19:48 +1100] "GET /wp-content/plugins/wp-e-commerce/wpsc-includes/misc.functions.php?image_name=../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 967 4036
8.8.8.8 - - [21/Feb/2020:05:20:02 +1100] "GET /wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=../../../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 999 4036
8.8.8.8 - - [21/Feb/2020:05:20:14 +1100] "GET /wp-content/plugins/eshop-magic/download.php?file=../../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 942 4036
8.8.8.8 - - [21/Feb/2020:05:20:25 +1100] "GET /wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 945 4036
8.8.8.8 - - [21/Feb/2020:05:21:15 +1100] "GET /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 975 4036
8.8.8.8 - - [21/Feb/2020:05:21:28 +1100] "GET /wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 952 4036
8.8.8.8 - - [21/Feb/2020:05:21:40 +1100] "GET /wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 948 4036
8.8.8.8 - - [21/Feb/2020:05:21:52 +1100] "GET /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 947 4036
8.8.8.8 - - [21/Feb/2020:05:22:17 +1100] "GET /wp-content/themes/felis/download.php?file=../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 926 4036
8.8.8.8 - - [21/Feb/2020:05:22:28 +1100] "GET /wp-content/force-download.php?file=../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 919 4036
This may be mitigated by only allowing port 53 connections from 8.8.8.8, but I would like a better understanding of how this exploit is possible.

Any ideas?

PS: My best guess at the moment is that maybe one of the external nameservers suffered DNS cache poisoning?
Update: I am still looking into this, mainly to avoid such situations in future...
Last edited by george on Fri 21. Feb 2020, 22:06, edited 1 time in total.
george

Re: Google DNS Exploit [SOLVED]

Post by george »

This issue was mostly my fault. Playing with CSF, I recently decided to add the user access log into the mix, to try and catch more exploits. What I didn't realise is that some of the entries contain hostnames instead of IP addresses. I have now removed this log from CSF watching, and now stick to the more useful logs to monitor - including other_vhosts_access.log.

How was it done?

The PHP/WordPress exploits (which were ineffectual) appeared with the correct IP address in the other_vhosts_access.log before being redirected to the canonical HTTPS URL; which is how it later appeared in the user access log. In the user access log it appeared with "hostname" instead of IP. So what was the hostname?
8.8.8.8 of course!!!

This is the proper IP entry in latest notification email - notice the hostname appears after the country:

Code:

IP: 151.236.57.247 (GB/United Kingdom/8.8.8.8)
Don't believe me? check for yourself. Enter in terminal:

Code:

host 151.236.57.247
OUTPUT:
247.57.236.151.in-addr.arpa domain name pointer 8.8.8.8.
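The lesson of the thread is that a reverse-DNS (PTR) name is attacker-controlled text: the owner of 151.236.57.247 simply set its PTR record to the string "8.8.8.8", and any log or notification that prints the resolved name instead of the client address then shows a value that looks exactly like Google's resolver. The added example below is not from the post or from CSF/lfd; it shows two defensive checks a practitioner would want. First, it parses the "IP: <address> (<country code>/<country>/<rdns>)" line in the format the post's notification uses and applies forward-confirmed reverse DNS: a PTR name that is itself an IP literal is treated as spoofed outright, and any other name must resolve forward to the same address to be trusted. Second, it checks whether an access log's leading client field carries hostnames at all, which is the signal that the log should not be fed to an IP-based blocker. The sample notification and access-log lines, the FAKE_FORWARD table standing in for the resolver (so the example runs offline), and all function names are constructed for this example.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Constructed samples in the formats the post shows (not copied from the post's logs):
# the "IP:" line of a CSF/lfd notification, and the leading client field of an
# access log written by a web server that logs resolved hostnames.
NOTIFICATION_LINES = [
    "IP:       8.8.8.8 (US/United States/dns.google)",        # genuine Google resolver
    "IP:       151.236.57.247 (GB/United Kingdom/8.8.8.8)",   # PTR record spoofed to look like an IP
]
ACCESS_LOG_LINES = [
    '8.8.8.8 - - [21/Feb/2020:05:19:48 +1100] "GET / HTTP/1.1" 403 13 "-" "-"',
    'dns.google - - [21/Feb/2020:05:19:49 +1100] "GET / HTTP/1.1" 200 512 "-" "-"',
]

# Hypothetical offline stand-in for the resolver: forward (A record) answers only.
# A real deployment would query DNS here instead of this table.
FAKE_FORWARD: Dict[str, List[str]] = {
    "dns.google": ["8.8.8.8", "8.8.4.4"],
}


def forward_lookup(name: str) -> List[str]:
    """Return the addresses a hostname resolves to (offline table for this example)."""
    return FAKE_FORWARD.get(name, [])


# Matches "IP: <address> (<country code>/<country>/<reverse-dns name>)".
NOTIFY_RE = re.compile(
    r"^IP:\s+(?P<ip>\S+)\s+\((?P<cc>[^/]*)/(?P<country>[^/]*)/(?P<rdns>[^)]*)\)\s*$"
)


def is_ip_literal(text: str) -> bool:
    """True if the text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_notification(line: str) -> Optional[Dict[str, str]]:
    """Split the notification's IP line into address, country and reverse-DNS name."""
    m = NOTIFY_RE.match(line)
    return m.groupdict() if m else None


def classify_rdns(ip: str, rdns: str,
                  resolve: Callable[[str], List[str]] = forward_lookup) -> str:
    """Forward-confirmed reverse DNS verdict for a (client address, PTR name) pair.

    'spoofed-literal': the PTR text is itself an IP address. A legitimate hostname
                       never is; this is exactly the trick in the thread.
    'confirmed':       the PTR name resolves forward to the same address.
    'unconfirmed':     a hostname that does not resolve back to the address.
    """
    if is_ip_literal(rdns):
        return "spoofed-literal"
    if ip in resolve(rdns):
        return "confirmed"
    return "unconfirmed"


def triage_notification(line: str,
                        resolve: Callable[[str], List[str]] = forward_lookup
                        ) -> Optional[Dict[str, str]]:
    """Parse one notification IP line and attach the FCrDNS verdict."""
    rec = parse_notification(line)
    if rec is None:
        return None
    rec["verdict"] = classify_rdns(rec["ip"], rec["rdns"], resolve)
    return rec


def log_uses_hostnames(lines: List[str]) -> bool:
    """True if any leading client field is not an IP literal, i.e. the log records
    reverse-DNS names and must not be fed as-is to an address-based blocker."""
    return any(not is_ip_literal(line.split(" ", 1)[0])
               for line in lines if line.strip())


if __name__ == "__main__":
    for line in NOTIFICATION_LINES:
        rec = triage_notification(line)
        print(f"{rec['ip']:16} rdns={rec['rdns']:12} -> {rec['verdict']}")
    print("access log carries hostnames:", log_uses_hostnames(ACCESS_LOG_LINES))
```

Note that log_uses_hostnames needs a sample of lines, not one: a lone "8.8.8.8" field is textually indistinguishable from a real address, which is precisely why the spoofed PTR worked against a log-driven blocker. The only robust fix is the one george arrived at, namely to feed the blocker a log that records the client address, and to treat any reverse-DNS name as untrusted until it is forward-confirmed.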