• Hello and sorry if this is not the right forum for this question.
    I’m working for a webhosting company hosting a lot of wordpress sites for our customers.
    As of last Saturday our servers have been getting a lot of scanning traffic (other than the usual DDOS for xmlrpc and brute forces on wp-login.php) scanning for random files. The thing that stands out in these scans is the name Abdull Karem:

    GET /wp-includes/css/guide.php?php4&root&upl&wphp4&abdullkarem&
    GET /wp-includes/css/log.php?php4&root&upl&wphp4&abdullkarem&45
    GET /wp-includes/wp-class.php?php4&root&upl&wphp4&abdullkarem&4
    GET /wp-content/themes/guide.php?php4&root&upl&wphp4&abdullkare
    GET /wp-admin/log.php?php4&root&upl&wphp4&abdullkarem&450799&wp

    etc etc
    The scans are coming from dozens of different ip addresses, lots of them from cloud servers like Amazon.
    Sometimes I get more than 200pps for this scan alone per server.
    Has anybody experienced the same in their logs, and what are they looking for?

    Thanks for reading,

    Robert

Viewing 15 replies - 16 through 30 (of 32 total)
  • As of this morning (10/19/2015), I’m seeing similar activity in my logs too. I see GETs of:

    /index.php
    /wp-content/plugins/hello.php
    /wp-admin/index.php
    /wp-content/plugins/index.php
    /wp-content/themes/index.php
    /wp-content/index.php

    all coming from IP address 83.247.10.226, which is in the Netherlands.

    Peace…

    Based on the postings above, it seems like this might be an openly available script similar to a common Joomla plugin exploit script that Hmei7 (aka Indonesia Defacer) developed a year or two ago, so anyone is able to use it, which allows unauthorized read/write/delete access if successful.

    Keep your security protocols and defense measures up to date everyone! I’m glad people can post logs of people attempting and not succeeding, it means we’re ahead of the game in that aspect.

    I see this one every day, hundreds if not thousands of times.

    First off, it’s a distributed attacker. Generally, they all track back to various “instant” cloud service style hosting companies that allow you to open an account with nothing more than an email and a working credit card. My guess is the guy buys (cheaply) a pack of stolen credit cards, and has a bot that goes out and sets up the servers to scan for vulnerable wordpress installs.

    What are they looking for? The request string I see is:

    ‘450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1’

    What they are actually trying to access is WSO.PHP or SHWSO.PHP – which are webshells commonly used by hackers. What this guy (or guys) are trying to do is locate wordpress installs that have already been compromised. Possibly they are blindly tossing a file at the server using a known exploit / upload problem, and then coming back to see if it worked or not.

    Recommended is that you scan your wordpress directories for wso.php and shwso.php – delete if you find them, and assume you have a security issue and work to change passwords and update any stale code.

    @another Guy

    That’s precisely how it’s done from what I read on security blogs and forums I frequent; staying on top of this is of the utmost importance and information like that is highly valuable for security of all WordPress websites.

    Alex Kay

    (@skate323k137)

    I have noticed this scan hitting a lot of URIs on many sites on my network.

    Some may have malware, others are just being scanned from what I can tell.

    I am using a ModSecurity rule to drop this traffic with a TCP reset, which I created for a user on the cPanel forums:

    SecRule QUERY_STRING "abdullkarem" "drop,id:28946"

    @alex Kay

    Great simple solution, will recommend to others should I see the problem arise apart from people talking about here.

    Cheers.

    I was targeted by these basic queries.

    After banning and reporting the abuse to the infected machine’s hosting company,

    I looked for any file hit from the IP that had HTTP code 200.

    Fortunately, all were 404, 301 or 302.

    I suggest you do the same.

    It’s not a very effective exploit, but for those who aren’t updated with best security it’s a risk.

    This isn’t an exploit. Abdull is a political figure in the middle east. So you all add his name to your mod_sec rules, no news about him can be served by your webservers. This is a clever trick, not meant to damage your sites, but get you to exclude the name.

    Just make sure you block the IPs and not the string for these kinds of attacks, and only after sufficient attempts.

    Unixguru’s right, I think. We also suspect the same:
    https://bitninja.io/2015/10/26/abdullkarem-attack/

    Not blocking the attack is dangerous for your servers, as the volume of the attacks is sometimes quite high (attackers use hacked websites to proxy the attacks so resources are cheap for them). But if you just block the string ‘abdullkarem’ you help the attackers.

    The plot thickens!

    This is seriously interesting, that people go this far to block things out like that, political figures or not; it piqued my interest.

    Thanks for the info.

    Alex Kay

    (@skate323k137)

    “So you all add his name to your mod_sec rules, no news about him can be served by your webservers.”

    This is completely incorrect with the rule I suggested.

    The rule I suggested only stops incoming requests that contain the string AFTER the question mark (?) in the request line.

    So, outbound pages containing “abdullkarem” will serve fine. Requests for a page like site.com/abdullkarem.html would serve fine.

    All that would be blocked is a request like:

    site.com/something.php?abdullkarem

    I do not feel like this is “helping” the hackers at all. However, if you want to be transparent, you could change the drop command to deny,status:404 and the requests would just be denied with a forced 404 response no matter what (even if the target file did exist).
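To make concrete what the QUERY_STRING rule above does and does not match, and to run the “any 200 from a scanner IP” check suggested earlier in the thread, here is an added Python example (my own, not code from any poster); the log lines are constructed, the IPs are documentation addresses, and the three-marker threshold in is_scan_probe is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Marker keys that appear together in the scan's query strings (from the thread).
SCAN_KEYS = {"php4", "root", "upl", "wphp4", "abdullkarem"}

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Oct/2015:08:01:12 +0000] "GET /wp-admin/log.php?php4&root&upl&wphp4&abdullkarem&450799&wp HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Oct/2015:08:01:13 +0000] "GET /wp-includes/wso.php?php4&root&upl&wphp4&abdullkarem HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2015:08:02:01 +0000] "GET /abdullkarem.html HTTP/1.1" 200 9130 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2015:08:02:05 +0000] "GET /?s=abdullkarem HTTP/1.1" 200 7321 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one log line into a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so bare keys like "php4&root&upl" survive as keys
    rec["query_keys"] = set(parse_qs(parts.query, keep_blank_values=True))
    return rec

def query_rule_matches(rec):
    """Same test as SecRule QUERY_STRING "abdullkarem": substring of the query only."""
    return "abdullkarem" in urlsplit(rec["target"]).query

def is_scan_probe(rec):
    """Stricter context check: the name must arrive with the other scan markers,
    so a site search like /?s=abdullkarem is not treated as a probe."""
    return query_rule_matches(rec) and len(SCAN_KEYS & rec["query_keys"]) >= 3

def triage(lines):
    """Return (scanner IPs, requests from those IPs answered 200): the ones to inspect."""
    recs = [r for r in map(parse_line, lines) if r]
    scanners = {r["ip"] for r in recs if is_scan_probe(r)}
    hits = [(r["ip"], r["path"]) for r in recs
            if r["ip"] in scanners and r["status"] == 200]
    return scanners, hits
```

A request for /abdullkarem.html is untouched by the query-string rule, a WordPress search for the name is matched by the plain rule but not by the context-checked one, and the 200 for a probe path is the result that warrants a manual look at the file.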

    I think the point of the attack was to push sysadmins to detect the attack, and start banning the string.

    You might not even have an article about abdul, but, if the block sits at a large CDN, then it is effective.

    Alex Kay

    (@skate323k137)

    If it’s blocked carelessly, then certainly it can be an effective tactic. This is why you should have skilled people create your WAF rules to restrict strings only in certain contexts, or with extra conditions that must be met.

  • The topic ‘Whois Abdull Karem and why are they scanning?’ is closed to new replies.