Data Cha0s PHP script attempt
From: Kirby Angell (kangell_at_alertra.com)
Date: Fri, 01 Oct 2004 22:51:51 -0500 To: Incidents List <firstname.lastname@example.org>
-----BEGIN PGP SIGNED MESSAGE-----
Source IP: 184.108.40.206
Attack: PHP form variable include
Twice tonight our web server received URL requests like this:
The attack attempts to trick the uptime.php form into loading the given
URL through one of the form variables. Our forms are highly paranoid,
so that didn't work. Of interest though, if you haven't seen it (and I
hadn't) is the script they tried to download:
which isn't a JPG at all, but itself is a PHP page. I guess they
thought that our "pin" variable was used in an "include" statement. The
rogue PHP script does all sorts of interesting things such as, running
commands (as in the attack above), gathering intelligence, attempting
exploits, and setting up back doors.
The script is apparently not too recent. It won't work on any default
PHP install version 4.2 and above because it assumes the variables
passed to it will be converted to global variables (see:
http://www.php.net/manual/en/security.globals.php). Recent versions of
PHP no longer do this.
The attacking IP seems to be a radio station in Brazil. I have sent an
e-mail to them informing them that they are probably compromised.
I couldn't find much information about "lwp-trivial", but it seems to be
not good for anything but badness. I guess I'll have to look into
banning bots like this from our web server all together.
Get notified anytime your website goes down!
fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----