Interesting PHP Attack Making The Rounds….

Uncle AndrewUncle Andrew
Filed under: @ 11:26 pm

Those of you who run or maintain Web servers probably already know about this, but it doesn’t hurt to Google it up a bit with another post on the subject.

A while back I cribbed a php script from somewhere online and futzed around with it until I had a little file that would continuously generate an HTML-based record of my visitors: IP address, host name, date, time referrer and OS/browser. (I take no credit for this whatsoever, save for the ability to cut and paste other people’s shit together until it more or less works.) It’s faster and easer than checking the actual IIS logs or generating a complete report, and can be checked from completely outside the firewall without a lot of dangerous port forwarding or tedious VPN.

About three weeks ago I began to notice some interesting hits in my access log. These hits always start with the main address of my blog but end with a regular page identifier (“?p=”, as in, “please take me to page number….”), then a long URL for any of a number of directories on various sites in Russia. It looked really suspicious. At first I took it to be some sort of trackback spam or “sping“. However, my software is pretty good at trashing these sorts of intrusions, and anyway these didn’t include a referrer, which is the usual SOP for trackback spammers. After switching to my Mac and donning my +10 Tor Helmet of Anonymity, I visited one of these sites. I was immediately presented with a screen full of gibberish, a text file containing some dense and (to me) unreadable code. I was getting a little paranoid.

After noodling around for what seemed like hours I found some answers online, courtesy of some folks much smarter than myself on a New Zealand PHP user BBS. The page of gibberish, once deobfuscated, appears to be a remote file include attack; an attempt to get my server to access and execute a piece of code from a remote computer. In this case, the code happens to be an IRC client. The client would then link up with a group of IRC hosts and set up to exchange files with them, presumably more exploits that would turn my computer into a zombie, using it as a staging ground for attacks on other servers. Pretty cute.

Fortunately a few different aspects of my setup–including but not limited to a lack of this sort of vulnerability in recent versions of WordPress–kept this attack from having any effect on my system, nor those of most relatively well-maintained servers. But the exploit is obviously making headway somewhere, because the number and variety of these hits in my access log is increasing. And I’m seeing a lot more chatter online about it as well….considerably more than I found when I was doing my initial search.

It seems for the moment that my system is (reasonably) safe (from this particular attack [knock phenolic resin]). But like I said in the beginning of this, the more people who write about this sort of thing, the greater the overall awareness. Knowledge is power. And power corrupts. Therefore….um….knowledge corrupts. But not as much as a corrupted server. Pass it on. :mrgreen:

Leave a Reply

All comments containing hyperlinks are held for approval, so don't worry if your comment doesn't show up immediately. (I'm not editing for content, just weeding out the more obvious comment spam.)

All portions of this site are © Andrew Lenzer, all rights reserved, unless otherwise noted.