SANS ISC: InfoSec Handlers Diary Blog
Strange & Random GET PHP Queries

Published: 2015-01-18
Last Updated: 2015-01-18 23:36:09 UTC
by Guy Bruneau (Version: 1)

Over the past few months, I have been observing strange web queries against my honeypot that always follow the same pattern, built from a pair of letters that changes with each instance. The first directory is the pair repeated twice, the second directory is the pair followed by its first letter again, and the script name is the pair itself with a .php extension. Here are some examples:

/ewew/ewe/ew.php
/fcfc/fcf/fc.php
/bpbp/bpb/bp.php
/wcwc/wcw/wc.php
/ovov/ovo/ov.php

I have also been regularly getting requests for the Linksys CGI script /tmUnblock.cgi (GET and POST) associated with the "TheMoon" Linksys worm [1], the WordPress login page /wp-login.php [2], the ColdFusion administrator page /CFIDE/administrator, as well as a multitude of other paths listed below:

/cgi-bin/test-cgi
/user/soapCaller.bs
/admin.php
/MyAdmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/pma/scripts/setup.php
/a2billing/customer/javascript/misc.js

This last example is URL encoded:

/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E

Which decodes to: [3]

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

These are php-cgi command-line options, and the request is the well-known php-cgi argument injection (CVE-2012-1823). The "=" signs are percent-encoded on purpose: a query string with no unencoded "=" is an "indexed query" under the CGI specification, which a CGI-enabled web server splits on "+" and passes to the script as command-line arguments instead of as a form query. The -d switches then override php.ini for that one request: allow_url_include=on together with auto_prepend_file=php://input makes PHP execute whatever the attacker sends in the request body, safe_mode, open_basedir, disable_functions and Suhosin blocking are switched off, cgi.force_redirect=0 lets php-cgi run without the usual redirect check, and -n tells php-cgi to ignore the php.ini file altogether. A php-cgi build that still accepts options from the query string is remotely exploitable by this single request.
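As an added example (not part of the diary, and not the honeypot's own tooling), the following Python script reads web-server access log lines and flags the three kinds of request discussed above: the /xyxy/xyx/xy.php pattern, the scanner paths listed in this diary, and php-cgi argument injection, which it detects by decoding the query string the way a CGI server does (RFC 3875 indexed queries: no unencoded "=", split on "+", percent-decode each piece). The log lines are constructed for the example in Common Log Format with documentation IP addresses; only the php-cgi query string is copied verbatim from the diary. The classification labels, the function names and the Common Log Format assumption are mine.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: ip ident user [timestamp] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# The diary's pattern /xyxy/xyx/xy.php with two different lowercase letters:
# the pair doubled, the pair plus its first letter again, then the pair as the
# script name.  Backreferences tie every segment to the same two letters.
PAIR_PATTERN_RE = re.compile(
    r'^/(?P<a>[a-z])(?!(?P=a))(?P<b>[a-z])(?P=a)(?P=b)'   # /xyxy
    r'/(?P=a)(?P=b)(?P=a)'                                # /xyx
    r'/(?P=a)(?P=b)\.php$'                                # /xy.php
)

# Paths the diary lists as regularly requested by scanners.
KNOWN_PROBE_PATHS = frozenset({
    "/tmUnblock.cgi",
    "/wp-login.php",
    "/CFIDE/administrator",
    "/cgi-bin/test-cgi",
    "/user/soapCaller.bs",
    "/admin.php",
    "/MyAdmin/scripts/setup.php",
    "/phpMyAdmin/scripts/setup.php",
    "/pma/scripts/setup.php",
    "/a2billing/customer/javascript/misc.js",
})

# The php-cgi probe exactly as it appeared in the diary (URL encoded).
PHP_CGI_PROBE = (
    "/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"
    "+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66"
    "+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E"
    "+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22"
    "+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65"
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74"
    "+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30"
    "+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30"
    "+%2D%6E"
)


def cgi_argv(target):
    """Return the argv a CGI server would hand to the script for this request
    target, or None for an ordinary form query.  Per RFC 3875 an 'indexed
    query' (no unencoded '=') is split on '+' and each piece percent-decoded
    into one command-line argument, which is exactly what the probe relies on."""
    query = urlsplit(target).query
    if not query or "=" in query:
        return None
    return [unquote(piece) for piece in query.split("+")]


def ini_overrides(argv):
    """Collect the php.ini directives forced with -d name=value."""
    overrides = {}
    for i, arg in enumerate(argv):
        if arg == "-d" and i + 1 < len(argv) and "=" in argv[i + 1]:
            name, value = argv[i + 1].split("=", 1)
            overrides[name] = value
    return overrides


def classify(target):
    """Label one request target; the detail is the path or the decoded argv."""
    path = urlsplit(target).path
    if PAIR_PATTERN_RE.match(path):
        return "two-letter-pattern", path
    if path in KNOWN_PROBE_PATHS:
        return "known-probe", path
    argv = cgi_argv(target)
    if argv and argv[0].startswith("-"):
        return "php-cgi-argument-injection", argv
    return "benign", path


def scan(log_text):
    """Return (ip, method, label, detail) for every non-benign log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label, detail = classify(m.group("target"))
        if label != "benign":
            hits.append((m.group("ip"), m.group("method"), label, detail))
    return hits


# Constructed sample access log (Common Log Format); not from the diary's honeypot.
# The last line is a deliberate near miss (abb instead of aba) that must not fire.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [18/Jan/2015:10:01:02 +0000] "GET /ewew/ewe/ew.php HTTP/1.1" 404 209',
    '203.0.113.5 - - [18/Jan/2015:10:01:03 +0000] "GET /fcfc/fcf/fc.php HTTP/1.1" 404 209',
    '198.51.100.7 - - [18/Jan/2015:10:02:11 +0000] "POST /tmUnblock.cgi HTTP/1.1" 404 209',
    f'198.51.100.7 - - [18/Jan/2015:10:02:12 +0000] "GET {PHP_CGI_PROBE} HTTP/1.1" 404 209',
    '192.0.2.9 - - [18/Jan/2015:10:03:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '192.0.2.9 - - [18/Jan/2015:10:03:01 +0000] "GET /abab/abb/ab.php HTTP/1.1" 404 209',
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Running the script prints one tuple per flagged line; for the php-cgi probe the detail is the decoded argv, and ini_overrides() turns it into the directive table shown in the decoded form above. The -d overrides are only the setup: the PHP that auto_prepend_file=php://input executes travels in the request body, which an access log does not record, so a honeypot that wants the second stage has to capture request bodies as well.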

[1] https://isc.sans.edu/forums/diary/More+Details+About+TheMoon+Linksys+Worm/17669
[2] https://isc.sans.edu/forums/diary/Strange+wordpress+login+patterns/19191/
[3] http://www.asciitohex.com

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
