
SANS ISC InfoSec Forums (SANS Internet Storm Center): Hello Peppa! - PHP Scans


Hello Peppa! - PHP Scans

In the last few days (27 June on), my honeypot collected from various sources the same eight PHP POSTs to these scripts. Here are the eight scripts it attempts to post to:

20180629-132704: 192.168.25.2:80-47.96.42.91:3216 data "POST /wuwu11.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\nh=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132704: 192.168.25.2:80-47.96.42.91:3255 data "POST /xw.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\nh=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132705: 192.168.25.2:80-47.96.42.91:3533 data "POST /xx.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 47\r\n\r\naxa=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132705: 192.168.25.2:80-47.96.42.91:3609 data "POST /s.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\nleng=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132706: 192.168.25.2:80-47.96.42.91:3625 data "POST /w.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\nleng=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132706: 192.168.25.2:80-47.96.42.91:3707 data "POST /db.init.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\neval=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132707: 192.168.25.2:80-47.96.42.91:3733 data "POST /db_session.init.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\neval=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132707: 192.168.25.2:80-47.96.42.91:3779 data "POST /sheep.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 44\r\n\r\nm=die('Hello, Peppa!'.(string)(111111111*9))"


What is strange about these posts is that the test string is always the same: [..]=die('Hello, Peppa!'.(string)(111111111*9))

Have you seen any of these in your logs?

[1] http://www.honeypots.tk/details?id=W5CKOYAY8PQ3KGAC

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

ISC Handler
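As an added example (not code from the thread or from any honeypot product), a small Python parser for the honeypot line format quoted above: it pulls out the scanning IP, the target script, the form field the payload rides in, and the exact string a script that passed that field to eval() would print back (PHP evaluates 111111111*9 to 999999999, so a successful hit echoes "Hello, Peppa!999999999"), which is the value to search for in web server responses. The sample log lines are constructed in the post's format with documentation IP addresses.

```python
import re
from typing import List, NamedTuple, Optional

class PeppaProbe(NamedTuple):
    src_ip: str    # scanning host
    target: str    # script the POST was aimed at
    param: str     # form field carrying the PHP snippet
    expected: str  # text a script that eval()s that field would send back

# Shape of the thread's test string: <param>=die('<marker>'.(string)(<a>*<b>))
# The leading alternation keeps \w+ from swallowing the "n" of a preceding "\n".
PAYLOAD_RE = re.compile(
    r"(?:^|\\n|\n|&)(?P<param>\w+)=die\('(?P<marker>[^']*)'\.\(string\)\((?P<a>\d+)\*(?P<b>\d+)\)\)")
# Honeypot line layout from the original post: ...-<src_ip>:<port> data "POST <path> HTTP/1.x
LINE_RE = re.compile(
    r'-(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ data "POST (?P<path>\S+) HTTP/1\.[01]')

def parse_probe(line: str) -> Optional[PeppaProbe]:
    """Return a PeppaProbe when the line carries the die()-marker payload, else None."""
    head, body = LINE_RE.search(line), PAYLOAD_RE.search(line)
    if not head or not body:
        return None
    # PHP prints marker + product and exits; that string is the tell-tale in replies.
    expected = body["marker"] + str(int(body["a"]) * int(body["b"]))
    return PeppaProbe(head["src"], head["path"], body["param"], expected)

def hit_confirmed(probe: PeppaProbe, response_body: str) -> bool:
    """True when the server's reply contains exactly what the probe asked PHP to print."""
    return probe.expected in response_body

def scan_log(lines) -> List[PeppaProbe]:
    """Every Peppa-style probe found in the given honeypot lines."""
    return [p for p in (parse_probe(l) for l in lines) if p]

# Constructed sample lines in the post's honeypot format (not copied from the thread).
SAMPLE_LOG = [
    r'''20180629-132704: 192.168.25.2:80-198.51.100.7:3216 data "POST /wuwu11.php HTTP/1.1\r\nHost: 192.0.2.10:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\nh=die('Hello, Peppa!'.(string)(111111111*9));"''',
    r'''20180629-132707: 192.168.25.2:80-198.51.100.7:3779 data "POST /sheep.php HTTP/1.1\r\nHost: 192.0.2.10:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Length: 44\r\n\r\nm=die('Hello, Peppa!'.(string)(111111111*9))"''',
    r'''20180629-132710: 192.168.25.2:80-203.0.113.9:4010 data "GET /index.php HTTP/1.1\r\nHost: 192.0.2.10:80\r\nUser-Agent: Mozilla/5.0\r\n\r\n"''',
]

if __name__ == "__main__":
    for p in scan_log(SAMPLE_LOG):
        print(f"{p.src_ip} -> {p.target} via '{p.param}', a hit would echo {p.expected!r}")
```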
I started seeing the sheep.php and a few others on Friday last week. The Snort box picked it up and alerted on it.
DanielB

I saw these in my logs for both Sunday and Monday.

2018-07-01 17:35:22.655 140.143.13.28 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:23.152 140.143.13.28 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:23.643 140.143.13.28 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:27.121 140.143.13.28 /index.php?db.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:27.606 140.143.13.28 /index.php?db_session.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:28.098 140.143.13.28 /index.php?sheep.php _POST : m: die(\'Hello, Peppa!\'.(string)(111111111*9))
2018-07-01 19:45:17.083 139.199.155.25 /index.php?wuwu11.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:17.552 139.199.155.25 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:17.997 139.199.155.25 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:18.471 139.199.155.25 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:18.931 139.199.155.25 /index.php?w.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:19.390 139.199.155.25 /index.php?db.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:25.678 193.112.187.198 /index.php?wuwu11.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:26.323 193.112.187.198 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:26.985 193.112.187.198 /index.php?wc.php _POST : 1: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:28.458 193.112.187.198 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:29.424 193.112.187.198 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:31.034 193.112.187.198 /index.php?w.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:37.110 193.112.187.198 /index.php?db_session.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:37.794 193.112.187.198 /index.php?sheep.php _POST : m: die(\'Hello, Peppa!\'.(string)(111111111*9))
FireStorm9

Saw this post and checked my honeypot as well and I'm seeing the same thing. I noticed the IPs were mostly from China and then I found this article and wanted to share it:
https://www.cnn.com/2018/05/01/asia/china-peppa-pig-censorship-intl/index.html
Anonymous
I think I found it!

References to the exact same .php files here: https://github.com/jupyterhub/nullauthenticator/issues/2

JupyterHub definition: JupyterHub, a multi-user Hub, spawns, manages, and proxies multiple instances of the single-user Jupyter notebook server.

So I'm guessing there's a known exploit for JupyterHub servers or just the nullauthenticator application.
DanielB

Been observing the same from my WAF. 43 different directories every time.

POST /db.init.php HTTP/1.1

Host:
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

eval=die('Hello, Peppa!'.(string)(111111111*9));
Benchi
