
Can anyone explain this php code injection attack to me?

I've been receiving requests for unexpected URLs on my server.

Specifically one for /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E

This seems to be happening every few hours.

I ran the URL through http://www.url-encode-decode.com/ and it comes out as:

phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n

What is the attacker trying to do here?

Nate B asked Aug 02 '13 04:08


2 Answers

The attacker is trying to make use of CVE-2012-1823; this only applies if your PHP is used in CGI mode (mod_php is not vulnerable to this).

Using -d parameter injection into the PHP binary, the attacker disables various protection mechanisms your PHP might have in place and executes PHP code directly by using auto_prepend_file (which automatically executes PHP code before processing any PHP file), while php://input is a stream of the POST request data.

Unless your web server logging is custom, you probably won't find out what the attacker had in the POST request (POST data is not normally logged).

Check your PHP, e.g. using a script like this:

<?php phpinfo();

The PHP version is on the first line; compare that to the CVE definition. If you're using a vulnerable version, update it ASAP. Also look for the Server API line there: if it does not contain something with CGI you should be safe for the moment, but using an obsolete PHP version is never good.

lukash answered Sep 28 '22 07:09
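As an added example (not part of lukash's answer or of the original page), the following Python script shows how a defender could spot the request pattern from the question in Apache-style access logs. It applies the CGI rule that a query string containing no literal "=" is handed to php-cgi as command-line arguments (which is why the attacker percent-encodes "=" as %3D), decodes the query, and flags the -d overrides and the php://input include source described above. The log lines are constructed samples, and the regex assumes the combined log format; both are assumptions of this example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample access log lines in Apache combined format (not real traffic).
# Line 1 mirrors the encoded request from the question, line 2 is ordinary traffic,
# line 3 is the shorter "-s" option form that the same CVE advisory describes.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Aug/2013:04:08:11 +0000] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Aug/2013:04:09:02 +0000] "GET /index.php?page=home&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Aug/2013:04:09:30 +0000] "GET /cgi-bin/php?-s HTTP/1.1" 200 4400 "-" "curl/7.29"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# php.ini directives that the decoded request in the question overrides with -d.
SENSITIVE_DIRECTIVES = (
    "allow_url_include",
    "auto_prepend_file",
    "disable_functions",
    "open_basedir",
    "safe_mode",
    "suhosin.simulation",
)


def classify_query(raw_query):
    """Return a list of findings for one raw (still percent-encoded) query string."""
    findings = []
    if raw_query is None:
        return findings
    # RFC 3875: a query string with no unencoded '=' is passed to the CGI program
    # as argv. The attacker therefore encodes every '=' so the whole string is
    # treated as php-cgi options rather than as a name=value query.
    argv_style = "=" not in raw_query
    decoded = unquote_plus(raw_query)
    if argv_style and decoded.lstrip().startswith("-"):
        findings.append("php-cgi argv injection (query without '=' decodes to an option)")
    for name in SENSITIVE_DIRECTIVES:
        if f"-d {name}" in decoded or f"-d{name}" in decoded:
            findings.append(f"-d override of {name}")
    if "php://input" in decoded:
        findings.append("php://input used as include source")
    return findings


def scan_log(text):
    """Parse each access log line and return the suspicious ones with decoded details."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, sep, query = m.group("target").partition("?")
        raw_query = query if sep else None
        findings = classify_query(raw_query)
        if findings:
            hits.append({
                "ip": m.group("ip"),
                "path": unquote(path),
                "query": unquote_plus(raw_query),
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["query"])
        for finding in hit["findings"]:
            print("   -", finding)
```

Run against the sample, the first and third lines are reported and the normal index.php request is not. The "no literal '=' in the raw query" rule is the important one: it catches the option-injection shape regardless of which directives are named, so new variants do not need a signature update, while the directive and php://input checks tell you what a given request was trying to change.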


The attacker is trying to update your PHP configuration file (php.ini). allow_url_include and safe_mode are different PHP configuration settings which are important for security, so they are disabled by default.

PravinS answered Sep 28 '22 07:09