[Honeypot Alert] User-Agent Field PHP Injection Attacks

In a previous Honeypot Alert blog post, I showed an example of attackers using LFI attacks to access /proc/self/environ to execute code within the User-Agent field. Our web honeypots have identified more probes of this type. Here is an example capture yesterday:

Screen shot 2013-02-15 at 1.45.08 PM

As outlined in the earlier blog post, by accessing /proc/self/environ, the attacker is able to trick PHP into executing PHP code that is reflected out within the response page. So, what does this PHP code do? After executing the "eval(base64_decode()" function, we get the following:

Screen shot 2013-02-15 at 1.53.26 PM

This code creates a new file called 85b3f33b0eeb14fc6178f8974e8b4f5b.php with more base64_encoded data in it. If we decode that data we can see the file's purpose:

Screen shot 2013-02-15 at 1.56.39 PM
This simple PHP code essentially allows the attacker to send a POST request to this URL and pass base64_encoded commands in a parameter called "data" and have it execute server-side. This is an easy foothold into the web application that the attacker can then expand upon to upload more robust tools for even more flexibility and control.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.