In a previous Honeypot Alert blog post, I showed an example of attackers using LFI attacks to access /proc/self/environ to execute code within the User-Agent field. Our web honeypots have identified more probes of this type. Here is an example capture yesterday:
As outlined in the earlier blog post, by accessing /proc/self/environ, the attacker is able to trick PHP into executing PHP code that is reflected out within the response page. So, what does this PHP code do? After executing the "eval(base64_decode()" function, we get the following:
This code creates a new file called 85b3f33b0eeb14fc6178f8974e8b4f5b.php with more base64_encoded data in it. If we decode that data we can see the file's purpose:
This simple PHP code essentially allows the attacker to send a POST request to this URL and pass base64_encoded commands in a parameter called "data" and have it execute server-side. This is an easy foothold into the web application that the attacker can then expand upon to upload more robust tools for even more flexibility and control.