This past month, we've seen some new and different scans targeting TCP ports between 8000 and 10,000. The first occurrence was on 30 April 2020 and originated from IP address 23.95.67.187, containing the payload: \x01\x01\0\x01\0\b\0\0\0\x01\0\0\0\0\0\0
After this initial scan, the next similar scans used a different IP address (45.14.224.248), but within 5 hours of the first occurrence we received a different payload: \x01\x01\0\x01\0\b\0\0\0\x01\0\0\0\0\0\0\x01\x04\0\x01\x02\xdb\x05\0\t\x80\0\x02wPHP_VALUEallow_url_include=1\nallow_url_fopen=1\nauto_prepend_file=\'data://text/plain;base64,PD9waHAgaWYoZnVuY3Rpb25fZXhpc3RzKCdlcnJvcl9yZXBvcnRpbmcnKSl7QGVycm9yX3JlcG9ydGluZygwKTt9aWYoZnV
It is clear that the payload is trying to exploit something PHP related, but it was not immediately obvious what service was being targeted. After Googling around for a while, I could identify the payload as targeting FastCGI. FastCGI can run over both Unix sockets (named pipes on Windows) and TCP sockets. Apparently they are scanning for publicly reachable, incorrectly configured FastCGI sockets. Now that we know what to look at, we can dive into the source code of FastCGI to validate the protocol being used. The FastCGI code can be found in the PHP repository. Looking at the source code (https://github.com/php/php-src/blob/master/main/fastcgi.c#L1044, function fcgi_read_request), we can recognise the header and structure being used. E.g. the first header contains the FCGI_BEGIN_REQUEST type, with the FCGI_RESPONDER role. The following header is of type FCGI_PARAMS, with several variables being defined.
Next, it sends another FCGI_PARAMS record to mark the end of the parameters, followed by a header of type FCGI_STDIN. The PHP_VALUE variable consists of PHP directives that cause the base64-encoded script to be automatically parsed before the main file (https://www.php.net/manual/en/ini.core.php).
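As an added example (not code from the diary, from php-src or from any scanner), here is a small Python triage script that decodes the record layout described above, tolerates a truncated capture, and flags the PHP_VALUE directives a honeypot operator would want to alert on; the sample bytes are constructed from the two payloads quoted in the diary.

```python
import struct
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_RESPONDER = 1, 4, 1  # record types and role, as in php-src fastcgi.h
SUSPICIOUS_DIRECTIVES = ("auto_prepend_file", "allow_url_include", "allow_url_fopen")  # let PHP_VALUE inject code
# Constructed from the two payloads quoted in the diary (the second is truncated, exactly as captured)
SCAN_1 = b"\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
SCAN_2 = SCAN_1 + (b"\x01\x04\x00\x01\x02\xdb\x05\x00\t\x80\x00\x02wPHP_VALUEallow_url_include=1\nallow_url_fopen=1\n"
                   b"auto_prepend_file='data://text/plain;base64,PD9waHAgaWYoZnVuY3Rpb25fZXhpc3RzKCdlcnJvcl9yZXBvcnRpbmcnKSl7QGVycm9yX3JlcG9ydGluZygwKTt9aWYoZnV")

def read_nv_len(buf, pos):
    """Name/value length: one byte if < 128, else four bytes big-endian with the top bit set."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    return struct.unpack(">I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4

def parse_records(data):
    """Split a stream into FastCGI records; a truncated last record keeps the bytes that were captured."""
    records, pos = [], 0
    while pos + 8 <= len(data):  # 8-byte header: version, type, request id, content len, padding len, reserved
        _ver, rtype, req_id, clen, plen, _ = struct.unpack(">BBHHBB", data[pos:pos + 8])
        content = data[pos + 8:pos + 8 + clen]
        records.append({"type": rtype, "request_id": req_id, "declared_len": clen,
                        "content": content, "truncated": len(content) < clen})
        pos += 8 + clen + plen
    return records

def parse_params(content):
    """Decode FCGI_PARAMS name-value pairs, stopping at the first pair whose length bytes are missing."""
    params, pos = {}, 0
    while pos < len(content):
        try:
            nlen, pos = read_nv_len(content, pos)
            vlen, pos = read_nv_len(content, pos)
        except (IndexError, struct.error):
            break
        params[content[pos:pos + nlen].decode("latin-1")] = content[pos + nlen:pos + nlen + vlen].decode("latin-1")
        pos += nlen + vlen
    return params

def analyse(data):
    """Triage a captured stream: is it a responder request, and does PHP_VALUE carry dangerous directives?"""
    result, params = {"responder": False, "php_value": None, "flagged": []}, {}
    for rec in parse_records(data):
        if rec["type"] == FCGI_BEGIN_REQUEST and len(rec["content"]) >= 2:
            result["responder"] = struct.unpack(">H", rec["content"][:2])[0] == FCGI_RESPONDER
        elif rec["type"] == FCGI_PARAMS:  # merge all PARAMS records, including the empty terminator
            params.update(parse_params(rec["content"]))
    result["php_value"] = params.get("PHP_VALUE")
    result["flagged"] = [d for d in SUSPICIOUS_DIRECTIVES if d in (result["php_value"] or "")]
    return result
```

Running `analyse(SCAN_2)` reports a responder request whose PHP_VALUE is flagged on all three directives, even though the capture stops inside the 731-byte FCGI_PARAMS record.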
After setting up some configuration to prevent error reporting and error logging, it validates whether the code is being executed with the script name set to /usr/bin/phar.phar. If this is the case, a non-browser-visible element (hidden by CSS) is returned, containing the MD5 hash of lohpidr, which results in the hash 58d4c1968bd824ac7ac95da61a462919.

IOCs:

Please share your ideas, comments and/or insights with me via social media, @remco_verhoef, or email, remco.verhoef at dutchsec dot com. Have a great day!

Remco Verhoef (@remco_verhoef)
Remco, ISC Handler, Jun 5th 2020

Anonymous, Jun 5th 2020:
good one, Remco.

Remco, ISC Handler, Jun 5th 2020:
Thanks!