Cyber-Investigations: The Case of the Command-Injection Attack
As a consulting analyst, I focus on security architecture and strategic planning, not day-to-day operations. But people know that if you meet a security expert at a dinner party you can probably get him to investigate that strange phishing email you just got, or in this case, an anomaly in your web server log.
Ava runs a web server and, unlike some admins, seems meticulous about checking her logs. She wrote:
“I have some logs which my server generates and one is called localhost_access_log.2013-11-29 (obviously, the date changes). I found some junk in the log today I’ve never seen before. It appears to be a robot trying to access. It doesn’t look like they succeeded, but, do you think something like this could be harmful? Here’s what it says:
[actual IP ADDRESS] – – [29/Nov/2013:06:36:59 00] “POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1” 404 701
Consequently, I ended up doing a bit of cyber-investigation for fun and this is the gist of what I wrote back to Ava.
“The same message – about something trying to post PHP script or code to the CGI BIN executables directory – showed up three times in your log. I judge it is either a misdirected command from somewhere, or an attempt at a command injection attack. But considering you told me the server doesn’t use CGI BIN, not a well-targeted one.
I didn’t have access to the machine, but I tried a couple things. I googled “where is [the actual IP ADDRESS]” and up came the whois data, which I read. The possible attack came from Vietnam. I didn’t dig any deeper but you could try emailing the admin contact for the host’s domain or do further searches on the domain reputation. Trying for any kind of attribution at this point is probably not a productive approach, however, especially since that host could have just been a staging point used to cover the real attacker’s tracks and it would be hard to trace back.
Next I tried to decode the data. I googled “hex code conversion utility” and found this site: rishida.net/tools/conversion/. I pasted the encoded characters from the log. The conversion tool decoded it as follows:
POST /cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=””+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n HTTP/1.1” 404 701
I don’t know PHP, so I can’t say exactly what that means beyond that the remote process is trying to create a file on your server in the CGI BIN directory.
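The decoding step above, carried through in code as an added example (this is not from the original post or from any tool it mentions). It parses an access log line in the Common Log Format that Tomcat’s localhost_access_log uses, percent-decodes the query string, splits it into the -d directives php-cgi would have received, and flags the ones that switch off PHP’s own safeguards. The sample log is constructed: it reuses the encoded query from Ava’s entry behind a placeholder client address (203.0.113.7) and adds one ordinary request for contrast; the timezone and the second line are assumptions.

```python
"""Decode and triage a php-cgi argument-injection request found in an access log."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample in the Common Log Format that Tomcat's localhost_access_log uses.
# Line 1 carries the percent-encoded query from the post behind a documentation-range
# client address (203.0.113.7, a placeholder); line 2 is an ordinary request for contrast.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Nov/2013:06:36:59 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 701
203.0.113.8 - - [29/Nov/2013:06:37:02 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# php.ini settings that, pushed in through -d, switch off PHP's own safeguards.
# directive -> (value that is dangerous, why it matters)
RISKY_DIRECTIVES = {
    "auto_prepend_file": ("php://input", "runs the raw POST body as PHP before any script"),
    "allow_url_include": ("on", "lets include/require load code from URLs and streams"),
    "safe_mode": ("off", "turns off PHP safe mode"),
    "open_basedir": ("none", "removes the filesystem sandbox"),
    "disable_functions": ("", "re-enables every function the admin had disabled"),
    "cgi.force_redirect": ("0", "lets php-cgi run without the web-server redirect check"),
    "suhosin.simulation": ("on", "puts the Suhosin hardening patch into log-only mode"),
}


def parse_clf(line):
    """Split one Common Log Format line into named fields; None if it does not match."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def php_cgi_args(target):
    """Decode a request target's query string as php-cgi command-line tokens.

    Returns (directives, flags): directives maps php.ini keys to the values supplied
    with -d, flags keeps bare switches such as -n (start without any php.ini).
    """
    tokens = unquote_plus(urlsplit(target).query).split()
    directives, flags = {}, []
    i = 0
    while i < len(tokens):
        if tokens[i] == "-d" and i + 1 < len(tokens):
            key, _, value = tokens[i + 1].partition("=")
            directives[key] = value.strip('"')  # %22%22 decodes to an empty quoted value
            i += 2
            continue
        if tokens[i].startswith("-"):
            flags.append(tokens[i])
        i += 1
    return directives, flags


def triage(line):
    """Report on one log line, or None when it carries no php-cgi style arguments."""
    fields = parse_clf(line)
    if fields is None:
        return None
    directives, flags = php_cgi_args(fields["target"])
    if not directives and not flags:
        return None
    findings = []
    for key, (bad_value, why) in RISKY_DIRECTIVES.items():
        if key in directives and directives[key].lower() == bad_value:
            shown = directives[key] or '""'
            findings.append(f"{key}={shown}: {why}")
    status = int(fields["status"])
    return {
        "client": fields["client"],
        "time": fields["time"],
        "path": urlsplit(fields["target"]).path,
        "status": status,
        "decoded": unquote_plus(urlsplit(fields["target"]).query),
        "directives": directives,
        "flags": flags,
        "findings": findings,
        # A 404, as in Ava's log, means nothing at that path took the request: the
        # injected arguments never reached a PHP interpreter.
        "handler_found": status != 404,
    }


def scan(log_text):
    """Run triage over every line of an access log and keep only the hits."""
    return [hit for hit in (triage(line) for line in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']} {hit['time']} {hit['path']} -> HTTP {hit['status']}")
        print("  decoded:", hit["decoded"])
        for finding in hit["findings"]:
            print("  !", finding)
```

Run it against a real localhost_access_log by passing the file contents to scan(); each hit lists the client, the decoded php-cgi arguments, which safeguards the request tried to disable, and whether the server had anything at that path to hand the request to. The two directives that matter most are auto_prepend_file=php://input together with allow_url_include=on: between them they ask PHP to execute whatever the POST body contains, which is why the same client sending the request several times is worth noticing even when every attempt got a 404.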
I went to owasp.org (a site with lots of info on web attacks) and ran a search on “PHP attacks.” Many things came up, including references to SQL injection, cross-site request forgery… that didn’t narrow things down at all.
But poking around I found a dictionary of attacks and concluded that if our little script was an attack, it was probably either a log injection, or a command injection attack.
If we wanted to analyze it further, we could still do a few things:
Join OWASP at http://owasp.org/index.php/Membership, get involved in a local chapter and ask people about this script.
Welcome to the murky and unsatisfying world of cyber-investigations, most of which are never resolved. If cyber-investigations were a full-time or part-time job for me, I’d have to join some forums and look for better tools to analyze indicators of compromise and people to talk to.
But if you just want to move on from this, yes, your server is probably okay since it didn’t even have a CGI BIN directory. However, sometimes hackers use a tool like Metasploit, which can machine-gun fire many different exploits at a server looking for one open vulnerability. There may be other network logs you need to look at, or some diagnostics to run (like these) to see if the machine’s been compromised.
And it never hurts to run some extra security and vulnerability scans, using utilities like Malwarebytes and different anti-virus tools, or Secunia to scan your system for vulnerabilities, as I suggested last time we talked…”