Search This Blog

Showing posts with label PHP. Show all posts

Attackers Exploiting Bugs in PHP7 to Hijack Web Servers


Last week, Russia-based security researcher Emil 'Neex Lerner has discovered a remote code execution vulnerability in the PHP bug tracker - classified as the CVE-2019-11043. The vulnerability allows the attackers to gain control of servers running PHP7 with NGINX and the PHP-FPM extension, simply by adding "?a=" to the URL of the website. Evidence shows that this critical PHP issue is being actively exploited by the threat actors.

Reportedly, the vulnerability did not affect all the PHP-capable servers, only NGINX servers with PHP-FPM enabled are exposed to the risk. The FPM is the PHP-FPM module which is employed for the purpose of performance enhancement and the vulnerability which lets a remote net server to execute its own arbitrary code simply by accessing a specially designed URL, resides in env_path_info in the file fpm_main.c of the FPM component.

PHP (Hypertext pre-processor) is a wide-open source general-purpose scripting language that is used in the development of Static websites, Dynamic websites or Web applications. It is one of the most common programming languages used to build websites and is focused on server-side scripting. It forms the basis for content management systems such as Wordpress and also (in a way) for more sophisticated applications like Facebook. Therefore, to realize a security vulnerability inside it remains a great deal for security researchers.

Experts believe that this security vulnerability has all the right boxes checked for marking the beginning of a storm in the cybersecurity world, it doesn't only expose to risk multiple environments but also makes it extremely convenient for attackers to exploit the vulnerability. Although one can argue that patches are available for users as a safeguard against the vulnerability, not everyone is equally updated with the workarounds.

The barricades to enter the website for hacking has been radically lowered by this vulnerability, so much so that even people from nontechnical background could potentially abuse it, according to ZDNet.

Satnam Narang, Senior Security Response Manager at Tenable, explains that "The PoC script included in the GitHub repository can query a target webserver to identify whether or not it is vulnerable by sending specially crafted requests,"

"Once a vulnerable target has been identified, attackers can send specially crafted requests by appending '?a=' in the URL to a vulnerable web server," adds Narang.

Malware Alert: Mirai Alias Miori Is Being Dispensed Via RCE Exploits




To add on to the latest list of raging malware, the cyber-cons decided on changing names of some older ones.

Malware Mirai, is now being dispensed by the name of Miori, by way of malicious remote code execution exploits.


The Mirai Malware has a really solid history of wreaking havoc by executing DDOS (Distributed Denial of Service) attacks on various platforms among IoT devices.


The botnet in question has previously executed some truly jeopardizing DDOS attacks and has been the culprit for computer fraud and abuse.


The malware would need to function equally well on different architectures in order to run on cross-platforms.


Now, Miori can easily exploit internet connected devices by abusing their vulnerabilities. The smart devices are always on the radar for this malware.


The above-mentioned malware is being dispensed through Remote Code Execution vulnerability in the PHP structure of the name ThinkPHP. The exploit especially has targeted, versions previous to 5.0.23 and 5.1.31.


 The security researchers who are on to the malware, have alluded that the rate of infection is increasing in the case of ThinkPHP RCE in smart devices.


Numerous other Mirai malware which exploit the ThinkPHP RCE vulnerability are also being dispensed.


Researchers also confirmed that a Linux device was made to perform the DDOS attack because of the infection dispensed via other connected devices as the default credentials got reset through a telnet.


Reportedly, Miori is merely a subdivision which the cyber-cons use to fabricate vulnerable devices via Thinkpad RCE.


The malware variant could be downloaded from the following command and control server. Hxxp://144[.]202[.]49[.]126/php


Once the malware is executed a console gets generated which switches the Telnet on, to brute force other IP addresses.


On the port 42352 (TCP/UDP) the C&C server keeps a check to receive further commands.


The configuration table, of the Miori malware was de-crypted by researchers, which was instated in its binary strings.


The username passwords and other credentials which were used by the malware were also found out by the researchers as they were fairly easy to speculate.


A scrutinized look resulted in the discovery of two URLs that were employed by the two variants of Mirai, namely APEP and IZIH9. Both were employing the same string  anti-obfuscation procedure as Miarai and Miori.


APEP also spreads by exploiting CVE-2017-17215 which encompasses of one other RCE vulnerability which can seriously affect router devices.