
Hack of the Week: Episode 3: Unknown probe

Yes, I know. It has not been weekly. Since I last posted a lot of script kiddies populated my logs but not with anything all that interesting. Until today.

Date: 2017-05-11T03:10:07+00:00
Source IP: 188.138.105.84
Destination URIs: /wp-content/uploads/index.php
Method: GET
Params: php5=print%28md5%28wp%29%29

Source IP

A quick look at WhoIsXmlApi reveals the attacking server to be in Ukraine, possibly managed by hosteurope.de.

Destination URIs

The particular endpoint being scanned suggests a preference for WordPress servers. Because the probe looks in the uploads folder, some other vector may already have dropped a file there. A couple of other servers saw the same probe against /wp-content/ and /wp-content/themes/.

Method

The standard GET call, with everything passed in the URL parameters, is certainly not hiding much.

Params

php5: Hopefully your hosting provider has updated to PHP 7 by now, but here's hoping. Regardless, the call is looking for a script that reads the $_GET['php5'] parameter.

Payload

print(md5(wp)): The payload appears to be a simple fingerprint check for an existing file on your system. If such a file is present, one could assume the page would display b6ddd84a9cc636257258701ca934e763. There are plenty of websites that can reverse that hash back to wp.

Apache Logs

Thanks to Google's cache we can get a little more info. Whoever this is, they are modifying their User-Agent string so that the request appears to be a legitimate call. How do I know? Look at this log line:

188.138.105.23 - - [27/Apr/2017:12:56:04 -0700] "GET /wp-content/index.php?php5=print(md5(wp)) HTTP/1.1" 404 - "-" "Mozilla/5.0 (WordPress.com; http://support.wordpress.com/contact)"

Yeah, I didn’t think WordPress corporate scanned from Ukraine either.
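As an added detection example (my code, not from the original post), the script below parses Apache combined-format lines like the one above and flags requests that carry the php5 parameter, the print(md5(...)) payload, or both, noting when the User-Agent claims WordPress.com and when the server answered 200 rather than 404. The first sample line is the post's own log line; the other two sample lines, the scoring heuristics and the 200-status note are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, the same layout as the line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The probe payload from the post, print(md5(<word>)), with the word quoted or bare.
FINGERPRINT_RE = re.compile(
    r"^\s*print\s*\(\s*md5\s*\(\s*['\"]?(?P<word>\w+)['\"]?\s*\)\s*\)\s*;?\s*$"
)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons a request looks like the php5/md5 probe ([] if none)."""
    reasons = []
    params = parse_qs(urlsplit(entry['target']).query, keep_blank_values=True)  # %-decodes too
    if 'php5' in params:
        reasons.append('php5 parameter present')
    for name, values in params.items():
        if any(FINGERPRINT_RE.match(v) for v in values):
            reasons.append(f'md5 fingerprint payload in "{name}"')
    if reasons and 'wordpress.com' in entry['ua'].lower():
        reasons.append('user-agent claims WordPress.com')
    if reasons and entry['status'] == '200':
        reasons.append('served 200: check whether a file actually answered the probe')
    return reasons

def scan(lines):
    """Return (ip, target, status, reasons) for every line that matches the probe."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            hits.append((entry['ip'], entry['target'], entry['status'], reasons))
    return hits

# Constructed sample: the first line is the one quoted in the post, the other two are made up.
SAMPLE_LOG = [
    '188.138.105.23 - - [27/Apr/2017:12:56:04 -0700] "GET /wp-content/index.php?php5=print(md5(wp)) HTTP/1.1" 404 - "-" "Mozilla/5.0 (WordPress.com; http://support.wordpress.com/contact)"',
    '188.138.105.84 - - [11/May/2017:03:10:07 +0000] "GET /wp-content/uploads/index.php?php5=print%28md5%28wp%29%29 HTTP/1.1" 200 32 "-" "Mozilla/5.0 (WordPress.com; http://support.wordpress.com/contact)"',
    '203.0.113.7 - - [11/May/2017:03:11:42 +0000] "GET /wp-content/uploads/2017/05/photo.jpg HTTP/1.1" 200 48211 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/53.0"',
]
if __name__ == '__main__':
    for ip, target, status, reasons in scan(SAMPLE_LOG):
        print(ip, status, target, '|', '; '.join(reasons))
```

A 404 only tells you the probe found nothing; the line worth chasing is a 200 on such a request, which means some file under wp-content answered it.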

Analysis

Here is where things get interesting. A Google search for php5 "print(md5(wp))" produces only 7 results right now, the earliest of which is from April 27, 2017, and none of them are from exploit monitoring databases. Usually there are plenty of hits on ExploitDB and the like.

The calls seem to be coming from only 2 IP addresses, 188.138.105.84 and 188.138.105.23. A couple of the results indicate they are known to be scanning for other exploits, but are not necessarily part of any botnet.

Conclusion

Perhaps we have something new here. Somewhere out there is a script that uses the php5 parameter to execute whatever code it is passed. Time to check all my plugins…

Fun fact: if people were not using easily hackable minishells, this would be even harder to track down.