Security Incidents mailing list archives

Possible PHP worm?


From: Mark Ng <secfocus () markng co uk>
Date: Mon, 9 Sep 2002 15:15:16 +0100

Hi all,

I have reason to believe that there may be a worm checking for PHP 
vulnerabilities. Below follows my reasoning; I'd like to see whether 
anybody else has seen the following. I've checked the archives and not noticed 
anything similar.

The server that these logs are captured from was running a vulnerable version 
of PHP (4.0.4) (I'm not responsible for these servers, so it's not my fault 
that it was running this version ;) ), however, it is not running any PHP 
scripts, so I believe it isn't vulnerable to the vulnerability that 4.0.4 is 
subject to (I'm about to go to the hosting facility this machine is based in 
to run read-only media on the machine to ascertain if it has been 
compromised).

Another server in the same subnet received the HEAD request but not the 
subsequent index.php POST requests (this server is not running PHP at all). 
I would think that the HEAD request checks whether or not the host is running 
a vulnerable version of PHP via the headers and uses this information to 
decide whether to run exploit code.

The server that appears to have attacked this host is running a vulnerable 
version of PHP - and has php scripts on it.  It also is in the same /16 and 
same ISP (though the machine does not belong to us).  The log has been 
sanitised to protect all parties involved.



x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "HEAD / HTTP/1.1" 200 0 "-" "-" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.php" "Mozilla/4.0 (compatibl

Has anyone else seen this or similar activity?

Regards,


Mark Ng
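The pattern described in the post (a single HEAD / probe from one client, immediately followed by a burst of POST /index.php requests) is easy to pick out of an Apache combined-format log. The following is an added detection example written for this archive page; it is not code from the original post or from Mark Ng. The log lines it runs over are constructed to mirror the sanitised entries above (one probing host, plus benign and out-of-window hosts that must not be flagged), and the 60-second window and three-POST threshold are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, Apache combined format, modelled on the post's sanitised log.
# x.x.166.111 shows the probe-then-burst pattern; the other hosts are controls.
SAMPLE_LOG = """\
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "HEAD / HTTP/1.1" 200 0 "-" "-" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:16 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:17 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:17 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.166.111 - - [09/Sep/2002:05:35:17 +0200] "POST /index.php HTTP/1.1" 404 1281 "http://x.x.164.43/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "-"
x.x.10.20 - - [09/Sep/2002:05:36:01 +0200] "GET / HTTP/1.1" 200 4512 "-" "Mozilla/5.0 (constructed)" "-"
x.x.10.20 - - [09/Sep/2002:05:36:05 +0200] "POST /index.php HTTP/1.1" 404 1281 "-" "Mozilla/5.0 (constructed)" "-"
x.x.50.5 - - [09/Sep/2002:05:40:00 +0200] "HEAD / HTTP/1.1" 200 0 "-" "-" "-"
x.x.50.5 - - [09/Sep/2002:05:42:30 +0200] "POST /index.php HTTP/1.1" 404 1281 "-" "-" "-"
x.x.50.5 - - [09/Sep/2002:05:42:31 +0200] "POST /index.php HTTP/1.1" 404 1281 "-" "-" "-"
x.x.50.5 - - [09/Sep/2002:05:42:32 +0200] "POST /index.php HTTP/1.1" 404 1281 "-" "-" "-"
x.x.77.8 - - [09/Sep/2002:05:45:00 +0200] "HEAD / HTTP/1.1" 200 0 "-" "-" "-"
"""

# Combined log format: host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_probe_bursts(lines, window=timedelta(seconds=60), min_posts=3,
                      probe_path="/", target_path="/index.php"):
    """Flag hosts that send HEAD <probe_path> and then at least `min_posts`
    POST <target_path> requests within `window`. Thresholds are assumptions."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_host[rec["host"]].append(rec)

    findings = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["time"])
        for i, r in enumerate(recs):
            if not (r["method"] == "HEAD" and r["path"] == probe_path):
                continue
            deadline = r["time"] + window
            posts = [p for p in recs[i + 1:]
                     if p["time"] <= deadline
                     and p["method"] == "POST" and p["path"] == target_path]
            if len(posts) >= min_posts:
                findings.append({
                    "host": host,
                    "probe_time": r["time"].isoformat(),
                    "post_count": len(posts),
                    # POSTs answered below 400 mean the target script exists;
                    # 404s (as in the post) mean the attempt hit nothing.
                    "posts_accepted": sum(1 for p in posts if p["status"] < 400),
                    "referers": sorted({p["referer"] for p in posts}),
                })
    return findings


if __name__ == "__main__":
    for f in find_probe_bursts(SAMPLE_LOG.splitlines()):
        print(f)
```

With the default window only x.x.166.111 is reported; x.x.50.5 posts two and a half minutes after its probe and is only flagged if the window is widened. The `posts_accepted` count is the triage field: all 404s, as in the post's log, means no script was there to hit, while any 2xx/3xx on the POSTs is the case that warrants pulling the host for a closer look.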


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

