A vulnerability that allows attackers to take control of websites running older versions of the PHP scripting language continues to threaten the Internet almost two years after security researchers first warned that attackers could use it to remotely execute malicious code on vulnerable servers.
As Ars reported 22 months ago, the code-execution exploits worked against PHP sites only when they ran in common gateway interface mode, a condition that applied by default to those running the Apache Web server. According to a blog post published Tuesday, CVE-2012-1823, as the vulnerability is formally indexed, remains under attack today by automated scripts that scour the Internet in search of sites that are susceptible to the attack. The sighting of in-the-wild exploits even after the availability of security patches underscores the reluctance of many sites to upgrade.
"One of the interesting points is that despite the fact that this vulnerability is somewhat dated, cybercriminals are still using it, understanding that a major part of the install base of PHP does not update on a regular basis—creating the window of opportunity," Nadav Avital, Barry Shteiman, and Amichai Shulman, who are researchers with security firm Imperva, wrote. "A surprising fact is that even today, this vulnerability can be used successfully as companies don't take the appropriate measures to secure their servers."
Catching flies with honey
The researchers based their assessment on results of a vulnerable "honeypot" server they set up to see if it would be subjected to the PHP attacks. They counted 324 separate IP addresses that subjected their test server to exploits. The attacks used highly obfuscated code to conceal the attack. When reconstructed into a human-readable format, the scripts were found to download malicious executable files from a remote server, run it, and then remove it from the server to hide evidence of the compromise.
Loading comments...
