Hello Peppa! - PHP Scans
In the last few days (27 June on), my honeypot collected the same eight PHP POST requests from various sources. Here are the eight scripts they attempt to post to:
20180629-132704: 192.168.25.2:80-47.96.42.91:3216 data "POST /wuwu11.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\nh=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132704: 192.168.25.2:80-47.96.42.91:3255 data "POST /xw.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\nh=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132705: 192.168.25.2:80-47.96.42.91:3533 data "POST /xx.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 47\r\n\r\naxa=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132705: 192.168.25.2:80-47.96.42.91:3609 data "POST /s.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\nleng=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132706: 192.168.25.2:80-47.96.42.91:3625 data "POST /w.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\nleng=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132706: 192.168.25.2:80-47.96.42.91:3707 data "POST /db.init.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\neval=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132707: 192.168.25.2:80-47.96.42.91:3733 data "POST /db_session.init.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\neval=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132707: 192.168.25.2:80-47.96.42.91:3779 data "POST /sheep.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 44\r\n\r\nm=die('Hello, Peppa!'.(string)(111111111*9))"
What is strange about these posts is that the test string is always the same: [..]=die('Hello, Peppa!'.(string)(111111111*9))
Have you seen any of these in your logs?
[1] http://www.honeypots.tk/details?id=W5CKOYAY8PQ3KGAC
-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
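To answer the diary's closing question against your own data, the following added example (not part of the original diary or its comments) scans log lines in the honeypot format shown above for the test string and groups the probed script and parameter names by source. The log layout is assumed to match the lines above, the sample lines are constructed with documentation IP ranges, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Honeypot line: <timestamp>: <local>-<remote ip>:<port> data "<escaped request>"
LINE_RE = re.compile(r'^(?P<ts>\d{8}-\d{6}): \S+-(?P<src>[\d.]+):\d+ data "(?P<req>.*)"$')
# The test string from the diary; \\? tolerates the \' escaping seen in some logs.
PROBE_RE = re.compile(r"die\(\\?'Hello, Peppa!\\?'\.\(string\)\(111111111\*9\)\)")
# Inference from PHP semantics: if evaluated, die() prints this (111111111*9 = 999999999).
RESPONSE_MARKER = "Hello, Peppa!999999999"

# Constructed sample in the honeypot's format (documentation IP ranges, not real sources).
SAMPLE_LOG = r'''
20180629-132704: 192.0.2.10:80-198.51.100.7:3216 data "POST /wuwu11.php HTTP/1.1\r\nHost: 192.0.2.10:80\r\nContent-Length: 45\r\n\r\nh=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132706: 192.0.2.10:80-198.51.100.7:3707 data "POST /db.init.php HTTP/1.1\r\nHost: 192.0.2.10:80\r\nContent-Length: 48\r\n\r\neval=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132707: 192.0.2.10:80-198.51.100.7:3779 data "POST /sheep.php HTTP/1.1\r\nHost: 192.0.2.10:80\r\nContent-Length: 44\r\n\r\nm=die('Hello, Peppa!'.(string)(111111111*9))"
20180629-140000: 192.0.2.10:80-203.0.113.5:4000 data "POST /login.php HTTP/1.1\r\nHost: 192.0.2.10:80\r\nContent-Length: 18\r\n\r\nuser=bob&pass=test"
'''

def find_probes(log_text):
    """Return one dict per POST whose body carries the 'Hello, Peppa!' test string."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # The log stores CR/LF as literal backslash sequences, so split on those.
        head, _, body = m["req"].partition(r"\r\n\r\n")
        parts = head.split(r"\r\n")[0].split()
        if len(parts) != 3 or parts[0] != "POST":
            continue
        param, _, value = body.partition("=")
        if PROBE_RE.search(unquote_plus(value)):
            hits.append({"ts": m["ts"], "src": m["src"], "path": parts[1], "param": param})
    return hits

def by_source(hits):
    """Group (path, parameter) pairs per source IP to see which names each scanner tried."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["src"], []).append((h["path"], h["param"]))
    return grouped

def response_shows_execution(body):
    return RESPONSE_MARKER in body  # True means a posted parameter reached PHP evaluation

if __name__ == "__main__":
    for src, pairs in by_source(find_probes(SAMPLE_LOG)).items():
        print(src, pairs)
```

A request that matches is only a probe; a response body containing the marker means the host already evaluates attacker-supplied PHP and should be treated as compromised.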
Comments
Anonymous
Jul 2nd 2018
2018-07-01 17:35:22.655 140.143.13.28 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:23.152 140.143.13.28 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:23.643 140.143.13.28 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:27.121 140.143.13.28 /index.php?db.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:27.606 140.143.13.28 /index.php?db_session.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:28.098 140.143.13.28 /index.php?sheep.php _POST : m: die(\'Hello, Peppa!\'.(string)(111111111*9))
2018-07-01 19:45:17.083 139.199.155.25 /index.php?wuwu11.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:17.552 139.199.155.25 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:17.997 139.199.155.25 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:18.471 139.199.155.25 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:18.931 139.199.155.25 /index.php?w.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:19.390 139.199.155.25 /index.php?db.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:25.678 193.112.187.198 /index.php?wuwu11.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:26.323 193.112.187.198 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:26.985 193.112.187.198 /index.php?wc.php _POST : 1: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:28.458 193.112.187.198 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:29.424 193.112.187.198 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:31.034 193.112.187.198 /index.php?w.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:37.110 193.112.187.198 /index.php?db_session.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:37.794 193.112.187.198 /index.php?sheep.php _POST : m: die(\'Hello, Peppa!\'.(string)(111111111*9))
Anonymous
Jul 2nd 2018
https://www.cnn.com/2018/05/01/asia/china-peppa-pig-censorship-intl/index.html
Anonymous
Jul 2nd 2018
References to the exact same .php files here: https://github.com/jupyterhub/nullauthenticator/issues/2
Jupyterhub definition: JupyterHub, a multi-user Hub, spawns, manages, and proxies multiple instances of the single-user Jupyter notebook server.
So I'm guessing there's a known exploit for JupyterHub servers or just the nullauthenticator application.
Anonymous
Jul 3rd 2018
POST /db.init.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));