Hello Peppa! - PHP Scans

Hello Peppa! - PHP Scans
In the last few days (27 June on), my honeypot collected from various sources the same eight PHP POST to these scripts. Here are the eight scripts it attempts to post to: 20180629-132704: 192.168.25.2:80-47.96.42.91:3216 data "POST /wuwu11.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\nh=die('Hello, Peppa!'.(string)(1111111119));" 20180629-132704: 192.168.25.2:80-47.96.42.91:3255 data "POST /xw.php* HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\nh=die('Hello, Peppa!'.(string)(1111111119));" 20180629-132705: 192.168.25.2:80-47.96.42.91:3533 data "POST /xx.php* HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 47\r\n\r\naxa=die('Hello, Peppa!'.(string)(1111111119));" 20180629-132705: 192.168.25.2:80-47.96.42.91:3609 data "POST /s.php* HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\nleng=die('Hello, Peppa!'.(string)(1111111119));" 20180629-132706: 192.168.25.2:80-47.96.42.91:3625 data "POST /w.php* HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\nleng=die('Hello, Peppa!'.(string)(1111111119));" 20180629-132706: 192.168.25.2:80-47.96.42.91:3707 data "POST /db.init.php* HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\neval=die('Hello, Peppa!'.(string)(1111111119));" 20180629-132707: 192.168.25.2:80-47.96.42.91:3733 data "POST /db_session.init.php* HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\neval=die('Hello, Peppa!'.(string)(1111111119));" 20180629-132707: 192.168.25.2:80-47.96.42.91:3779 data "POST /sheep.php* HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 44\r\n\r\nm=die('Hello, Peppa!'.(string)(1111111119))" What is strange about these post, the test string is always the same [..]=die('Hello, Peppa!'.(string)(1111111119))" Have you seen any of these in your logs? [1] http://www.honeypots.tk/details?id=W5CKOYAY8PQ3KGAC ----------- Guy Bruneau IPSS Inc. Twitter: GuyBruneau gbruneau at isc dot sans dot edu	Guy 506 Posts ISC Handler Jul 2nd 2018
Thread locked Subscribe	Jul 2nd 2018 3 years ago
I started seeing the sheep.php and a few others on Friday last week. The snort box picked it up and alerted on it.	DanielB 4 Posts
Quote	Jul 2nd 2018 3 years ago
I saw these in my logs for both Sunday and Monday. 2018-07-01 17:35:22.655 140.143.13.28 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-01 17:35:23.152 140.143.13.28 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-01 17:35:23.643 140.143.13.28 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-01 17:35:27.121 140.143.13.28 /index.php?db.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-01 17:35:27.606 140.143.13.28 /index.php?db_session.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-01 17:35:28.098 140.143.13.28 /index.php?sheep.php _POST : m: die(\'Hello, Peppa!\'.(string)(1111111119)) 2018-07-01 19:45:17.083 139.199.155.25 /index.php?wuwu11.php _POST : h: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-01 19:45:17.552 139.199.155.25 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-01 19:45:17.997 139.199.155.25 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-01 19:45:18.471 139.199.155.25 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-01 19:45:18.931 139.199.155.25 /index.php?w.php _POST : leng: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-01 19:45:19.390 139.199.155.25 /index.php?db.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-02 02:23:25.678 193.112.187.198 /index.php?wuwu11.php _POST : h: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-02 02:23:26.323 193.112.187.198 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-02 02:23:26.985 193.112.187.198 /index.php?wc.php _POST : 1: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-02 02:23:28.458 193.112.187.198 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-02 02:23:29.424 193.112.187.198 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-02 02:23:31.034 193.112.187.198 /index.php?w.php _POST : leng: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-02 02:23:37.110 193.112.187.198 /index.php?db_session.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(1111111119)); 2018-07-02 02:23:37.794 193.112.187.198 /index.php?sheep.php _POST : m: die(\'Hello, Peppa!\'.(string)(1111111119))	FireStorm9 6 Posts
Quote	Jul 2nd 2018 3 years ago
Edit -- duplicate post.	FireStorm9 6 Posts
Quote	Jul 2nd 2018 3 years ago
Saw this post and checked my honeypot as well and I'm seeing the same thing. I noticed the IP's were mostly from China and then I found this article and wanted to share it: https://www.cnn.com/2018/05/01/asia/china-peppa-pig-censorship-intl/index.html	Anonymous
Quote	Jul 2nd 2018 3 years ago
I think I found it! References to the exact same .php files here: https://github.com/jupyterhub/nullauthenticator/issues/2 Jupyterhub definition: JupyterHub, a multi-user Hub, spawns, manages, and proxies multiple instances of the single-user Jupyter notebook server. So I'm guessing there's a known exploit for JupyterHub servers or just the nullauthenticator application.	DanielB 4 Posts
Quote	Jul 3rd 2018 3 years ago
Been observing the same from my WAF. 43 different directories every time.. POST /db.init.php HTTP/1.1 Host: User-Agent: Mozilla/5.0 Connection: Close Content-Type: application/x-www-form-urlencoded Content-Length: 48 eval=die('Hello, Peppa!'.(string)(111111111*9));	Benchi 1 Posts
Quote	Jul 28th 2018 3 years ago

In the last few days (27 June on), my honeypot collected from various sources the same eight PHP POST to these scripts. Here are the eight scripts it attempts to post to:

20180629-132704: 192.168.25.2:80-47.96.42.91:3216 data "POST /wuwu11.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\nh=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132704: 192.168.25.2:80-47.96.42.91:3255 data "POST /xw.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\nh=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132705: 192.168.25.2:80-47.96.42.91:3533 data "POST /xx.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 47\r\n\r\naxa=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132705: 192.168.25.2:80-47.96.42.91:3609 data "POST /s.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\nleng=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132706: 192.168.25.2:80-47.96.42.91:3625 data "POST /w.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\nleng=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132706: 192.168.25.2:80-47.96.42.91:3707 data "POST /db.init.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\neval=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132707: 192.168.25.2:80-47.96.42.91:3733 data "POST /db_session.init.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\neval=die('Hello, Peppa!'.(string)(111111111*9));"
20180629-132707: 192.168.25.2:80-47.96.42.91:3779 data "POST /sheep.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 44\r\n\r\nm=die('Hello, Peppa!'.(string)(111111111*9))"

What is strange about these post, the test string is always the same [..]=die('Hello, Peppa!'.(string)(111111111*9))"

Have you seen any of these in your logs?

[1] http://www.honeypots.tk/details?id=W5CKOYAY8PQ3KGAC

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

506 Posts
ISC Handler

Jul 2nd 2018

I started seeing the sheep.php and a few others on Friday last week. The snort box picked it up and alerted on it.

DanielB

4 Posts

I saw these in my logs for both Sunday and Monday.

2018-07-01 17:35:22.655 140.143.13.28 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:23.152 140.143.13.28 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:23.643 140.143.13.28 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:27.121 140.143.13.28 /index.php?db.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:27.606 140.143.13.28 /index.php?db_session.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:28.098 140.143.13.28 /index.php?sheep.php _POST : m: die(\'Hello, Peppa!\'.(string)(111111111*9))
2018-07-01 19:45:17.083 139.199.155.25 /index.php?wuwu11.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:17.552 139.199.155.25 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:17.997 139.199.155.25 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:18.471 139.199.155.25 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:18.931 139.199.155.25 /index.php?w.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:19.390 139.199.155.25 /index.php?db.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:25.678 193.112.187.198 /index.php?wuwu11.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:26.323 193.112.187.198 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:26.985 193.112.187.198 /index.php?wc.php _POST : 1: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:28.458 193.112.187.198 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:29.424 193.112.187.198 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:31.034 193.112.187.198 /index.php?w.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:37.110 193.112.187.198 /index.php?db_session.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:37.794 193.112.187.198 /index.php?sheep.php _POST : m: die(\'Hello, Peppa!\'.(string)(111111111*9))

FireStorm9

6 Posts

Edit -- duplicate post.

FireStorm9

6 Posts

Saw this post and checked my honeypot as well and I'm seeing the same thing. I noticed the IP's were mostly from China and then I found this article and wanted to share it:
https://www.cnn.com/2018/05/01/asia/china-peppa-pig-censorship-intl/index.html

Anonymous

I think I found it!

References to the exact same .php files here: https://github.com/jupyterhub/nullauthenticator/issues/2

Jupyterhub definition: JupyterHub, a multi-user Hub, spawns, manages, and proxies multiple instances of the single-user Jupyter notebook server.

So I'm guessing there's a known exploit for JupyterHub servers or just the nullauthenticator application.

DanielB

4 Posts

Been observing the same from my WAF. 43 different directories every time..

POST /db.init.php HTTP/1.1

Host:
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

eval=die('Hello, Peppa!'.(string)(111111111*9));

Benchi

1 Posts