In the last few days (27 June on), my honeypot collected from various sources the same eight PHP POSTs to these scripts. Here are the eight scripts it attempts to post to:

20180629-132704: 192.168.25.2:80-47.96.42.91:3216 data "POST /wuwu11.php HTTP/1.1\r\nHost: 192.168.96.183:80\r\nUser-Agent: Mozilla/5.0\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\nh=die('Hello, Peppa!'.(string)(111111111*9));"
Have you seen any of these in your logs?

[1] http://www.honeypots.tk/details?id=W5CKOYAY8PQ3KGAC

Guy, 430 Posts, ISC Handler
Jul 2nd 2018
I started seeing the sheep.php and a few others on Friday last week. The snort box picked it up and alerted on it.
DanielB, 4 Posts
Jul 2nd 2018
I saw these in my logs for both Sunday and Monday.
2018-07-01 17:35:22.655 140.143.13.28 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:23.152 140.143.13.28 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:23.643 140.143.13.28 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:27.121 140.143.13.28 /index.php?db.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:27.606 140.143.13.28 /index.php?db_session.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 17:35:28.098 140.143.13.28 /index.php?sheep.php _POST : m: die(\'Hello, Peppa!\'.(string)(111111111*9))
2018-07-01 19:45:17.083 139.199.155.25 /index.php?wuwu11.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:17.552 139.199.155.25 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:17.997 139.199.155.25 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:18.471 139.199.155.25 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:18.931 139.199.155.25 /index.php?w.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-01 19:45:19.390 139.199.155.25 /index.php?db.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:25.678 193.112.187.198 /index.php?wuwu11.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:26.323 193.112.187.198 /index.php?xw.php _POST : h: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:26.985 193.112.187.198 /index.php?wc.php _POST : 1: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:28.458 193.112.187.198 /index.php?xx.php _POST : axa: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:29.424 193.112.187.198 /index.php?s.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:31.034 193.112.187.198 /index.php?w.php _POST : leng: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:37.110 193.112.187.198 /index.php?db_session.init.php _POST : eval: die(\'Hello, Peppa!\'.(string)(111111111*9));
2018-07-02 02:23:37.794 193.112.187.198 /index.php?sheep.php _POST : m: die(\'Hello, Peppa!\'.(string)(111111111*9))
FireStorm9, 6 Posts
Jul 2nd 2018
Edit -- duplicate post.
FireStorm9, 6 Posts
Jul 2nd 2018
Saw this post and checked my honeypot as well and I'm seeing the same thing. I noticed the IPs were mostly from China and then I found this article and wanted to share it:
https://www.cnn.com/2018/05/01/asia/china-peppa-pig-censorship-intl/index.html

Anonymous
Jul 2nd 2018
I think I found it!
References to the exact same .php files here: https://github.com/jupyterhub/nullauthenticator/issues/2

JupyterHub definition: JupyterHub, a multi-user Hub, spawns, manages, and proxies multiple instances of the single-user Jupyter notebook server.

So I'm guessing there's a known exploit for JupyterHub servers or just the nullauthenticator application.

DanielB, 4 Posts
Jul 3rd 2018
Been observing the same from my WAF. 43 different directories every time.

POST /db.init.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

eval=die('Hello, Peppa!'.(string)(111111111*9));

Benchi, 1 Posts
Jul 28th 2018
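A small detector for the probe shown in FireStorm9's honeypot lines and Benchi's raw request, added here as an example (not code from the thread or from ISC). It parses the posted log format, flags the `Hello, Peppa!` body whether the quotes are logged escaped or not, groups the probed script names per source IP, and shows the marker a compromised host would return, which is the string to search for in outbound responses. The `LOG_RE` layout and the one benign line in `SAMPLE` are assumptions.

```python
import re
from collections import defaultdict

# If a script eval()s the posted parameter it prints this marker; the scanner
# only has to grep the response for it. This is the string to hunt for in
# outbound responses to find hosts that answered the probe.
EXPECTED_MARKER = "Hello, Peppa!" + str(111111111 * 9)  # Hello, Peppa!999999999

# Probe body as it appears in the honeypot log (quotes escaped as \') and in the raw POST.
PROBE_RE = re.compile(r"die\(\\?'Hello, Peppa!\\?'\.\(string\)\(111111111\*9\)\)")

# One line in the format posted above (assumed layout): ts, source IP, path, "_POST : param: value"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<path>\S+)\s+_POST\s*:\s*(?P<param>\w+):\s*(?P<body>.*)$"
)

def parse_line(line):
    """Return ip/script/param/body plus a probe flag, or None if the line is not this format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The honeypot logs the requested file as index.php?<file>; fall back to the path itself.
    path, _, query = rec["path"].partition("?")
    rec["script"] = query or path.rsplit("/", 1)[-1]
    rec["probe"] = bool(PROBE_RE.search(rec["body"]))
    return rec

def summarize(lines):
    """Map each source IP to the sorted (script, param) pairs it probed with the Peppa body."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["probe"]:
            hits[rec["ip"]].add((rec["script"], rec["param"]))
    return {ip: sorted(pairs) for ip, pairs in hits.items()}

# Three lines reproduced from the thread plus one constructed benign line for contrast.
SAMPLE = [
    "2018-07-01 17:35:22.655 140.143.13.28 /index.php?xw.php _POST : h: die(\\'Hello, Peppa!\\'.(string)(111111111*9));",
    "2018-07-01 17:35:28.098 140.143.13.28 /index.php?sheep.php _POST : m: die(\\'Hello, Peppa!\\'.(string)(111111111*9))",
    "2018-07-02 02:23:37.110 193.112.187.198 /index.php?db_session.init.php _POST : eval: die(\\'Hello, Peppa!\\'.(string)(111111111*9));",
    "2018-07-02 02:23:40.000 10.0.0.5 /index.php?login.php _POST : user: alice",
]

if __name__ == "__main__":
    for ip, probes in summarize(SAMPLE).items():
        print(ip, probes)
```

A request matching `PROBE_RE` is a scan, not a compromise; a response containing `EXPECTED_MARKER` is the signal that one of the probed scripts is actually a shell.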