6

I am running a CentOS 7.x VPS with Apache 2.4.29 and PHP 7.0.28, and I started seeing the following in my logs. I have had php.ini secured as best I can from articles online for a while now, but I am wondering why I am seeing an HTTP status code of 200 (success) when they do the following, what it is doing, and how to prevent it. As best I can tell, die() is the equivalent of exit(). Is this a known older buffer overflow exploit?

Bottom line though is why is it returning success and what damage did it do?

[18/Mar/2018:09:57:21 +0000] "POST /?q=die('z!a'.'x');&w=die('z!a'.'x');&e=die('z!a'.'x');&r=die('z!a'.'x');&t=die('z!a'.'x');&y=die('z!a'.'x');&u=die('z!a'.'x');&i=die('z!a'.'x');&o=die('z!a'.'x');&p=die('z!a'.'x');&a=die('z!a'.'x');&s=die('z!a'.'x');&d=die('z!a'.'x');&f=die('z!a'.'x');&g=die('z!a'.'x');&h=die('z!a'.'x');&j=die('z!a'.'x');&k=die('z!a'.'x');&l=die('z!a'.'x');&z=die('z!a'.'x');&x=die('z!a'.'x');&c=die('z!a'.'x');&v=die('z!a'.'x');&b=die('z!a'.'x');&n=die('z!a'.'x');&m=die('z!a'.'x');&eval=die('z!a'.'x');&enter=die('z!a'.'x'); HTTP/1.1" 200 3564
JonathanDavidArndt
  • I also got this in my log on the 17th – Richie Frame Mar 18 '18 at 16:41
  • Since none of the arguments were processed by my index page, it just shows the index; my guess is it targets a specific type of application – Richie Frame Mar 18 '18 at 16:43
  • I made a modsec rule to block: SecRule ARGS "@contains ('z!a'.'x')" "id:9999,phase:2,t:none,t:lowercase,deny,status:403,log,msg:'UNKNOWN query attack'" – Richie Frame Mar 18 '18 at 17:27
  • I've started seeing a whole bunch of these across many of my websites over the last two days (starting March 16). I'm glad to know it's not just me. – Collin Anderson Mar 18 '18 at 21:24
  • Cross-site dupe: [What's so special about `eval("z!ax")`?](https://security.stackexchange.com/questions/181772/whats-so-special-about-evalzax) – Arminius Mar 19 '18 at 00:06

1 Answer

11

This is a blind probe for PHP web application vulnerabilities. If you have a PHP web application which somehow executes code from untrusted input, from any of the query parameters given, then the script will die and print z!ax in the web page output.

If this happens, then the prober will come back later (maybe seconds later) to exploit the vulnerability for real.

Michael Hampton
  • My favorite response to these: foreach (array_values($_POST) as $v) { if (preg_match("/die\(/", $v)) { print "go die() in a fire."; block($_SERVER["REMOTE_ADDR"]); die(); } }; foreach (array_values($_GET) as $v) { if (preg_match("/die\(/", $v)) { print "go die() in a fire."; block($_SERVER["REMOTE_ADDR"]); die(); } }; – whiskeyfur Sep 20 '18 at 18:10
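The answer explains why the 200 means nothing by itself: the index page is served as usual and the injected die() never runs, whereas a hit would print just "z!ax". The following is an added example (not code from the question or answer) that applies that reasoning to access-log lines: it decodes every query parameter, flags the die/exit/eval probe, and uses the response size to tell "probe ignored" from "probably executed". The log lines, the 64-byte threshold and the IP addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache "common" log format; the first mirrors the
# request quoted in the question, the second is a hypothetical successful probe.
LOG_LINES = [
    "203.0.113.5 - - [18/Mar/2018:09:57:21 +0000] \"POST /?q=die('z!a'.'x');&w=die('z!a'.'x');&eval=die('z!a'.'x'); HTTP/1.1\" 200 3564",
    "203.0.113.5 - - [18/Mar/2018:09:57:25 +0000] \"POST /?q=die(%27z%21a%27.%27x%27)%3B HTTP/1.1\" 200 4",
    "198.51.100.7 - - [18/Mar/2018:10:01:02 +0000] \"GET /index.php?page=about HTTP/1.1\" 200 3564",
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# PHP code-execution probe: a call to die/exit/eval inside a parameter value.
PROBE_RE = re.compile(r"\b(die|exit|eval)\s*\(", re.IGNORECASE)
# die('z!a'.'x') prints exactly "z!ax"; a full page is far larger. The threshold
# is a constructed heuristic for this example, not a value from the post.
MAX_HIT_BODY = 64

def classify(line):
    """Return None for lines without the probe, else a dict describing it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
    hit_params = [k for k, v in params if PROBE_RE.search(v)]
    if not hit_params:
        return None
    size = int(m["size"]) if m["size"].isdigit() else 0
    if m["status"] == "200" and size <= MAX_HIT_BODY:
        verdict = "LIKELY_EXECUTED"   # tiny body is consistent with die() output
    else:
        verdict = "PROBE_IGNORED"     # normal page served; injected code never ran
    return {"ip": m["ip"], "time": m["ts"], "params": hit_params,
            "status": m["status"], "size": size, "verdict": verdict}

def scan(lines):
    """Classify every line; keep only those carrying the probe."""
    return [r for r in map(classify, lines) if r]

if __name__ == "__main__":
    for r in scan(LOG_LINES):
        print(f"{r['time']} {r['ip']} {r['verdict']} params={r['params']} size={r['size']}")
```

A LIKELY_EXECUTED verdict is the one worth investigating: it indicates a handler that evaluated a request parameter, and the source IP will usually return shortly after, as the answer notes.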