Chinese websites have been under attack for a week via a new PHP framework bug

PoC for ThinkPHP security flaw sparks furious scans for vulnerable sites, most of which are based in China.
Written by Catalin Cimpanu, Contributor

Over 45,000 Chinese websites have been under a barrage of attacks from miscreants looking to gain access to web servers, ZDNet has learned.

The attacks have targeted websites built with ThinkPHP, a PHP framework developed in China that is very popular with the country's web developers.

The attacks started after Chinese cyber-security firm VulnSpy posted a proof-of-concept exploit for ThinkPHP on ExploitDB, a website popular for hosting free exploit code.

The proof-of-concept code abuses the framework's invokeFunction method, which invokes a caller-supplied function with caller-supplied arguments, to execute arbitrary code on the underlying server. The vulnerability is exploitable over the network with a single crafted HTTP request and needs no credentials, as is common for flaws in web-based apps, and a successful attack gives the attacker control over the server.
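To make the bug class concrete, the following is an added Python model of what the paragraph above describes, not ThinkPHP's own code: a dispatcher that resolves a user-controlled "controller/method" string to a callable without restricting which classes are reachable, so an internal helper that invokes arbitrary functions becomes callable from a request. The class and method names (PublicController, App.invoke_function), the route format and the dotted-name lookup are assumptions made for the illustration; the hardened dispatcher beside it shows the allow-list check that closes the hole.

```python
"""Simplified model of the bug class described above.

Added illustration in Python, not ThinkPHP's code. The class and method
names, the "controller/method" route format and the dotted-name lookup are
assumptions made for the example.
"""
import importlib
import re
from typing import Any


class PublicController:
    """The only class the application intends to expose over HTTP."""

    def index(self) -> str:
        return "hello"


class App:
    """Framework-internal helper that should never be reachable from a URL.

    Modelled on the invokeFunction method the article names: it resolves a
    caller-supplied function name and calls it with caller-supplied arguments.
    """

    def invoke_function(self, name: str, *args: Any) -> Any:
        module_name, _, attr = name.rpartition(".")
        func = getattr(importlib.import_module(module_name), attr)
        return func(*args)


# The same lookup table serves public controllers and internal classes; that
# is the defect the vulnerable dispatcher below inherits.
_CLASSES = {
    "public": PublicController,
    "app": App,
}

# Hardened dispatcher: explicit allow-list of exposed controllers, and method
# names restricted to plain identifiers (no leading underscore, no separators).
_EXPOSED = {"public"}
_NAME_RE = re.compile(r"^[A-Za-z]\w*$")


def dispatch_vulnerable(route: str, *args: Any) -> Any:
    """Resolve 'controller/method' from the request with no allow-list.

    A request naming 'app/invoke_function' reaches the internal helper and
    gets arbitrary function execution.
    """
    controller, method = route.split("/", 1)
    return getattr(_CLASSES[controller](), method)(*args)


def dispatch_hardened(route: str, *args: Any) -> Any:
    """Same dispatch, but internal classes and odd method names are rejected
    before any attribute lookup happens."""
    controller, method = route.split("/", 1)
    if controller not in _EXPOSED:
        raise PermissionError(f"controller not exposed: {controller}")
    if not _NAME_RE.match(method):
        raise ValueError(f"bad method name: {method}")
    return getattr(_CLASSES[controller](), method)(*args)


if __name__ == "__main__":
    print(dispatch_vulnerable("public/index"))  # hello
    print(dispatch_vulnerable("app/invoke_function", "builtins.len", "abcd"))  # 4
    try:
        dispatch_hardened("app/invoke_function", "builtins.len", "abcd")
    except PermissionError as exc:
        print("blocked:", exc)
```

The point of the hardened version is that the check happens on the names before any lookup: the route string is the only attacker-controlled input, so validating it against an allow-list of intended controllers removes the internal class from reach regardless of what helper methods the framework carries.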

Attacks started within a day

"The PoC was published on December 11, and we saw internet-wide scans less than 24 hours later," Troy Mursch, co-founder of Bad Packets LLC told ZDNet today.

Four other security firms (F5 Labs, GreyNoise, NewSky Security, and Trend Micro) have also reported similar scans, which have grown in intensity in the days since.

The number of organized threat groups exploiting the new ThinkPHP vulnerability has also grown. Besides the original attackers, there is now a group that security researchers have named "D3c3mb3r," and another group that is using the ThinkPHP vulnerability to infect devices with the Miori IoT malware.

The activity of this last group, detected by Trend Micro, also suggests that ThinkPHP may have been used to build the web control panels of some home routers and IoT devices, since Miori is built for embedded devices and would not function properly on ordinary Linux servers.

NewSky Security has also detected a fourth group scanning for ThinkPHP-based sites and attempting to run Microsoft PowerShell commands.

"The Powershell one is bizarre," Ankit Anubhav, Principal Security Researcher for NewSky Security told ZDNet. "They actually have some code that checks for OS type and runs different exploit code for Linux, but they also run Powershell just to try their luck."

But the biggest of the groups exploiting this ThinkPHP vulnerability is the one researchers call D3c3mb3r. It isn't focused on ThinkPHP sites alone; it scans for anything running PHP.

"They are very loud on PHP," Anubhav told us. "Mostly looking for web servers and not IoT devices."

But this group, for now, isn't doing anything special: it doesn't infect servers with cryptocurrency miners or any other malware. It simply scans for vulnerable hosts, runs a basic "echo hello d3c3mb3r" command to confirm that commands execute, and stops there.

"I am not sure about their motive," Anubhav said.

Over 45,000 vulnerable hosts

According to a Shodan search, over 45,800 servers running a ThinkPHP-based web app are currently reachable online. That figure counts hosts that identify themselves as running ThinkPHP, not hosts confirmed to be on a vulnerable version, so it is a proxy for exposure rather than a count of vulnerable systems. Over 40,000 of them are hosted on Chinese IP addresses, which makes sense: ThinkPHP's documentation is available only in Chinese, and the framework is most likely little used outside the country.

This also explains why most of the attackers looking for ThinkPHP sites are themselves based in China.

"So far the only hosts we've seen scanning for ThinkPHP installations have come from China or Russia," Mursch told ZDNet after consulting data in regards to the origin of most these scans.

But you don't need to be Chinese to exploit a vulnerability in Chinese software. As more threat groups learn about this new and easy way into web servers, attacks on Chinese sites will intensify. Operators of ThinkPHP-based sites should update to a release that fixes the bug and check their web server logs for requests aimed at the invokeFunction method.

F5 Labs has also published a technical analysis of the ThinkPHP vulnerability and of how the exploit code works.
