Hello, welcome to the Monday, June 8, 2020 edition of the Sand Center Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

When you are installing a programming language to be used as part of your web application, let's say PHP, you often have two options. First option being

to use a module that's being loaded with your web server and then your web server essentially

is executing the code or secondly using a mechanism called Fast CGI., with Fast CGI, the web server will send data to your CGI process, which again, could be

PHP across the Loopback interface.

Now, typically, Fast CGI and similar modules should only listen on loopback.

But apparently, that's not always the case.

And as our handler Remko found, the bad guys are actively looking for exposed fast CGI

pHP installs.

And of course, exploitation is trivial, as Remko shows in the examples that he found. In these

examples, the attacker was essentially just sending a FARP archive to the fast CGI install to have

arbitrary code executed. There's no authentication required.

The one tricky part here is, at least for the attacker,

that Fast GGI doesn't always listen on the same port.

Yes, there are some standards.

The instructions that I remember usually suggest port 9,000, but what Remko found was that IP addresses,

he has been tracking for trying to exploit this vulnerability, are essentially scanning port

8,000 through 10,000, so a fairly far range of different port numbers.

He also found first a quick initial scan from one IP address being then followed up with a second

scan from a different IP address.

So the hacker probably has two processes running or multiple processes. Some of them are just doing these initial scans, assembling target lists of hosts that appear

...