PHP, the programming language used in over 80% of the world’s websites, is demonstrating increasing vulnerability.
According to F5 Labs’ data partner Loryka, 81% of malicious traffic monitored in the wild in 2018 was PHP-related, representing a 23% rise compared to 2017.
Monitoring focused on initial reconnaissance campaigns looking for admin surfaces to compromise as part of a broader attack chain.
Featuring in the first instalment F5 Lab’s Application Protection Report 2019, the research also notes that PHP accounted for 68% of all of 2018’s published exploits on the Exploit Database.
“The volume and relentless nature of PHP exploits are alarming but unsurprising,” says Sander Vinberg, threat research evangelist at F5 Labs.
“Based on our research, we predict that it will remain one of the Internet’s weakest links and broadest attack surfaces for the foreseeable future.”
As a part of its analysis, F5 Labs also shed light on specific PHP attack tactics.
Loryka’s sensors identify connection attempts and capture data such as source IP and target URL. Attackers often cycle through billions of targets looking for opportunities to attack, so the target domain or IP address is not significant.
However, the back half of the target URL contains the target file or path. This is the specific location on a web server that the attacker is targeting across all their target IPs. It also reveals a lot about an attacker’s goals and tactics.
For example, Loryka noted that a huge portion of traffic focused on just seven paths or filenames. All seven are commonly used for managing phpMyAdmin (also known as PMA), which is a PHP web application used for managing MySQL databases.
A massive 42% of the 1,5-million unique events targeting more than 100 000 different URL were aimed at one of the following:
* www.example.com/PMA2011/
* www.example.com/pma2011/
* www.example.com/PMA2012/
* www.example.com/phpmyadmin3/
* www.example.com/pma2012/
* www.example.com/phpmyadmin4/
* www.example.com/phpmyadmin2/
The traffic volume targeting these was found to be almost identical from path to path, with less than a 3% difference between most and least frequent volume. The timing of the campaigns targeting these paths was also close to identical, with traffic spiking in coordination.
On closer inspection, F5 Labs discovered that 87% of the traffic pointed at the common phpMyAdmin paths stemmed from just two IPs out of the 66 000 IPs hitting Loryka’s sensors. These two IPs represented 37% of all monitored traffic in 2018. All traffic from the compromised IPs pointed at the seven PMA paths. No other single IP matched this volume of traffic or replicated its patterns – even when targeting the same paths.
Interestingly, the two IPs came from systems based on a North American university campus.
“Basically, unknown actors used a small number of compromised systems on university networks to look for specific targets: old and probably neglected MySQL databases with weak authentication,” Vinberg explains.
“These actors have defined a narrow set of target parameters but are scanning the entire web from a small number of addresses – and are not trying too hard to cover their tracks. Given that SQL injection was the most common PHP attack, it seems that the threat landscape is going to look similar this year.”
Vinberg adds that mitigating the risk from these kind of campaigns should be relatively straightforward – provided system owners are aware of what is on their network.
“Whitelisting authentication pages for admin surfaces is an easy way to prevent a recon campaign of this nature from escalating,” he says.
“A robust access control program with strong passwords or multifactor authentication would also mitigate the risk of credential stuffing or escalation from a phishing campaign that might follow reconnaissance activities.”