The URL of the scan was:
Nothing particularly surprising there. What was interesting, though, was the "info3.txt" file, which contained only:
<?php
Confused as to how that would help an attacker, we did the logical thing and looked for "info2.txt". Not only did it exist, it had a much more interesting bit of code:
(Full copy of info2.txt)
Even without reading the Russian, it's pretty obvious what's going on here; the "c99.php" gives it away as the C99 Shell, a common backdoor tool used for easy control via a web interface once a box has been popped. A quick pass through Google Translate shows the comments are simple notes about file creation. The only part that doesn't make sense is the exploit writer's proud declaration of his own masculinity - but then again, it's not like we need to be this guy's psychiatrist in order to block him.
So the question from there is - how do we block this? Going after the actual encoded data is the simplest and most reliable way, so we decoded the rather large chunk of Base64 data to see what we were looking at. The data that popped out began with:
Encoder : AROHA PHPencoder ver. 1.04
WEB : http://phpencoder.aroha.sk/
//add php tags before usage
* c99shell.php v.1.0 beta (?? 21.05.2005)
The "c99shell.php v" bit is the obvious target there, as it's least likely to change; SID 23016 looks for the encoded version of that string.
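One detail worth seeing in working code is that a fixed plaintext marker does not have a single Base64 form: Base64 maps 3 bytes to 4 characters, so "c99shell.php v" encodes differently depending on its byte offset mod 3. The Python below is an added example, not part of the original post and not the text of SID 23016; it derives the three encoded fragments the marker can produce, matches them directly in encoded data, and cross-checks by decoding. The banner in SAMPLE_BANNER is a constructed sample modelled on the decoded output above, not the real blob.

```python
import base64
from typing import Dict, List, Optional

# Marker taken from the decoded C99 banner quoted above (the string SID 23016 targets).
MARKER = b"c99shell.php v"
_DROP = {0: 0, 1: 2, 2: 3}  # base64 chars influenced by k filler bytes on one side


def encoded_variants(marker: bytes) -> List[bytes]:
    """Base64 fragments that `marker` can produce at each of its three alignments.
    Pad with filler so the marker starts at offset 0, 1 and 2, encode, then trim
    the characters whose 6-bit groups also depend on the filler bytes."""
    variants = []
    for offset in range(3):
        padded = b"x" * offset + marker
        tail = (-len(padded)) % 3                  # filler avoids '=' padding
        enc = base64.b64encode(padded + b"x" * tail)
        variants.append(enc[_DROP[offset]:len(enc) - _DROP[tail]])
    return variants


VARIANTS = encoded_variants(MARKER)


def match_encoded(b64_blob: bytes) -> Optional[int]:
    """Content-match approach (no decoding of the traffic): return the alignment
    (0, 1 or 2) whose fragment occurs in the blob, else None."""
    for offset, frag in enumerate(VARIANTS):
        if frag in b64_blob:
            return offset
    return None


def match_decoded(b64_blob: bytes) -> bool:
    """Cross-check that decodes the blob and searches the plaintext instead."""
    try:
        return MARKER in base64.b64decode(b64_blob, validate=True)
    except ValueError:                             # binascii.Error is a ValueError
        return False


# Constructed sample modelled on the decoded banner shown above (not the real blob).
SAMPLE_BANNER = (b"Encoder : AROHA PHPencoder ver. 1.04\n"
                 b"//add php tags before usage\n"
                 b"* c99shell.php v.1.0 beta\n")


def encode_sample(prefix_len: int) -> bytes:
    """Base64 of the sample banner preceded by `prefix_len` filler bytes."""
    return base64.b64encode(b"#" * prefix_len + SAMPLE_BANNER)


def demo() -> Dict[int, Optional[int]]:
    """Shift the marker across every alignment (prefix 0..5) and record which
    fragment fires for each prefix length."""
    return {n: match_encoded(encode_sample(n)) for n in range(6)}
```

Line-wrapped Base64 (for example 76-character lines) can split a fragment across a newline, so strip line breaks before matching or the encoded-string check will miss it.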
While detecting the specific attack is one thing, looking for generic obfuscations or other indicators common to many exploits is another. It can sometimes lead to detecting unknown or little-known attacks, since the attacker may be using an exploit you don't know about while reusing the same technique as an attack you do know about.
Just to round things off, we've also included SID 23017 for the big, bold "I'm a man!" string. Much like SIDs 21548, 21539, 21549, 21876, and 22039 - which all look for variants of Blackhole and Cutwail's classic "Loading ... please wait" - this should never show up in legitimate traffic, and may catch different tools associated with this particular group.
In the meantime, we've been able to confirm that our existing rules for the use of an installed C99 shell work well; we suggest that customers concerned about this sort of traffic consider enabling SIDs 16613 - 16628, 18686 - 18690, and 22917 - 22936. We'd love to hear your feedback on the rules, so don't be shy about dropping us a note if you see anything around them.