This article is a continuation of the previous one, which you can find [here](https://hackmd.io/@Solderet/r1cbVM5on). In this article, we will delve deeper into the methods that the attacker used to gain Remote Code Execution (RCE) on my server.
# Unveiling Suspicious Activity
## Checking The Log
If you are using Docker Compose to manage your services, you can use the command `sudo docker-compose logs --follow` to read the logs of your services, as shown in the image below:

Upon checking the logs, you might notice that a public IP is accessing my `web-php_1` service, which happens to be my php-fpm service. The funny thing is, I didn't even realize until pretty recently that I had mistakenly given my php-fpm service a taste of the public spotlight :cry:
So, you're probably wondering how the attacker exploited that open port to gain Remote Code Execution (RCE), right? Well, it turns out that php-fpm speaks FastCGI, and a crafted FastCGI request sent straight to that open port can make the PHP server execute what the request specifies. It's just like what's explained in this article: [RCE Attacks Targeting Misconfigured Open PHP-FPM](https://blogs.juniper.net/en-us/threat-research/rce-attacks-targeting-misconfigured-open-php-fpm).
# Attacking The Server
For testing purposes, I created the scenario on my local machine using Docker Compose. You can try it out by adding a `docker-compose.yaml` file with the following content:
```yaml
version: "3"
services:
  php-fpm:
    image: php:fpm-alpine
    ports:
      - 9000:9000
```
After running `sudo docker-compose up`, the output will look something like this:

Once the scenario is running, we can use the script from the gist below, which crafts the payload and sends it to our php-fpm server:
:::spoiler fpm.py
{%gist phith0n/9615e2420f31048f7e30f3937356cf75%}
:::
Once you've set up the scenario and have the fpm.py script ready, you can run it as shown in the image below:

As you can see, our payload is reflected in the response, which confirms that php-fpm accepts and processes FastCGI requests sent directly to the exposed port.
Now, let's take it up a notch and add a PHP tag to the payload:

Boom! We just achieved remote code execution!
# Summary
As system administrators, we must be cautious about which ports we expose to the public. In this scenario, we accidentally opened the port of the php-fpm service to the public, leaving it vulnerable to remote code execution. It's essential to carefully manage our servers and not allow attackers to exploit critical services like php-fpm.
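To catch this kind of slip before deployment, here is an added example (my own code, not from the article or from phith0n's gist) that audits a parsed `docker-compose.yaml` and flags any service publishing php-fpm's port 9000 on a non-loopback host address; the compose dictionaries below are constructed to mirror the article's risky file and a hardened variant that uses `expose` instead of `ports`.

```python
"""Audit Docker Compose port mappings for services published on all interfaces.

Added example, not code from the article or from phith0n's gist: it checks the
short-form port syntax ("HOST:CONTAINER", "IP:HOST:CONTAINER", "CONTAINER") and the
long-form dict syntax and flags any php-fpm listener reachable from every interface.
"""
from typing import Dict, List, Union

PortSpec = Union[str, int, Dict[str, object]]
FASTCGI_PORT = 9000  # php-fpm's default listen port, as in the article's compose file
LOOPBACK = ("127.", "::1", "localhost")


def host_bind_address(spec: PortSpec) -> str:
    """Host IP a mapping binds to; Docker uses 0.0.0.0 when none is given."""
    if isinstance(spec, dict):  # long syntax: {target: 9000, published: 9000, host_ip: ...}
        return str(spec.get("host_ip", "0.0.0.0"))
    parts = str(spec).split("/")[0].split(":")  # drop a trailing "/tcp" or "/udp"
    return parts[0] if len(parts) == 3 else "0.0.0.0"  # only "IP:HOST:CONTAINER" names an IP


def container_port(spec: PortSpec) -> int:
    """Container-side port of a mapping (first port of a range such as "9000-9001")."""
    if isinstance(spec, dict):
        return int(spec["target"])
    return int(str(spec).split("/")[0].split(":")[-1].split("-")[0])


def publicly_exposed(compose: dict, sensitive_port: int = FASTCGI_PORT) -> List[str]:
    """List services that publish `sensitive_port` on a non-loopback host address."""
    findings = []
    for name, service in compose.get("services", {}).items():
        for spec in service.get("ports", []):
            addr = host_bind_address(spec)
            if container_port(spec) == sensitive_port and not addr.startswith(LOOPBACK):
                findings.append(f"{name}: container port {sensitive_port} bound to {addr}")
    return findings


# Constructed sample mirroring the article's docker-compose.yaml (the risky form).
EXPOSED_COMPOSE = {"services": {"php-fpm": {"image": "php:fpm-alpine", "ports": ["9000:9000"]}}}
# Constructed hardened variant: nothing published on the host; a web server on the same
# compose network still reaches php-fpm by service name on port 9000.
HARDENED_COMPOSE = {"services": {"php-fpm": {"image": "php:fpm-alpine", "expose": ["9000"]}}}

if __name__ == "__main__":
    for label, compose in (("exposed", EXPOSED_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(label, publicly_exposed(compose) or ["ok: php-fpm not published on the host"])
```

Feed it the output of `yaml.safe_load()` on a real compose file to audit a whole project; a `127.0.0.1:9000:9000` mapping passes, since only local processes can reach it.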
That's it for my article! If you have any critiques or questions, feel free to leave a comment in the section below. :smile: