A Few Hours After the Publication: Dozens of Scanning Attempts for Vulnerable PHP Servers

On March 28th the official PHP Git repository was compromised in order to open a backdoor into many web servers. The attackers gained access to the official PHP main Git server and uploaded two malicious commits, including a backdoor.

The malicious commits were discovered a few hours later and were published on the morning of March 29th.

Nevertheless, Imperva research labs noticed a spike in scanning attempts for the backdoor right after the publication, in the early morning of March 29th.

So far we have registered a few hundred scanning attempts, most of them from only a few attackers using automated software.

Attacks were observed across the board.

[Figure: PHP Server chart]

The payloads that we have seen so far indicate that the attacker is scanning to check whether the exploit works; they contain mainly simple commands such as MD5 and Nslookup.

Imperva’s research team has added new dedicated rules to mitigate this attack vector so Imperva WAF customers are protected out-of-the-box.