PHP Deathmatch: Korean Angel vs. the botnets

So, each week I've been writing a tech blog article on some of the trends we see in machine data to one of our monitored web assets. One of the automated searches we have running is long URI's in this case as a POST to the server and below you can see the output of this:

Firstly, the raw data needs to be run through a decoder before we can see what the function might be. Straight away we can see that it is related to php and disabling safe mode so it is reasonable to conclude that this is a malicious attempt against php.

Searching for "Suhosin" found in the string tells us that the word means Guardian Angel in Korean and that it's the name of a PHP security extension available on Github or via the packages homepage (URL); it's an older build and dates from 2015 and relates to php 5. The package apparently has a range of features: "It is designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core". The current version of php is version 7.4 so the question is how widely deployed is php 5 these days or is this just a ghost in the shell constantly trying a legacy vulnerability? A search on shodan elucidates my query:

One blunt search reveals that at a minimum there are 42,699 servers detectable running a variant of php 5 and 177 servers running php and our guardian angel suhosin package. The concerning thing at this point is that some of the companies running such vulnerable packages include telecom companies, power companies and academic institutions. How exploitable is php 5 with this vulnerability and what could be done with it? The exact string of malicious code appears on pastebin in December 2013 so this is not an emerging threat yet still the potential threat surface is significant.

How prevalent is this attack?

On this one web asset we have seen 976 matching events in the past 30 days alone and sampling the source IP's of the attacks by country reveals a couple of notable facts. Firstly the IP's are dominated by Western IP address sources in Germany, France, USA and the Netherlands. Secondly a range of botnets are attributed to the IP's in question with the Zeus botnet being common as the likely variant. Zeus and it's successor Gameover are worth reading up on (URL) and B. Krebs covered it in 2014 (URL). And guess what, we have another U.S FBI most wanted individual: Evgeniy Mikhailovich Bogachev (URL) who is wanted for a long list of criminal activities related to this botnet. Below is a graph from our machine data tool depicting the exploit search over the past 30 days:


  • The internet is the wild West and automated botnets are checking the locks on this servers front door at an average of 30 times a day on this one exploit alone.
  • In excess of 42,000 servers on the internet are readily exposing a potential vulnerability to this or a similar php 5 exploit.
  • Power, Telecom and educational establishments are included in companies running this code.
  • The botnets are mostly located in Western countries
  • Administrators need the support to keep assets protected and up-to-date
  • You need to monitor and product your cyber assets

If you're concerned by this or another issue get in touch, we can help

Subscribe to this blog post Unsubscribe Report Print

By accepting you will be accessing a service provided by a third-party external to

Find Out More

© Computer Network Defence Limited 2021