A vulnerability that allows attackers to take control of websites running older versions of the PHP scripting language continues to threaten the Internet almost two years after security researchers first warned that attackers could use it to remotely execute malicious code on vulnerable servers.

As Ars reported 22 months ago, the code-execution exploits worked against PHP sites only when they ran in common gateway interface mode, a condition that applied by default to those running the Apache Web server. According to a blog post published Tuesday, CVE-2012-1823, as the vulnerability is formally indexed, remains under attack today by automated scripts that scour the Internet in search of sites that are susceptible to the attack. The sighting of in-the-wild exploits even after the availability of security patches underscores the reluctance of many sites to upgrade.

"One of the interesting points is that despite the fact that this vulnerability is somewhat dated, cybercriminals are still using it, understanding that a major part of the install base of PHP does not update on a regular basis—creating the window of opportunity," Nadav Avital, Barry Shteiman, and Amichai Shulman, who are researchers with security firm Imperva, wrote. "A surprising fact is that even today, this vulnerability can be used successfully as companies don't take the appropriate measures to secure their servers."

Catching flies with honey

The researchers based their assessment on results of a vulnerable "honeypot" server they set up to see if it would be subjected to the PHP attacks. They counted 324 separate IP addresses that subjected their test server to exploits. The attacks used highly obfuscated code to conceal the attack. When reconstructed into a human-readable format, the scripts were found to download malicious executable files from a remote server, run it, and then remove it from the server to hide evidence of the compromise.

"The malware files are usually written in PHP, Python, or C and vary from simple reverse shell backdoors to IRC clients that connect to [command and control] servers," the Imperva researchers wrote. "We also notice that some malwares have different functionality according to the kernel versions and the processor architecture of the infected server.

PHP versions prior to 5.3.12 and 5.4.2 are vulnerable. The Imperva blog post said that an estimated 16 percent of public websites are running a vulnerable version. People running susceptible versions should upgrade right away. Readers who visit vulnerable sites should notify the operators of the risk their site poses.

Besides underscoring how slow many websites are at patching extremely critical security bugs, Imperva's findings may help to explain the uptick over the past few years of server hacks that turn trusted websites into platforms that attack end users and sometimes other sites . While a similar attack campaign reported Tuesday exploited compromised login credentials, there's probably no single cause for these types of server breaches. Given the potency of the PHP attack, it's no surprise that attackers are still using it to commandeer vulnerable sites.