Information Security News mailing list archives

White hats publish DDoS hijacking manual, turn tables on attackers


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 16 Aug 2012 05:07:26 -0500 (CDT)

http://arstechnica.com/security/2012/08/ddos-take-down-manual/

By Dan Goodin
Ars Technica
Aug 15, 2012

Turning the tables on miscreants who paralyze websites with torrents of junk data, security researchers have published a detailed manual that shows how to neutralize some of the Internet's most popular denial-of-service tools.

The do-it-yourself how-to provides instructions that even hacking novices can follow to exploit critical vulnerabilities in "Dirt Jumper," a family of tools used to wage the crippling denial-of-service attacks. By targeting SQL injection flaws in the software—which is sold for thousands of dollars in underground forums—counter-attackers can commandeer the master control servers used to distribute commands to large numbers of infected computers, which act as foot soldiers in such attacks. The manual was published on Tuesday by researchers with DDoS mitigation provider Prolexic.

"The authors of this malware overlooked security for critical portions of its toolkits," the Prolexic researchers wrote in the report, which can be downloaded from Prolexic's site after completing a Web form. "The weakest link within this malware family is the insecure coding practices used in the creation of the C&C panels. They are simple PHP/MySQL scripts that are pieced together to manage the infected bots."

A handful of command-line strings, the open-source penetration-testing tool SQLMap, and knowledge of a command server's location are pretty much all that's required to gain access to its back-end database and server-side configuration files. Compromise of the server's Web application can then be used to perform a DIY downing of the host server. Take for instance the following command:

[...]
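An illustration of the vulnerability class the article describes, added here as an example; it is not Dirt Jumper code and does not reconstruct the command elided above. It models a bot-lookup query of the concatenated PHP/MySQL kind the report criticizes, written in Python with an in-memory SQLite database standing in for MySQL (schema, bot rows and panel config values are all constructed for the example), and shows a UNION-based dump of the panel's config table and the boolean probe that sqlmap-style tools use to detect an injectable parameter, beside the parameterized form that resists both.

```python
"""Toy model of an injectable C&C panel lookup and its hardened form.

Added example: not Dirt Jumper code and not the article's elided command.
SQLite stands in for MySQL; every table and row below is constructed here.
"""
import sqlite3


def build_panel_db() -> sqlite3.Connection:
    """Create an in-memory stand-in for a bot-management panel's database."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE bots (id TEXT, ip TEXT)")
    cur.execute("CREATE TABLE config (name TEXT, value TEXT)")
    # Constructed sample rows (documentation-range IPs, made-up credentials).
    cur.executemany("INSERT INTO bots VALUES (?, ?)",
                    [("b001", "203.0.113.5"), ("b002", "198.51.100.7")])
    cur.executemany("INSERT INTO config VALUES (?, ?)",
                    [("admin_user", "operator"), ("admin_pass", "hunter2")])
    conn.commit()
    return conn


def lookup_bot_vulnerable(conn: sqlite3.Connection, bot_id: str):
    """The insecure pattern: request data is concatenated into the SQL text,
    so anything the client sends is parsed as part of the statement."""
    sql = "SELECT id, ip FROM bots WHERE id = '" + bot_id + "'"
    return conn.execute(sql).fetchall()


def lookup_bot_safe(conn: sqlite3.Connection, bot_id: str):
    """Hardened form: the value is bound as a parameter and never reaches
    the SQL parser, so quotes and keywords in it are just characters."""
    return conn.execute(
        "SELECT id, ip FROM bots WHERE id = ?", (bot_id,)).fetchall()


# Closes the opening quote, appends a second SELECT with the same column
# count, and comments out the panel's trailing quote. The trailing space
# after "--" matters on MySQL, where "-- " is the line-comment token.
UNION_PAYLOAD = "x' UNION SELECT name, value FROM config -- "


def dump_config_via_union(conn: sqlite3.Connection):
    """UNION-based injection: the attacker's SELECT rides on the panel's
    query, so the config table comes back through the bot-lookup path."""
    return lookup_bot_vulnerable(conn, UNION_PAYLOAD)


def is_boolean_injectable(lookup, conn: sqlite3.Connection,
                          known_id: str) -> bool:
    """sqlmap-style boolean probe: send a true and a false tautology and
    compare the responses. If they differ, the input reached the SQL
    parser; if the input is bound as data, both probes miss and match."""
    true_rows = lookup(conn, known_id + "' AND '1'='1")
    false_rows = lookup(conn, known_id + "' AND '1'='2")
    return true_rows != false_rows


if __name__ == "__main__":
    db = build_panel_db()
    print("vulnerable lookup injectable:",
          is_boolean_injectable(lookup_bot_vulnerable, db, "b001"))
    print("safe lookup injectable:     ",
          is_boolean_injectable(lookup_bot_safe, db, "b001"))
    print("config via UNION (vulnerable):", dump_config_via_union(db))
    print("same payload, safe lookup:    ",
          lookup_bot_safe(db, UNION_PAYLOAD))
```

sqlmap automates exactly this probing (and the subsequent enumeration) across every parameter of a URL; the boolean check above is the principle behind its blind-injection detection, and the UNION query is the principle behind its table dumps. Reading server-side configuration files, as the article mentions, is a separate step: on MySQL, sqlmap's --file-read relies on LOAD_FILE() and only works when the panel's database account holds the FILE privilege, which is not modelled here.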
