
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-03-03



Phpworm and awstats yet... / Bright Tuesday / Last diary personal poll

Published: 2005-03-03
Last Updated: 2005-03-03 23:52:04 UTC
by Pedro Bueno (Version: 1)
0 comment(s)
Phpworm and Awstats yet...




After all this time, the phpworm is already something common to see. Since parts of its code are distributed on various websites, new variants are appearing every day.

The common behavior of these variants is basically the same:

- googling for specific strings to find potentially vulnerable sites,

- exploiting them,

- malicious actions (warez, defacements, remote control...)

As the awstats vulnerability (and exploits for it) became public, the traditional behavior is there again: include the exploit in the bot's knowledge base.
Some days ago we received, from a reader, one example of a bot that was already exploiting that vulnerability:



sub site {
    my ($s) = @_;
    $s =~ s/\s//g;                          # strip all whitespace from the candidate URL
    if ($s =~ /awstats.pl/) {               # the bot only cares about URLs that point at awstats.pl
        $s =~ s/http\:\/\///g;              # drop any "http://" prefix
        $s =~ s/awstats\.pl.*/awstats.pl/;  # cut everything after "awstats.pl" (query string, etc.)
        $s = 'http://' . $s;                # re-add a single "http://" prefix
        return($s);                         # normalized http://host/path/awstats.pl
    }
}




Same old behavior. That one was also written in Perl, like the phpworm, and will look for vulnerable sites.
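As an added example from the defender's side (not code from this diary or from the bot), here is a small Python scanner that reads web server access log lines and flags requests for awstats.pl whose decoded query string carries shell metacharacters, one way to spot bots of this kind hitting your own awstats install. The log lines, IP addresses and user agents are constructed, and the metacharacter set is an assumption.

```python
import re
from urllib.parse import unquote

# Combined log format: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed set of characters that a normal awstats query never needs but command
# injection attempts typically carry ('&' is left out: it separates parameters).
SHELL_META = set('|;`<>')

def parse_line(line):
    """Return a dict of the log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_awstats_probe(target):
    """True if the request targets awstats.pl and its query holds shell metacharacters."""
    path, _, query = target.partition('?')
    if not path.lower().endswith('awstats.pl'):
        return False
    decoded = unquote(unquote(query))   # decode twice so double-encoding does not hide them
    return any(c in SHELL_META for c in decoded)

def find_awstats_probes(lines):
    """Scan log lines; return (ip, user_agent, decoded_target) for each probe found."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_awstats_probe(rec['target']):
            hits.append((rec['ip'], rec['ua'], unquote(rec['target'])))
    return hits

# Constructed sample log lines (not real traffic): a normal report view, a probe, a plain page hit.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2005:10:00:01 +0000] "GET /cgi-bin/awstats.pl?config=example&lang=en HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Mar/2005:10:00:05 +0000] "GET /cgi-bin/awstats.pl?config=%7Cprobe%7C HTTP/1.0" 200 88 "-" "lwp-trivial/1.41"',
    '198.51.100.7 - - [03/Mar/2005:10:00:06 +0000] "GET /index.html HTTP/1.0" 200 1024 "-" "lwp-trivial/1.41"',
]

if __name__ == '__main__':
    for ip, ua, target in find_awstats_probes(SAMPLE_LOG):
        print(f'{ip}  {ua}  {target}')
```

Feed it real access log lines and review the source IPs it reports; a host that also hammers other CGI paths with the same user agent is a good candidate for the kind of bot described above.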

We were seeing Brazilian hacker groups actively using these, and registering sites in Brazil to use as the primary point of contact for the bots.

The guys at NBSO-NIC are doing a good job hunting them down and canceling them within a few hours. Way to go, guys!


By the way, if you had a machine compromised by one of those and could identify the IRC server serving the botnet, drop us a line!




Bright Tuesday!




"On March 8th, 2005 the Microsoft Security Response Center is planning to release no new security bulletins."




Do you believe those words?! Well, start believing: it was posted as part of Microsoft's Security Bulletin Advance Notification strategy!
Reference (thanks, Daniel!): http://www.microsoft.com/technet/security/bulletin/advance.mspx





Last diary personal poll




First of all, thanks for all the emails with answers to my personal poll about bandwidth.

While most of us are still living with 512/1 Mb ADSL, some countries are offering 8 Mb and 16 Mb ADSL at a reasonable price.

Thanks to our readers in Japan and Korea, I am now aware that they can easily have 100 Mb (!!) thanks to FTH (Fiber to the Home) technology. Some users in the US also pointed out that Verizon was planning something similar.

I also received some emails from people comparing CD and DVD, with the point that you cannot stop progress. I completely agree! As more bandwidth comes to Joe's home computer, more powerful security technologies must emerge too. We must also think about mobile technology. With 4G (Fourth Generation Mobile), in a few years it will be possible to have server-equivalent bandwidth in your hands...
Scary? :)



-----------------------------------------------------------

Handler on Duty: Pedro Bueno ( pbueno/AT/isc.sans.org )