Tuesday, June 16, 2009

sample code for creating i-frame virus

Once the attackers had found a vulnerable PHP script, they first mapped the directory hierarchy on the web server. In the case of the sample PHP script, it looked like this:

for ($i = 3; $i < 500; $i++) {
    if ($i == 438) continue;
    // one document root per hosted site: /home/sites/site<N>/web
    flush_buffer('/home/sites/site' . $i . "/web:\n");
    iframe_account(array('/home/sites/site' . $i . '/web'));
}

From the code snippet above you can see that every site on the server has its document root at /home/sites/site[number]/web. Each iteration wraps one such path in an array and passes it to another function, iframe_account().
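What made the loop above work is that a script running as one site's account could reach every other site's web root. The following audit, added here as an example and not code from the original post, walks the /home/sites/site<N>/web layout the post shows and reports the two conditions that allow that: paths any local user can write, and web roots that share an owner with another site's web root. The two-site tree built by demo() is constructed for illustration; the layout and the one-account-per-site assumption are taken from the post.

```python
"""Permission audit for the /home/sites/site<N>/web shared-hosting layout."""
import json
import os
import stat
import tempfile
from pathlib import Path


def world_writable_paths(web_root):
    """Return every path under (and including) web_root whose mode has the other-write bit."""
    hits = []
    web_root = Path(web_root)
    candidates = [web_root]
    for dirpath, dirnames, filenames in os.walk(web_root):
        candidates.extend(Path(dirpath) / n for n in dirnames + filenames)
    for p in candidates:
        try:
            st = p.lstat()
        except OSError:
            continue
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink modes carry no meaning; the target is checked on its own
        if st.st_mode & stat.S_IWOTH:
            hits.append(str(p))
    return sorted(hits)


def shared_owner_roots(base):
    """Group site web roots by owning uid; uids that own two or more roots are returned."""
    by_uid = {}
    for site in sorted(Path(base).glob("site*/web")):
        by_uid.setdefault(site.stat().st_uid, []).append(str(site))
    return {uid: roots for uid, roots in by_uid.items() if len(roots) > 1}


def audit(base):
    """Run both checks over every site root under base."""
    report = {"world_writable": {}, "shared_owner": shared_owner_roots(base)}
    for site in sorted(Path(base).glob("site*/web")):
        hits = world_writable_paths(site)
        if hits:
            report["world_writable"][str(site)] = hits
    return report


def demo():
    """Build a constructed two-site tree in a temp dir and audit it."""
    base = Path(tempfile.mkdtemp(prefix="sites-"))
    for n in (1, 2):
        web = base / f"site{n}" / "web"
        web.mkdir(parents=True)
        for d in (web.parent, web):
            d.chmod(0o755)  # explicit modes so the result does not depend on umask
        index = web / "index.php"
        index.write_text("<?php echo 'site'; ?>\n")
        index.chmod(0o644)
    # constructed weakness: site2's upload directory is writable by everyone
    uploads = base / "site2" / "web" / "uploads"
    uploads.mkdir()
    uploads.chmod(0o777)
    return audit(base)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the demo both roots are created by the same user, so the shared-owner check fires for them as well as the world-writable check for the upload directory; on a real host the shared-owner finding is the one that turns a single vulnerable script into the loop the post shows.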

This function takes every directory and performs a recursive search for four file types:

$file_types = array('php', 'htm', 'html', 'tpl');

It then opens each file and searches for the “” tag, which is replaced with the malicious iframe and properly closed:

$iframed_content = str_replace(/'/', '', $content);

And lol – a mass attack happened.

Chance of virus attack and solutions.

Name: Flame.so / Flame.php
Appeared : Summer & Fall 2005
Uses : PHP's Dynamic Loader function - dl()

Description: Attackers exploit insecure PHP scripts to
load flame.php and flame.so on the server. The
attacker then accesses flame.php which loads
flame.so as a PHP module. The active PHP module
injects malicious code within each PHP page.

Systems Affected: Any system with the dl() function
enabled

Mitigation: Disable dl() in php.ini
– enable_dl = Off
The specific flame.so exploit has been patched in
PHP 4.4+, but variations of it can still be seen
because of the nature of the dynamic loader function.



============================================

Name: Apache DSO
Appeared: Summer & Fall 2007
Uses: Apache's Dynamic Module Support

Description: Attackers exploit an insecure script to
place a custom Apache module on the server. The
attackers then use a specially crafted URL to load the
module through Apache's dynamic module support.
This lets malicious code be served into every
request.

Systems Affected: Any system running Apache 1.3.34
or lower

Uses a technique introduced in Phrack to ensure the
code modification persists into new Apache child processes:
http://www.phrack.org/issues.html?issue=59&id=8&mode=txt


============================================

Name: Random JavaScript Toolkit
Appeared: Fall & Winter 2007 and Early 2008
Uses: Root SSH Access

Description: Attackers obtain root login credentials using
malware placed on a user's PC. The malware sends all
login information used on that PC to a master server,
where it is logged and used to install a rootkit that
serves malicious content into random web requests.

Systems Affected: RedHat 4/5, CentOS 4/5

Modifies 7 system binaries:
– /sbin/ifconfig
– /sbin/fsck
– /sbin/route
– /bin/basename
– /bin/cat
– /bin/mount
– /bin/touch
Technically not a loadable kernel module (LKM); it modifies
the kernel directly through /dev/mem.

Injects IFrame text into pages after the body tag;
sometimes random, sometimes consistent.

– Root is needed to modify the binaries.
– The infected binaries ensure the rootkit persists after
a reboot.
– Someone logs in as root without brute force: both
simple port 22 passwords and convoluted passwords on
random ports were found.
– The attacker installs a rootkit based on Boxer.
– It serves malicious code to random web requests
without any direct HTML modification.
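Because this rootkit replaces seven ordinary userland binaries and then patches the running kernel through /dev/mem, anything executed on the infected host, including a checksum tool, can be lied to. The defensive answer is a content baseline taken while the host is known clean, stored off-host, and verified from known-good media. The script below is an added example, not code from the original post; ROOTKIT_TARGETS is the list of binaries the post names, and demo() runs the same hashing and comparison over constructed temp files rather than the live system so it can be run anywhere.

```python
"""Off-host integrity baseline for the binaries the rootkit replaces."""
import hashlib
import json
import os
import tempfile

# the seven binaries the post says the rootkit modifies
ROOTKIT_TARGETS = [
    "/sbin/ifconfig", "/sbin/fsck", "/sbin/route", "/bin/basename",
    "/bin/cat", "/bin/mount", "/bin/touch",
]


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record hash, size and mode for each path; a missing path is recorded as None.

    The hash is the part that matters: a replacement that preserves size and
    mtime still changes the digest.
    """
    baseline = {}
    for p in paths:
        if not os.path.exists(p):
            baseline[p] = None
            continue
        st = os.stat(p)
        baseline[p] = {"sha256": sha256_file(p), "size": st.st_size, "mode": oct(st.st_mode)}
    return baseline


def verify(baseline):
    """Return {path: reason} for every path whose current state differs from the baseline."""
    diffs = {}
    for p, expected in baseline.items():
        current = build_baseline([p])[p]
        if current == expected:
            continue
        if expected is None:
            reason = "appeared"
        elif current is None:
            reason = "missing"
        elif current["sha256"] != expected["sha256"]:
            reason = "content changed"
        else:
            reason = "metadata changed"
        diffs[p] = reason
    return diffs


def demo():
    """Baseline three constructed stand-ins, tamper with one, and verify."""
    d = tempfile.mkdtemp(prefix="bins-")
    paths = [os.path.join(d, n) for n in ("ifconfig", "cat", "touch")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho " + os.path.basename(p).encode() + b"\n")
        os.chmod(p, 0o755)
    baseline = build_baseline(paths)
    with open(paths[1], "ab") as f:  # constructed tampering of the "cat" stand-in
        f.write(b"# injected\n")
    return verify(baseline)


if __name__ == "__main__":
    # real use: json.dump(build_baseline(ROOTKIT_TARGETS), <file kept off-host>)
    print(json.dumps(demo(), indent=2))
```

On a real host, generate the baseline from ROOTKIT_TARGETS immediately after installation, write it somewhere the host cannot modify, and run verify() from a rescue environment with the suspect disk mounted; a verify run on the live system proves nothing once the kernel has been patched.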


=============================================

Name: Gozi
Appeared: Spring 2007
Uses: Login credentials
Internet Explorer lets Winsock handle SSL, and Gozi
hooks this. It also takes all client certificates from the
Windows certificate store.

Requests are encrypted and relayed to a data-collecting
machine via HTTP in real time.
Protocols like FTP, SMTP, IMAP, POP and HTTP all use
plain text, so to obtain passwords one only has to watch
the Ethernet traffic. Winpcap and windump are easy to
download, and tools that use libpcap to grab all login
information from plaintext protocols have existed on
Linux for years.

Attention to web developers about massive hacking attack

It looks like the attack usually has two stages.

• Account password harvesting. In the first stage they collect passwords for the accounts; we can call this stage "account password harvesting". Details on how they do that are fuzzy. The truth is that on a typical Linux server it might be enough to get just one user account password to be in a reasonably good position to get root via some kind of little-known or unpatched exploit. Zones and jails are better in this respect, as they protect other users from easily compromised "suckers" who happily use passwords like 123456 or use spyware-infected PCs at home. Password complexity should be beefed up to at least 8 characters, but this does not help if the user's computer is infected with a keylogger. ISPs need to handle vastly different classes of users, and security is only as good as the weakest link.

• Mass modification of index files. In the second stage the pool of harvested passwords is used to modify certain files; we will call this stage "mass modification of index files". It looks like this stage was automated and that they use a special tool, called MPACK, to install malicious IFrames. Usually only the main site index documents were targeted (i.e. index.php, index.html, index.shtml, etc.). Malicious IFrames are usually installed at the beginning or at the end of the document, which may reflect different tools or different versions/modes of MPACK. But there are other cases when all documents were modified by replacing the HEAD tag
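Both injection patterns described on this page, the attack script earlier that rewrote a tag in every php/htm/html/tpl file under a web root, and the MPACK stage just described that drops an IFrame at the beginning or end of index documents, leave the same artefact behind: an <iframe> where the site's own templates have none. The scanner below is an added example, not code from the original post or from any tool it names. It walks a document root looking only at the four extensions the attack script targeted, reports every iframe with its position in the file (beginning, end or middle) and whether it is hidden (zero size or display:none), which is the usual shape of an injected frame. The files created by demo() are constructed; example.invalid is a reserved name standing in for the frame's target.

```python
"""Find <iframe> tags across a web tree and describe where and how they appear."""
import os
import re
import tempfile
from pathlib import Path

FILE_TYPES = {"php", "htm", "html", "tpl"}  # the attack script's $file_types list
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
EDGE = 256  # a tag within this many bytes of either end counts as "beginning"/"end"


def classify_position(start, end, length):
    """Map a match span to the placement vocabulary the post uses."""
    if start < EDGE:
        return "beginning"
    if length - end < EDGE:
        return "end"
    return "middle"


def scan_text(text):
    """Return one record per iframe tag found in text."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        hits.append({
            "offset": m.start(),
            "position": classify_position(m.start(), m.end(), len(text)),
            "hidden": bool(HIDDEN_RE.search(tag)),
            "src": src.group(1) if src else None,
        })
    return hits


def scan_tree(root):
    """Walk root and return {relative path: [iframe records]} for files of the targeted types."""
    root = Path(root)
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
            if ext not in FILE_TYPES:
                continue
            p = Path(dirpath) / name
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            hits = scan_text(text)
            if hits:
                findings[str(p.relative_to(root))] = hits
    return findings


def demo():
    """Build a constructed web root with two injected files and one clean one."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    frame = '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>'
    body = "<p>text</p>" * 60  # enough bulk that the two frames fall at opposite ends
    (root / "index.html").write_text("<html><body>" + body + frame + "</body></html>")
    (root / "tpl").mkdir()
    (root / "tpl" / "page.tpl").write_text(frame + "<html><body>" + body + "</body></html>")
    (root / "about.php").write_text("<?php echo 'clean'; ?>" + body)
    (root / "notes.txt").write_text(frame)  # not one of the scanned extensions
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for h in hits:
            print(f"{path}: {h['position']} hidden={h['hidden']} src={h['src']}")
```

On a real site, run scan_tree() over the document root and diff its output against a run taken from a clean checkout; a legitimate embedded video frame will show up in both, while a zero-size frame pointing at an unfamiliar host at the very start or end of index.php is exactly the artefact the post describes.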