January 2008

Remote-control device – the new gun of bank robbers

Bank robbers have found a very interesting technique.

From The Local article Police thwart remote-control bank heist:

Surprised last August to suddenly see his computer cursor moving on its own, the employee at the Knivsta branch of Swedbank, north of Stockholm, “discovered a cable connected to his computer linked to a remote control device fastened under his desk,” local police spokesman Christer Nordström told AFP.

The employee quickly pulled the plug, interrupting a transfer of several hundred million kronor, Nordström said.

And how they managed to install this remote-control device? According to the news sources during a break-in before the incident – no money had been stolen from the bank during a break-in.

A comment posted to Technocrat.net is pointing to another interesting case (from CIO Update article) confirmed as keylogger case:

The story is still developing but this is what we know: Thieves masquerading as cleaning staff with the help of a security guard installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui, a huge Japanese bank.

These computers evidently belonged to help desk personnel.

Swedbank is the leading bank in Sweden, Estonia, Latvia and Lithuania with more than 21,700 employees serving 9 million private and 480,000 corporate customers.

“php shell script on my server”

Q:

I have a webserver where i’ve found several different php shell scripts and I’d like to know how they got there.  Are there known vulnerabilities that allow uploading of php files to a server?

I have several sites running on this server with several php script packages including…

Zencart
phpbb2

Any ideas or pointers will be appreciated!

A: Hi,

There are several vulnerabilities in both off the shelf products as well as custom PHP scripts that would allow “uploading”, in essence they don’t need to upload, they just need to get your PHP scripts to execute an arbitrary (outside) PHP script.

PHPbb has several:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=phpbb

Listed as Code Execution, Arbitrary File Upload, etc.

While zencart has just one problem:
http://www.securiteam.com/cgi-bin/htsearch?sort=score&words=zen+cart

But that could be misleading, and just mean that the software is very uncommon.