151,000 domains attacked via dangerous PHP hole

Powered by SC Magazine
 

PHP Group issues fix for the second time.

More than 151,000 domains held by US hosting provider Dreamhost have been targeted by attackers exploiting a dangerous and long-standing PHP vulnerability.

As reported by SC Magazinethe PHP-CGI vulnerability had existed since 2004 and allowed remote code execution on current versions of the language.

The hole has now been patched, but only after preceeding fixes (versions 5.3.12 and 5.4.2) failed to work.

Some 230,000 attacks against the hosts directly attempted to exploit the vulnerability, according to SpiderLabs which obtained the figures from Dreamhost.

The attacks attempted to install webshells and backdoors on targeted machines, analysis from Spiderlabs' honeypots revealed.

One string of attacks had tried to upload a RFI file PHP backdoor program and then write a crude mod_rewrite fix to close off the PHP vulnerability, in efforts to prevent other attackers gaining access. 

''.chr(10).
'RewriteEngine On'.chr(10).
'RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]'.chr(10).
'RewriteRule ^(.*) $1? [L]'.chr(10).	

The PHP-CGI flaw was publicly disclosed, reportedly in error, to Reddit following the issuance of the patches but before the fixes were found to have failed. Researcher Steffan Esser was the first to note the failure.

The vulnerability was discovered during a capture-the-flag event at the Nullcon event last year by Dutch security firm De Eindbazen.

Users can apply an interim fix using Spiderlabs' code which it said was better than others because it closed off vulnerability to the RFI attack.

SecRule QUERY_STRING "^-[sdcr]" "phase:1,t:none,t:urlDecodeUni,t:removeWhitespace,block,log,msg:'Potential PHP-CGI Exploit Attempt'"

Copyright © SC Magazine, Australia


151,000 domains attacked via dangerous PHP hole
 
 
 
Top Stories
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
The CISO’s dilemma: Do you trust your partner’s partner?
[Blog post] How far down the chain do you check?
 
Microsoft confirms Australian Azure launch
Available from next week.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  23%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 301

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  58%
 
No
  42%
TOTAL VOTES: 113

Vote