Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
More than 151,000 domains held by US hosting provider Dreamhost have been targeted by attackers exploiting a dangerous and long-standing PHP vulnerability.
As reported by SC Magazine, the PHP-CGI vulnerability had existed since 2004 and allowed remote code execution on current versions of the language.
The hole has now been patched, but only after preceeding fixes (versions 5.3.12 and 5.4.2) failed to work.
Some 230,000 attacks against the hosts directly attempted to exploit the vulnerability, according to SpiderLabs which obtained the figures from Dreamhost.
The attacks attempted to install webshells and backdoors on targeted machines, analysis from Spiderlabs' honeypots revealed.
One string of attacks had tried to upload a RFI file PHP backdoor program and then write a crude mod_rewrite fix to close off the PHP vulnerability, in efforts to prevent other attackers gaining access.
''.chr(10). 'RewriteEngine On'.chr(10). 'RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]'.chr(10). 'RewriteRule ^(.*) $1? [L]'.chr(10).
''.chr(10). 'RewriteEngine On'.chr(10). 'RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]'.chr(10).
'RewriteRule ^(.*) $1? [L]'.chr(10).
The PHP-CGI flaw was publicly disclosed, reportedly in error, to Reddit following the issuance of the patches but before the fixes were found to have failed. Researcher Steffan Esser was the first to note the failure.
The vulnerability was discovered during a capture-the-flag event at the Nullcon event last year by Dutch security firm De Eindbazen.
Users can apply an interim fix using Spiderlabs' code which it said was better than others because it closed off vulnerability to the RFI attack.
SecRule QUERY_STRING "^-[sdcr]" "phase:1,t:none,t:urlDecodeUni,t:removeWhitespace,block,log,msg:'Potential PHP-CGI Exploit Attempt'"
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.
