Search results backed worm attacking PHP scripts in the wild December 25th
Following up on the recent phpBB worm, there is a new variant derived from the Santy worm out there (the original has supposedly been "smacked down" by Google by now) that tries to exploit random PHP scripts that fail to sanitize user-supplied input. According to a report on the Full-Disclosure mailing list and heise online, it is driven by Google search results that indicate a PHP script accepts GET parameters in its query string.
Once a potential victim has been found, the script sends HTTP GET requests with command strings attached, which are then executed as the web server user if the web developer did not pay close attention to the aforementioned user-supplied input. A wget process is spawned to download additional helper applications, such as an IRC client and another copy of the worm itself, in order to 'own' further servers. The IRC client joins the other compromised servers in a dedicated IRC channel and waits for orders from the worm author.
As the attack patterns (and there are a lot of them; freshmeat.net alone has received more than 5,000 requests with this pattern so far) all have the same root URL in common (visualcoders.net), it is pretty easy to lower your personal risk of a successful attack (especially if you do not fully trust third-party PHP scripts, for example) with the following mod_rewrite rules in your Apache config (this works for both Apache 1.3 and 2.0):
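The rule set referred to above did not survive on this page. What follows is an added example of the kind of mod_rewrite rule the paragraph describes, written here for illustration rather than taken from the original post. It assumes mod_rewrite is loaded and, for use in a `.htaccess` file, that the directory allows `AllowOverride FileInfo`; the host name `visualcoders.net` is the one named in the post.

```apache
# Added example (not the original post's rules): refuse any request whose
# query string references the worm's download host, so a vulnerable PHP
# script never gets to fetch or execute the payload.
RewriteEngine On

# RewriteCond matches %{QUERY_STRING} as sent on the wire, i.e. without
# URL-decoding, so the percent-encoded dot (%2E) is matched explicitly.
# [NC] makes the match case-insensitive; [OR] joins the two conditions.
RewriteCond %{QUERY_STRING} visualcoders\.net   [NC,OR]
RewriteCond %{QUERY_STRING} visualcoders%2Enet  [NC]

# [F] answers with 403 Forbidden, [L] stops processing further rules.
# The rule pattern ".*" matches every URL path, so only the conditions decide.
RewriteRule .* - [F,L]
```

A request such as `GET /index.php?page=http://visualcoders.net/...` then never reaches the PHP script; it is answered with `403 Forbidden` and logged as such, which also makes the attempts easy to count in the access log. Note that the rule only stops this particular variant: a copy of the worm pointing at a different download host would pass straight through, so the host list needs updating as new root URLs are reported.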
This also works globally in your `httpd.conf` or `apache2.conf`, respectively, and simply returns a `403 Forbidden` error as soon as someone tries to access a URL with the string `visualcoders.net` in its query string.
Please make sure you follow the discussion about this worm, as additional root URLs might turn up soon, which would require tweaking your mod_rewrite rules a bit.