Sophos

12 May 2007 14:25 GMT

W4ck a Site

A few of the phishing attacks intercepted today targeted Poste Italiane Group (think yellow and blue). Nothing unusual there, but whilst digging a little further into one of the attacks, things became a little more interesting.

The call to action within the phishing attack pointed to content hosted within the Coppermine gallery area of an innocent domain. Anyone following the link was presented with a fake login page to Poste Italiane. Poking around some more within the gallery directories I found some other interesting files:

Browsing malicious content uploaded into gallery

The postenew directory contains the page that redirects to content used for the Poste Italiane phish (the content is hosted on another compromised web server!). Browsing the wss directory reveals content for an eBay phishing attack:

eBay phish attack within gallery

The most interesting file is 404.php, (not so) cunningly masquerading as a legitimate error page. Closer inspection reveals it is actually a web shell, used by the hackers to gain remote access to the server.

w4ck1ng-shell interface

There are many similar shells widely used. This particular one goes by the name of w4ck1ng-shell. It provides the hackers with an interface to perform all sorts of administrative activity on the web server (much akin to the functionality provided by legitimate web server admin consoles).

The other files in the directory provide the hacker with the ability to run a SOCKS proxy on the web server.
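The pattern described above (server-side scripts and phishing pages planted in a gallery's image upload tree, one of them named like an error page) is the kind of thing an administrator can sweep for. The script below is an added example written for this post, not code from Sophos or from Coppermine; it walks an upload directory and flags files that should not be there: files with script extensions, image-named files that contain a PHP open tag, PHP files named like error or index pages, PHP that calls command-execution or code-obfuscation functions, and HTML pages in a tree that should hold only images. The directory layout and file contents it scans are constructed sample data built in a temporary directory, not files from the compromised site.

```python
"""Heuristic sweep of a gallery upload tree for planted scripts and pages (added example)."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass, field

PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Functions that run OS commands or decode hidden code; any hit inside an upload tree deserves a look.
SUSPECT_CALLS = re.compile(
    rb"\b(eval|system|passthru|shell_exec|exec|proc_open|popen|base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".cgi", ".pl"}
PAGE_EXTENSIONS = {".html", ".htm"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
# Names chosen to look like a harmless error or index page (the post's 404.php is the canonical case).
ERROR_PAGE_NAMES = re.compile(r"^(40[0-9]|50[0-9]|error|index)\.", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reasons: list[str] = field(default_factory=list)


def inspect_file(path: str, data: bytes) -> list[str]:
    """Return the list of reasons a file in an image upload tree looks out of place (empty if clean)."""
    reasons: list[str] = []
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    has_php = bool(PHP_OPEN_TAG.search(data))
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"server-side script extension {ext} in upload tree")
    if ext in PAGE_EXTENSIONS:
        reasons.append("HTML page in image upload tree (possible phishing page)")
    if ext in IMAGE_EXTENSIONS and has_php:
        reasons.append("image-named file contains a PHP open tag")
    if has_php and ERROR_PAGE_NAMES.match(name):
        reasons.append("script named like an error/index page")
    if has_php:
        calls = sorted({m.group(1).decode().lower() for m in SUSPECT_CALLS.finditer(data)})
        if calls:
            reasons.append("suspect calls: " + ", ".join(calls))
    return reasons


def scan_upload_tree(root: str) -> list[Finding]:
    """Walk an upload tree and return findings sorted by relative path."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read(262144)  # the first 256 KiB is plenty for these heuristics
            reasons = inspect_file(path, data)
            if reasons:
                findings.append(Finding(os.path.relpath(path, root), reasons))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree() -> str:
    """Constructed sample gallery: one clean album and one with planted files. Not real site data."""
    root = tempfile.mkdtemp(prefix="gallery_")
    samples = {
        "albums/holiday/beach.jpg": b"\xff\xd8\xff\xe0JFIF constructed image bytes",
        # Stand-in for a script posing as an error page; the body is a harmless constructed marker.
        "albums/userpics/404.php": b"<?php /* constructed marker, not a real shell */ passthru('echo constructed'); ?>",
        # Stand-in for a PHP polyglot hidden behind an image header.
        "albums/userpics/logo.gif": b"GIF89a<?php /* constructed */ eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>",
        # Stand-in for a proxy helper script dropped beside the shell.
        "albums/userpics/proxy.pl": b"#!/usr/bin/perl\n# constructed stand-in, does nothing\n",
        # Stand-in for a phishing page hosted inside the gallery.
        "albums/wss/index.html": b"<html><body>constructed phishing page stand-in</body></html>",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in scan_upload_tree(build_sample_tree()):
        print(finding.path)
        for reason in finding.reasons:
            print("   -", reason)
```

Run against a real gallery, point `scan_upload_tree` at the upload root and review every hit by hand; legitimate galleries keep their own PHP outside the albums tree, so anything flagged inside it is suspect. The durable fix is to stop the web server executing scripts from the upload directories at all (for Apache with mod_php, `php_flag engine off` or a `RemoveHandler` directive scoped to that directory), so a planted 404.php is served as inert text instead of running.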

And the moral of the story?

Fraser Howard, SophosLabs UK