Reacties op: Keygenguru malware injection on server http://blog.cauwenbergh.be/no-category/keygenguru-malware-injection-on-server.html When communication is needed Sun, 09 May 2010 22:00:14 +0000 http://wordpress.org/?v=2.9.1 hourly 1 Door: smaert http://blog.cauwenbergh.be/no-category/keygenguru-malware-injection-on-server.html/comment-page-1#comment-931 smaert Wed, 18 Nov 2009 17:57:32 +0000 http://blog.cauwenbergh.be/no-category/keygenguru-malware-injection-on-server.html#comment-931 Hi, This looks like the same issue that I spent many days trying to fix. I've traced this to a vulnerability with php and inherited file descriptors being used to 'take over' apache children and serve malicious redirects. I written much on this subject, including how to find the source of the problem, how to test if your webserver is vulnerable, and many details surrounding this clever attack. Please read: http://smaert.com/apache_mischief/writeup.txt Regards, smaert Hi,

This looks like the same issue that I spent many days trying to fix.

I’ve traced this to a vulnerability with php and inherited file descriptors being used to ‘take over’ apache children and serve malicious redirects.

I written much on this subject, including how to find the source of the problem, how to test if your webserver is vulnerable, and many details surrounding this clever attack.

Please read:

http://smaert.com/apache_mischief/writeup.txt

Regards,
smaert

]]> Door: Robin http://blog.cauwenbergh.be/no-category/keygenguru-malware-injection-on-server.html/comment-page-1#comment-929 Robin Mon, 16 Nov 2009 07:38:44 +0000 http://blog.cauwenbergh.be/no-category/keygenguru-malware-injection-on-server.html#comment-929 it uses a galleryscript most of the time to upload an image (jpg, gif, ...). After that they use that to execute a script in place of showing the image, because the file they uploaded is not an image but a script, this script will do some nasty things and make the popups and blanc pages! it uses a galleryscript most of the time to upload an image (jpg, gif, …). After that they use that to execute a script in place of showing the image, because the file they uploaded is not an image but a script, this script will do some nasty things and make the popups and blanc pages!

]]> Door: Tristan http://blog.cauwenbergh.be/no-category/keygenguru-malware-injection-on-server.html/comment-page-1#comment-928 Tristan Sun, 15 Nov 2009 20:59:18 +0000 http://blog.cauwenbergh.be/no-category/keygenguru-malware-injection-on-server.html#comment-928 Any idea on what attack vector it uses to infect sites? Any idea on what attack vector it uses to infect sites?

]]> Door: Robin http://blog.cauwenbergh.be/no-category/keygenguru-malware-injection-on-server.html/comment-page-1#comment-926 Robin Mon, 09 Nov 2009 06:42:48 +0000 http://blog.cauwenbergh.be/no-category/keygenguru-malware-injection-on-server.html#comment-926 yes we have fixed the problem. yes we have fixed the problem.

]]> Door: Bonus http://blog.cauwenbergh.be/no-category/keygenguru-malware-injection-on-server.html/comment-page-1#comment-924 Bonus Sun, 08 Nov 2009 21:22:08 +0000 http://blog.cauwenbergh.be/no-category/keygenguru-malware-injection-on-server.html#comment-924 Did you fix it? We have same problem too... Did you fix it? We have same problem too…

]]>