Wednesday, June 30, 2010

Rest my chemistry

I have worked on and looked after systems for over a decade, and in that time I have seen many security breaches. They have ranged from serious ones, taking out an entire school network for a couple of days, to defacement of a web page. Each time different factors took their toll.

The most recent attack was against the LAN party website. A vulnerability in the content management system E107 allowed an attacker to upload a script file to my site: a file "fwriteq.php", a modified version of a PHP example file. When a remote attacker requested the page using a specific URL, the page output a huge amount of junk traffic towards an IP address given in the request string.

The weird thing about it was that it created UDP datagrams. In response I cleaned up the site and altered the firewall to block outgoing UDP traffic on port 80, as this is invariably junk.

I went through the logs and found the command and control IPs which were sending in the requests for traffic, and then emailed the abuse contacts. BT owned two of them and I received no response (another reason not to recommend them). One of them was a Linode box; they replied and asked for more details, which I sent on to them.
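As an added example (not code from the original post), here is the kind of log triage described above: it scans constructed Apache-style access log lines for requests to the uploaded fwriteq.php, lists the requesting addresses (the candidate command and control hosts to report to their abuse contacts) and the IPv4 literals passed in the query string (the flood targets). The query parameter name used by the script is not known from the post, so the parser is assumed to match any IPv4 literal in the query string rather than a named parameter.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Apache combined-format access log lines (not real log data).
# The script name fwriteq.php comes from the post; the "ip=" parameter is an assumption.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Jun/2010:21:14:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jun/2010:21:15:40 +0100] "GET /fwriteq.php?ip=192.0.2.55&time=300 HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [28/Jun/2010:21:20:41 +0100] "GET /fwriteq.php?ip=192.0.2.55&time=300 HTTP/1.1" 200 12 "-" "-"
198.51.100.23 - - [28/Jun/2010:22:01:09 +0100] "GET /fwriteq.php?ip=192.0.2.99&time=600 HTTP/1.1" 200 12 "-" "-"
203.0.113.10 - - [28/Jun/2010:22:05:17 +0100] "GET /images/logo.png HTTP/1.1" 200 3380 "-" "Mozilla/5.0"
"""

# Source address, timestamp, method, request path (with query) and status code.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any dotted-quad literal; used because the real parameter name is assumed, not known.
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


def triage(log_text, script_name="fwriteq.php"):
    """Return (controllers, targets).

    controllers: requester address -> number of hits on the uploaded script
    targets: IPv4 literal found in the query string -> sorted list of requesters
    Lines for other paths and unparseable lines are ignored.
    """
    controllers = Counter()
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("path").partition("?")
        if not path.endswith("/" + script_name):
            continue
        controllers[m.group("src")] += 1
        for ip in IPV4_RE.findall(query):
            targets[ip].add(m.group("src"))
    return dict(controllers), {ip: sorted(srcs) for ip, srcs in targets.items()}


if __name__ == "__main__":
    ctl, tgt = triage(SAMPLE_LOG)
    for ip, n in sorted(ctl.items(), key=lambda kv: -kv[1]):
        print(f"controller {ip}: {n} request(s) -> look up abuse contact for this address")
    for ip, srcs in tgt.items():
        print(f"flood target {ip} requested by {', '.join(srcs)}")
```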