Daley Ponderings

After a slightly hectic day yesterday, when I noticed some strange behavior on one of my servers, we released a new version of LifeType.  While I am not impressed that the bug existed in the first place, I think it is pretty neat that a development fixed was released within 4 hours of the bug being discovered, and an official release within 36 hours.  The last time we had a security issue, we released the fix in less than 24 hours, but it is harder on a Sunday.

The security issue itself wasn't all that interesting - we were checking a blacklist in a case-sensitive manner, and so filename.PHP was incorrectly allowed to be uploaded, and filename.php was correctly blocked.

What was interesting was what the Iranian hacker was doing once he uploaded the script.  It turns out he actually uploaded the script a month ago, modified my customer's home page (just added a link to his own site) and then came back now to actually do his "real" work.  My theory is that perhaps there are people who get paid $5 for every web site they figure out how to hack into, and give the URL to the payer.  Then, they payer gets around to actually logging (manually) and setting up his attack.  In this case, they used my customer's account to try to crash another bulletin board.  They weren't trying to actually get access to it, just bring it down to be annoying.  I forgot to save the name of the site they were trying to bring down, so I can't contact them to see how they fared, but like the previous spammer code I looked at, this one was also quite nifty.  Some Russians distribute some PHP code that is fairly obfuscated (I almost gave up trying to figure out how it worked, but managed to finally get it unobfuscated) that prints a handy web page that allows an attacker to view information about the server, check /etc/passwd for insecure accounts, run whatever program he wants (and download the source and compile if needed), auto-update the software from the Russian site if there is an upgrade, email logs of the progress, etc.