I'd like to make a joke out of them using PHP, and writing terrible PHP at that. We're guessing many of these bugs will be fixed, but it may take a while for DDoS users to apply a patch. In addition to a failure to clean up malicious SQL commands, Pandora contains coding errors that cause infected machines to send broken HTTP requests to C&C servers.
The previously reported attack on the Krebs site consisted of "several hundred systems repeatedly requesting image-heavy pages." One ad for the new tool claims that it needs just 10 infected computers to bring down an unhardened site, or just 1,000 bots to slow response times for Russia's most popular search engine. Pandora, which boasts new functionality that makes DDoS attacks more powerful, was recently used against security journalist Brian Krebs's KrebsOnSecurity site. The omission is present even in Pandora, the newest member of the Dirt Jumper family. Witness, for example, the lack of "input sanitization" in the mysql_query function of the following PHP code: ip=$_POST The vulnerabilities stem from amateur coding mistakes made by the Dirt Jumper developers. Prolexic said the attacks can be wielded by rival malicious actors, researchers, DDoS victims, law enforcement agents, and "any other interested party in possession of a C&C identity." The attacks work against a variety of variants in the Dirt Jumper family, which Prolexic says is among the most popular DDoS attack tools on the market today. DDoSers kept radical transparency website WikiLeaks offline for 10 days, and BitTorrent tracker Demonoid was also out of commission thanks to the attack technique. The manual comes as DoS attacks have surged 82 percent since June 2011, according to a recent report by Arbor Networks. In 2010, security researcher Billy Rios devised a script that exploited vulnerabilities in the ZeuS crimeware kit, a feat that allowed him to hijack the servers that fed commands and updates to hundreds of thousands of infected computers. It's not the first time white hat hackers have identified crippling holes in blackhat software tools. Readers are encouraged to seek competent legal advice before trying any of the techniques described here. What's more, using pilfered credentials to access someone else's account may be illegal, depending on where the hacker and DDoS server are located. It remains unclear just how easy it is to locate the server address of a Dirt Jumper C&C, although it wouldn't be surprising if the software transmits a unique signature that can be detected using port-scanning software or other tools. Var/It triggers a SQL-injection vulnerability in Dirt Jumper that dumps the name of the configuration file for the underlying server, as shown in the following screenshot: p k -data="k=" -technique=t -dbms=mysql -fileread=”/ Compromise of the server's Web application can then be used to perform a DIY downing of the host server.
They are simple PHP/MySQL scripts that are pieced together to manage the infected bots."Ī handful of command-line strings, the open-source penetration-testing tool SQLMap, and knowledge of a command server's location are pretty much all that's required to gain access to its back-end database and server-side configuration files. "The weakest link within this malware family is the insecure coding practices used in the creation of the C&C panels. "The authors of this malware overlooked security for critical portions of its toolkits," the Prolexic researchers wrote in the report, which can be downloaded here, after completing the Web form at the right side of the page. The manual was published on Tuesday by researchers with DDoS mitigation provider Prolexic. By targeting SQL injection flaws in the software-which is sold for thousands of dollars in underground forums-counter-attackers can commandeer the master control servers used to distribute commands to large numbers of infected computers, which act as foot soldiers in such attacks. The do-it-yourself how-to provides instructions that even hacking novices can follow to exploit critical vulnerabilities in "Dirt Jumper," a family of tools used to wage the crippling denial-of-service attacks.
#Dirt jumper ddos tool kit how to
Turning the tables on miscreants who paralyze websites with torrents of junk data, security researchers have published a detailed manual that shows how to neutralize some of the Internet's most popular denial-of-service tools.
0 kommentar(er)
