lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 21 Feb 2006 20:20:06 +0100 (CET)
From: Christine Kronberg <Christine_Kronberg@...ua.de>
To: Gadi Evron <ge@...uxbox.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]


On Mon, 20 Feb 2006, Gadi Evron wrote:
> Christine Kronberg wrote:
>> On Sun, 19 Feb 2006, Gadi Evron wrote:
>> 
>>> Today, we received a notification about a new Linux malware ItW (In the 
>>> Wild).
>> 
>>   They are not exactly new. I've seen them floating around for about
>>   two months now. There a different binaries running around doing the
>>   same work (different the way that they have been compiled on different
>>   linux distributions). Part of that work is to be distributed by trying
>>   to get in via vulnerable php scripts. Look to me like being part of a
>>   worm.
>
> Indeed, the most annoying thing about the PHP worms today is that these PHP 
> vulnerabilities being exploited are everywhere.
>
> As I already mentioned, this recent Linux worm has more to it, but that's in 
> another post.

   I know. The first time I got that "double" was on 15.12.2004.
   Actually there four components to most of the attacks. There are
   the two programs you are talking about. And there are two scripts
   acting as helpers to download the stuff.

> These vulnerabilities being exploited are very difficult to protect from 
> because:
> 1. PHP is the "serious" or at least open-source/Linux/security freak's choice 
> for web development. Mine as well (although as many still say, Perl does a 
> better job).

   As I'm not familiar with php I'm not sure if php is the problem.
   To me it seems more likely that problem lies in the way people
   "program" their webapplications.

> 2. Developing secure applications in PHP is difficult, as one of PHP's 
> creators said recently - even to him after years of trying.
>
> 3. Staying on top of new PHP vulnerabilities has become impossible, popping 
> around everywhere.

   I do not see so much php vulnerabilities but vulnerabilities in
   application written in php - written by people not thinking about
   input validation, not thinking about buffer overflows.

> One note I'd like to make, is that even if the second (interesting) payload 
> in the Linux worm wasn't there, just because someone utilizes old malware in 
> the creation of new malware doesn't mean it is new, or 99.9% of any "virus" 
> every written would be old.

   See above. The second part was in there since at least 15th of December
   last year.

   Cheers,


                                                      Christine Kronberg.

-- 
GeNUA mbH

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ