An older vulnerability in phpMyAdmin (CVE-2009-1151) is now being exploited by a botnet known as dd_ssh. Details are still emerging, but it appears that this new bot originated from 91.193.157.206 according to SANS. If the exploit of CVE-2009-1151 succeeds on a vulnerable phpMyAdmin install, the files vmsplice.txt, dd.txt, and, in some instances, vm.c are downloaded from the aforementioned IP. The last of those files contains the vmsplice local root exploit (CVE-2008-0600). After being compromised, the infected installations start making connections to multiple addresses on ports 54509 and 54510, most likely for command & control. SANS ISC is actively monitoring this apparent new botnet and has noticed a notable uptick in machines scanning SSH lately.
More Info Over at SANS ISC and thanks goes to Briareos over at BroadBand Reports for the quick fact-finding and possible discovery.
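As an added example (not from the SANS write-up or this post), here is a small Python triage script that matches the indicators given above, the drop-site IP, the three payload filenames, and the two command & control ports, against two constructed inputs: a proxy log in a hypothetical "epoch client method url" layout and a netstat-style connection table. A host is scored "high" only when both a download from the drop site and an outbound connection to a C2 port are seen, which is the correlation an analyst would want before calling a box compromised. The log formats, internal addresses and remote C2 addresses are made up for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators reported for the dd_ssh campaign (taken from the post above)
DOWNLOAD_HOST = "91.193.157.206"
PAYLOAD_FILES = {"vmsplice.txt", "dd.txt", "vm.c"}
C2_PORTS = {54509, 54510}


@dataclass(frozen=True)
class Finding:
    kind: str    # "payload_download", "payload_filename" or "c2_connection"
    host: str    # internal host the finding concerns
    detail: str  # the URL or remote endpoint that matched


# Constructed sample proxy log, hypothetical layout: "<epoch> <client> <method> <url>"
SAMPLE_PROXY_LOG = """\
1255000001 10.0.0.5 GET http://updates.example.com/index.html
1255000002 10.0.0.5 GET http://91.193.157.206/vmsplice.txt
1255000003 10.0.0.5 GET http://91.193.157.206/dd.txt
1255000004 10.0.0.7 GET http://cdn.example.com/vm.c
1255000005 10.0.0.5 GET http://91.193.157.206/vm.c
"""

# Constructed sample connection table, netstat-like: "<proto> <local> <remote> <state>"
SAMPLE_CONNECTIONS = """\
tcp 10.0.0.5:43012 203.0.113.10:80 ESTABLISHED
tcp 10.0.0.5:43013 198.51.100.22:54509 ESTABLISHED
tcp 10.0.0.5:43014 198.51.100.23:54510 SYN_SENT
tcp 10.0.0.9:22 192.0.2.4:51234 ESTABLISHED
tcp 10.0.0.7:54509 192.0.2.8:33000 ESTABLISHED
"""

PROXY_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")
CONN_RE = re.compile(r"^(?P<proto>tcp|udp)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)$")


def scan_proxy_log(text):
    """Flag fetches from the known drop site, and (more weakly) fetches of the
    payload filenames from anywhere else."""
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        url = urlparse(m["url"])
        filename = url.path.rsplit("/", 1)[-1]
        if url.hostname == DOWNLOAD_HOST:
            findings.append(Finding("payload_download", m["client"], m["url"]))
        elif filename in PAYLOAD_FILES:
            findings.append(Finding("payload_filename", m["client"], m["url"]))
    return findings


def _split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def scan_connections(text):
    """Flag outbound connections whose remote port is one of the C2 ports.
    Only the remote port is checked, matching the post's description of
    infected hosts connecting out; a local listener on those ports is not
    what was reported."""
    findings = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        local_host, _ = _split_endpoint(m["local"])
        remote_host, remote_port = _split_endpoint(m["remote"])
        if remote_port in C2_PORTS:
            detail = f"{remote_host}:{remote_port} {m['state']}"
            findings.append(Finding("c2_connection", local_host, detail))
    return findings


def triage(proxy_text, conn_text):
    """Correlate both sources per internal host. Download from the drop site
    plus a C2 connection scores high; either alone scores medium; a payload
    filename from an unrelated host scores low."""
    kinds_by_host = {}
    for f in scan_proxy_log(proxy_text) + scan_connections(conn_text):
        kinds_by_host.setdefault(f.host, set()).add(f.kind)
    verdict = {}
    for host, kinds in kinds_by_host.items():
        if {"payload_download", "c2_connection"} <= kinds:
            verdict[host] = "high"
        elif "payload_download" in kinds or "c2_connection" in kinds:
            verdict[host] = "medium"
        else:
            verdict[host] = "low"
    return verdict


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_connections(SAMPLE_CONNECTIONS):
        print(f"{f.kind:18} {f.host:10} {f.detail}")
    print(triage(SAMPLE_PROXY_LOG, SAMPLE_CONNECTIONS))
```

Run it as-is to see the findings on the constructed data; to use it for real, feed it your own proxy export and a connection snapshot in the same two layouts (or adjust the regexes). Note that a vm.c fetched from somewhere other than the drop site only scores low on its own, since the filename is generic; the IP and the port pair are the stronger signals the post gives.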
Remember back in the days of Windows 95 when someone could use the OOB attack to remotely BSOD a PC? Well now you can relive your youth with a classic throwback from Microsoft! Windows Vista, Server 2008, and Windows 7, in all variants, have a similar vulnerability that allows a remote attacker to take your machine down with a simple ampersand. Leave it up to Microsoft to do it all again more than a decade later.
The SMB 2.0 driver in the x86 and x64 versions of Windows Vista, Server 2008, and Windows 7 is one and the same. When it is sent the “&” character in the “Process ID High” SMB header field, the driver page-faults and brings us the beloved Blue Screen of Death we’ve all come to know and love.
Credit goes to Laurent Gaffié and you can find the Proof-of-Concept on his blog.
My name is Kyle Jones; M32 Security is my collection of noteworthy IT and Network Security news, links, resources, and various other NetSec tidbits. If you find something interesting, feel free to register and make a comment on it, or contact me.
