Analysis of the Redkit exploit kit used in the Boston bombing campaign

Source: Internet
Author: User

Redkit was used in the recent compromise of the NBC website and in spam campaigns themed on the Boston bombing. Security analysts suspect that it targets web servers (such as Apache and Nginx) and may be installed on the server itself for theft.

First, let's look at how Redkit works:

When a victim browses a website that an attacker has compromised, the browser is usually redirected to the exploit kit's landing page. This redirection has several distinct stages, but over the last few months Sophos has seen the TROJ/IFRAME-JG block used frequently.

The following figure shows the injected iframe, which is easy to spot:

The initial redirection (usually an iframe) points to another legitimate site whose server has been compromised (this is the first-stage redirection). It leads to a 4-character .htm or .html page in the root of that web server. For example:

Compromised_site.net/dfsp.html

Compromised_site.com/zpdb.html

The response to this request is an HTTP 301 redirection (this is the second-stage redirection).

This redirection sends the victim to the exploit kit's web server, again to a 4-character .htm or .html page.

At this point the landing page loads malicious JAR files to launch the attack.

Redkit targets only Java vulnerabilities.

Currently the landing pages differ slightly, for example by using JNLP (Java Network Launching Protocol):

From the victim's point of view, the malicious content is served by the compromised web server (the second-stage redirection). However, I later found that the content is never stored on that web server.

Instead, Redkit installs a PHP shell on the compromised web server to manage it. The PHP shell is responsible for:

Redirecting first-stage victims to another server (randomly selected). The PHP shell connects to a remote Redkit command-and-control (C&C) server to obtain a list of other malicious sites (updated every hour).

Serving the malicious landing pages and JAR content to victims. This content is not loaded from disk; instead it is downloaded from the C&C server over HTTPS (using curl). The PHP shell therefore acts essentially as a proxy for the malicious content.

PHP shell Troj/PHPRed-

The PHP shell works together with a .htaccess file that routes incoming HTTP requests for the 4-character .htm/.html files to the necessary PHP script.

The following figure illustrates this.
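As an added defender's example (not part of the original article), the following Python script looks for the two server-side traces described above: access-log requests for root-level 4-character .htm/.html pages answered with a 301, and .htaccess RewriteRule lines that hand such requests to a PHP script. The log lines, the .htaccess content and the cache.php path are constructed for illustration, not taken from the article.

```python
import re

# Constructed Apache access-log sample (not from the article).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [18/Apr/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Apr/2013:10:01:07 +0000] "GET /dfsp.html HTTP/1.1" 301 0 "http://injected.example/" "Mozilla/5.0"
203.0.113.9 - - [18/Apr/2013:10:01:08 +0000] "GET /zpdb.htm HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.12 - - [18/Apr/2013:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.14 - - [18/Apr/2013:10:02:30 +0000] "GET /abcd.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Constructed .htaccess of the kind the article describes: requests for
# 4-character .htm/.html pages are handed to a PHP script (path is hypothetical).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^([a-z]{4})\\.html?$ /wp-content/uploads/cache.php [L]
"""

# Request path and status code from a Combined Log Format entry.
LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A root-level page named with exactly 4 characters and a .htm/.html extension.
FOUR_CHAR_PAGE = re.compile(r'^/[A-Za-z0-9]{4}\.html?$')
# RewriteRule <pattern> <target> [flags]
REWRITE_RE = re.compile(r'^\s*RewriteRule\s+(?P<pattern>\S+)\s+(?P<target>\S+)', re.IGNORECASE)


def suspicious_redirects(log_text):
    """Return paths of root-level 4-character .htm/.html requests answered with 301."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if m.group("status") == "301" and FOUR_CHAR_PAGE.match(path):
            hits.append(path)
    return hits


def suspicious_rewrites(htaccess_text):
    """Return RewriteRule lines that route .htm/.html requests to a .php script."""
    hits = []
    for line in htaccess_text.splitlines():
        m = REWRITE_RE.match(line)
        if m and "htm" in m.group("pattern").lower() and m.group("target").lower().endswith(".php"):
            hits.append(line.strip())
    return hits
```

Run `suspicious_redirects()` over a real access log and `suspicious_rewrites()` over each .htaccess under the document root; a hit on either is a reason to inspect the server for an unexpected PHP file.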
