Running on someone elses platform - scammers uploading and running PHP phishing on the cheap

November 02, 2006 at 10:19 AM | categories: python, oldblog | View Comments

Some people think that in the future, generally speaking, we (a very amorphus indescript "we") will be running all our systems and services of their (another amorphus blob) platform. People point to web services as one key example where this is true. Another place that's pointed at is places that will host mashups. All well and good (well, actually, I'm not personally enamoured with the idea, but that's not what this post is about). However I recently, by accident, discovered what I believe to be a malware example of this. They're doing it for personal enterprise reasons, and they're risking a lot by doing so. Why? Because they're a phishing scammer.

Yep, I received a phishing email, and the fake login.php appears to have been placed on an innocent third party's website - because it allowed uploads (anonymously or otherwise), and the upload location will run arbitrary php files. (Probably due to a bad gallery style application in this case))

How long have people been doing this? Dunno. I tend to file all such scam mails in the circular inbox, but it's a new one on me. Checking inside there shows that all the others I still have copies of are all using cgi-bin's which is a lot harder than just uploading a file and saying "run this".

The scammer needs no serving resources, no resources for sending the emails, in fact the barrier to entry is almost non-existant - just find a site that allows uploads and runs arbitrary uploaded code. People complain about windows machines allowing arbitrary execution of code, but this is far worse - this is directly akin to saying "hey, upload random code to me and do what you like". It's more or less the modern equivalent of putting a machine on the internet running telnet or ssh, but without and password set for root.

It's also rather nasty - someone who runs a server in such a mode, also probably won't be able to do the correct forensics to track down where things came from. Delightful. If anyone's curious, the subject line of this phishing scam is "Please authenticate and update your account by checking the link below immediately" - you've probably got a copy.

As a result, please, unless your system for uploads is designed for handling code, please have someway of ensuring that whatever is uploaded cannot be run. This comment comes around with every mechanism for sharing, and I almost can't believe you have to say it, and yet you do. Hopefully though someone from Django & TurboGears will go "ooh, if we provide a safe mechanism for doing that, everyone will want to compete with us and implement it too " :-) It won't solve all the problems, but it'd be a cool start.

One of these days, people will learn :-/

blog comments powered by Disqus