DoS Tool: 403.php

Labs Note

One of our analysts, Kaushal Bhavsar, found a malicious DoS file within a compromised website’s filesystem under the filename 403.php.

malicious DoS under the filename 403.php

Aptly named after 403 error which can occur when users are denied access to a particular area of a website, the file attempts to conceal itself from casual viewers by loading a blank white page whenever a visitor loads the file directly in their browser.

To execute malicious code in the file, the visitor needs to pass two URL parameter values, time and host, through a submitted GET request. These two variables store modifiable values for the DoS attack, which the attacker can execute when they submit their request.

The time and host values let the PHP script know how long to run the attack (time) and against whom (host). Once the attacker knows the values they want to use, they can simply submit a GET request with the special parameter values.

Here is an example of a successful attack request shown in the browser, but this request could be sent from any HTTP client.

malicious DoS using GET request with special parameter values

A single website with this malicious file is not much of a threat to most servers and can be quickly blocked, but unprotected servers or clients could face issues if under attack from many different infected websites or host devices (e.g botnet).

The tool performs the attack by flooding UDP packets to the host through a port randomly chosen between 1-65000.

malicious DoS tool performs attack by flooding UDP packets to the host

You May Also Like

Large scale TDS redirections

Lots of compromised sites redirecting to TDS: http://1151.website.snafu.de/hkkj.html?h=1475928 http://adaptpro.co.uk/mwhi.html?h=1380448 http://aennekens.de/hozs.html?h=1180315 http://afamontserrat.org/zapn.html?h=877095 http://afhwarranty.us/wmcs.html?h=1235327 http://aklmn.com/mzos.html?h=1216229 http://alghuraba.co.uk/owes.html?h=1364764 http://app.2need.net/hwed.html?h=617164 http://appprices.com/heos.html?h=1168480 http://arlington9to5.com/mccf.html?h=423540 http://ashneh.in/zopn.html?h=841597 http://babylonproduction.com/wmcf.html?h=557620 http://badmintonscreensaver.com/ehai.html?h=1333181 http://bcitec.com/amms.html?h=1232317 http://belve.fr/wzai.html?h=1244948 http://belve.fr/wzpn.html?h=847683 http://bestofbec.com/hkgb.html?h=1507945 http://bestofbec.com/hmgn.html?h=809281…
Read More