Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: A Puzzlement... - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A Puzzlement...

Perhaps I'm getting old and unimaginative - but I just don't get it...

About a month and a half ago, I published a diary called "What's In A Name." In that diary, I discussed an interesting "hack," where additional names were added to DNS zone information as part of what appears to be an SEO (search engine optimization) scam.

Over the past month, I've seen several web app RFI (remote file inclusion) attacks that have been using "target files" hosted on machines with names like or  A little digging shows that these names also appear to have been added to DNS zones without the knowledge or permission of their owners.  As in the first set of these I found, those names point to a completely different machine (in fact, in a different country) that has nothing at all to do with the main domain.

So, what's the point of using one of these names?  What does this sort of obfuscation gain someone doing RFI attacks?

I'd love to hear some theories, because honestly... I'm stumped.

Tom Liston
ISC Handler
Senior Security Analyst, InGuardians, Inc.
twitter: tliston

P.S.: The folks at the web hosting company that I talked with were less than helpful.  The contents of DNS were "confidential" and they could only respond to a "client complaint." So I'm left trying to explain to some poor, clueless, mom and pop outfit that they need to contact their web host and complain about something called "DNS."  Lovely.

I keep hearing horror stories about how organizations treat people who contact them regarding security issues.  Please make sure that *your* organization truly works with anyone who reports an incident.  It's the frickin' holidays, after all...


160 Posts
Nov 28th 2011
The missing piece of your puzzle is that this is required to pass some poorly thought out input validation routines in some apps. The likely candidate here is the timthumb.php vuln detailed at;

In this case, the vulnerable code attempts to confirm it's fetching a file from one of a small list of allowed sites. It does this by requiring a regex match between a small list of allowed sites, and the parameter value. Unfortunately, the regex isn't anchored, so and are both accepted.

If you're URI doesn't have a string matching one of the whitelisted domains, your code won't execute.
Jeff- I was so focused on the name hack that I failed to look closely enough at the attacks. You're EXACTLY correct... Thank you!

160 Posts

Sign Up for Free or Log In to start participating in the conversation!