DNS Pharming through PHP Injection: Attack Scenario and Investigation

Full Text (PDF, 989 KB), pp. 21-28


Author(s)

Divya Rishi Sahu 1,*, Deepak Singh Tomar 1

1. CSE Department, MANIT, Bhopal, 462003, India

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2015.04.03

Received: 5 Jun. 2014 / Revised: 10 Oct. 2014 / Accepted: 26 Nov. 2014 / Published: 8 Mar. 2015

Index Terms

PHP Code Injection, Command Injection, DNS Pharming, Attack Scenario, Cyber Forensics, Script Kiddie

Abstract

The Internet has provided web programmers with a set of tools and technologies for developing effective websites. PHP is the most widely used server-side scripting language, and more than twenty million websites are built with it. It is used as the core script of web content management systems (WCMS) such as Joomla, WordPress, Drupal and SilverStripe. PHP also has security flaws arising from certain vulnerabilities, such as PHP injection, remote file inclusion and unauthorized file creation. PHP injection is a variant of code injection in which a PHP script may be exploited to execute remotely supplied commands. The contribution of this paper is twofold. First, it presents a unifying view of the PHP injection vulnerability as used to alter the 'hosts file'; second, it introduces an investigation process for alteration of the 'hosts file' through PHP injection. The attack is presented as a type of DNS pharming. In the investigation process a chain of evidence is created and an algebraic signature is developed to detect the described attack.
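The attack scenario and the investigation step sketched in the abstract, as an added PHP example that is not part of the paper: a handler that evaluates request input as PHP code, the injected payload that appends a pharming entry to the hosts file, the hardened handler that replaces eval() with an allow-list, and a check that flags hosts-file entries mapping a public name to a non-loopback address. The paper's exact injection vector is not stated here, so the eval() injection point is an assumption; the hosts file is a temporary copy so the demo never touches /etc/hosts; the SHA-256 baseline comparison is a simple stand-in and is not the paper's algebraic signature. The names vulnerableHandler, hardenedHandler and suspiciousHostsEntries, the domain www.example-bank.com and the address 203.0.113.5 are constructed for the example.

```php
<?php
// Added example (not from the paper): PHP code injection that appends a
// pharming entry to a hosts file, the hardened handler, and a forensic
// check for suspicious hosts-file entries.
// Assumptions: eval() over request input is the injection point; the
// hosts file is a temporary copy; the hash baseline is a stand-in for the
// paper's algebraic signature.

declare(strict_types=1);

// --- Attack scenario -------------------------------------------------------

// Vulnerable handler: request input is evaluated as PHP code.
function vulnerableHandler(array $request): void
{
    eval($request['code']);                       // injection point
}

// Hardened handler: no eval(); only an allow-listed set of named actions.
function hardenedHandler(array $request): string
{
    $actions = [
        'ping' => fn() => 'pong',
        'time' => fn() => date('c'),
    ];
    $name = $request['code'] ?? '';
    if (!isset($actions[$name])) {
        return 'error: unknown action';
    }
    return $actions[$name]();
}

// --- Investigation: flag pharming-style entries in a hosts file -----------

// Heuristic: a dotted hostname bound to a non-loopback address is unusual in
// a hosts file and is exactly what a pharming entry looks like.
function suspiciousHostsEntries(string $hostsText): array
{
    $hits = [];
    foreach (explode("\n", $hostsText) as $index => $line) {
        $line = trim(preg_replace('/#.*$/', '', $line));   // strip comments
        if ($line === '') {
            continue;
        }
        $fields = preg_split('/\s+/', $line);
        $ip = array_shift($fields);
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            continue;                                   // malformed line
        }
        $isLoopback = strncmp($ip, '127.', 4) === 0 || $ip === '::1';
        foreach ($fields as $host) {
            if ($isLoopback || strpos($host, '.') === false) {
                continue;   // localhost entries and bare LAN names are normal
            }
            $hits[] = ['line' => $index + 1, 'ip' => $ip, 'host' => $host];
        }
    }
    return $hits;
}

// --- Demo on a temporary hosts file (constructed) --------------------------
$hosts = tempnam(sys_get_temp_dir(), 'hosts');
file_put_contents($hosts, "127.0.0.1 localhost\n::1 localhost\n");
$baseline = hash_file('sha256', $hosts);

// Constructed attacker payload: appends a pharming entry for a bank domain.
$payload = sprintf(
    "file_put_contents(%s, \"203.0.113.5 www.example-bank.com\\n\", FILE_APPEND);",
    var_export($hosts, true)
);

vulnerableHandler(['code' => $payload]);            // entry is written
echo hardenedHandler(['code' => $payload]), "\n";    // payload is rejected

if (hash_file('sha256', $hosts) !== $baseline) {
    echo "hosts file differs from baseline\n";
}
foreach (suspiciousHostsEntries(file_get_contents($hosts)) as $hit) {
    printf("line %d: %s -> %s\n", $hit['line'], $hit['host'], $hit['ip']);
}
unlink($hosts);
```

Run it with `php pharming_demo.php`. One caveat a practitioner should keep in mind: the injected code runs with the privileges of the PHP worker, which on a correctly configured server cannot write /etc/hosts (or the Windows hosts file), so the scenario presupposes a weak file permission, a CMS running as a privileged user, or a separate privilege escalation. The integrity baseline is therefore most useful when it is recorded before deployment and stored off the host.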

Cite This Paper

Divya Rishi Sahu, Deepak Singh Tomar, "DNS Pharming through PHP Injection: Attack Scenario and Investigation", International Journal of Computer Network and Information Security (IJCNIS), vol. 7, no. 4, pp. 21-28, 2015. DOI: 10.5815/ijcnis.2015.04.03
