
RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a Remote Access Trojan (RAT). The RAT is a simple ROT-13-encoded PHP script. The script provides a means of file transfer and permissions management via HTTP queries on the remote side and the dreaded eval() function on the local side. Interestingly, these functions are somewhat protected: in order to work, it is necessary to provide a hash along with the HTTP query, and the length of the query string has to match the size of its associated file. Can't have someone else taking advantage of your hard work, I suppose.

The script includes a standard six-byte GIF header before the "
Developers could make attacks like these much more difficult by including more sophisticated file type checks in upload functionality. In the case of this GIF, a sanity check of the Logical Screen Descriptor block (which must be two pairs of two bytes, each a 16-bit positive integer) in addition to the Header Block would have caught this as phony. Even more obviously, checking for common open tags for scripts would have caught this and similar garbage-ware (e.g. ,
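As an added example (not code from the original post), here is a Python upload-side validator that performs the two checks described above and goes one step further: it verifies the Header Block and the Logical Screen Descriptor, walks the GIF block structure through to the trailer (rejecting unknown block introducers and any bytes after the trailer), and finally scans the file for common script open tags. The dimension check on its own is weak, because any four bytes decode to two unsigned 16-bit integers, which is why the structural walk and the tag scan are added. The sample files, the MAX_DIMENSION policy limit and the function names are all constructed for this example.

```python
import re
import struct

# Constructed sample inputs (not taken from the original post).
# A minimal, well-formed 1x1 GIF89a image:
GOOD_GIF = (
    b"GIF89a"                      # Header Block
    + b"\x01\x00\x01\x00"          # Logical Screen Descriptor: width=1, height=1 (LE uint16)
    + b"\x80\x00\x00"              # packed byte (GCT present, 2 colours), bg index, aspect
    + b"\x00\x00\x00\xff\xff\xff"  # Global Color Table: 2 entries x 3 bytes
    + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00" + b"\x00"  # Image Descriptor
    + b"\x02"                      # LZW minimum code size
    + b"\x02\x44\x01"              # one data sub-block (2 bytes: clear, pixel 0, EOI)
    + b"\x00"                      # block terminator
    + b"\x3b"                      # Trailer
)
# The pattern the post describes: a six-byte GIF header followed by script text.
FAKE_GIF = b"GIF89a" + b"<?php /* constructed stand-in for an uploaded script */ ?>"
# A structurally valid GIF carrying a script tag inside a Comment Extension.
COMMENT_GIF = GOOD_GIF[:-1] + b"\x21\xfe" + bytes([8]) + b"<?php ?>" + b"\x00" + b"\x3b"

SCRIPT_TAGS = re.compile(rb"<\?php|<\?=|<\?|<%|<script", re.IGNORECASE)
MAX_DIMENSION = 16384  # policy limit for this service (assumption for the example)


class GifError(ValueError):
    pass


def _sub_blocks(data, pos):
    """Skip a chain of data sub-blocks starting at pos; return offset after the terminator."""
    while True:
        if pos >= len(data):
            raise GifError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size
        if pos > len(data):
            raise GifError("sub-block runs past end of file")


def _color_table_size(packed):
    # Table present if bit 7 set; size is 3 * 2^(N+1) bytes with N in the low 3 bits.
    return (3 << ((packed & 0x07) + 1)) if packed & 0x80 else 0


def validate_gif(data):
    """Raise GifError unless data is a structurally sound GIF containing no script tags."""
    if len(data) < 13:
        raise GifError("shorter than header + logical screen descriptor")
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifError("bad header block")
    width, height, packed = struct.unpack("<HHB", data[6:11])
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        raise GifError("implausible logical screen dimensions %dx%d" % (width, height))
    pos = 13 + _color_table_size(packed)
    if pos > len(data):
        raise GifError("truncated global color table")
    saw_image = False
    while True:
        if pos >= len(data):
            raise GifError("no trailer")
        introducer = data[pos]
        pos += 1
        if introducer == 0x3B:      # Trailer
            break
        if introducer == 0x21:      # Extension: label byte, then sub-blocks
            if pos >= len(data):
                raise GifError("truncated extension")
            pos = _sub_blocks(data, pos + 1)
        elif introducer == 0x2C:    # Image Descriptor
            if pos + 9 > len(data):
                raise GifError("truncated image descriptor")
            ix, iy, iw, ih, ipacked = struct.unpack("<HHHHB", data[pos:pos + 9])
            if iw == 0 or ih == 0 or ix + iw > width or iy + ih > height:
                raise GifError("image block outside logical screen")
            pos += 9 + _color_table_size(ipacked)
            if pos >= len(data):
                raise GifError("truncated image block")
            pos = _sub_blocks(data, pos + 1)  # skip LZW min code size, then image data
            saw_image = True
        else:
            raise GifError("unknown block introducer 0x%02x at offset %d" % (introducer, pos - 1))
    if not saw_image:
        raise GifError("no image data")
    if pos != len(data):
        raise GifError("%d trailing bytes after trailer" % (len(data) - pos))
    m = SCRIPT_TAGS.search(data)
    if m:
        raise GifError("script open tag %r at offset %d" % (m.group(), m.start()))


def is_acceptable_gif(data):
    """Return (accepted, reason) for use by an upload handler."""
    try:
        validate_gif(data)
        return True, "ok"
    except GifError as e:
        return False, str(e)


if __name__ == "__main__":
    for name, blob in (("GOOD_GIF", GOOD_GIF), ("FAKE_GIF", FAKE_GIF), ("COMMENT_GIF", COMMENT_GIF)):
        print(name, is_acceptable_gif(blob))
```

The header-plus-script upload is rejected at the Logical Screen Descriptor stage (its "height" decodes to far more than the policy limit), while the comment-extension sample passes every structural check and is only caught by the tag scan; the structural walk is what catches script text simply appended after a real image's trailer.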



This post first appeared on Josh Wieder.
