The itsoknoproblembro distributed denial of service (DDoS) toolkit threatens web content management systems by infecting servers with malicious PHP scripts. This cybersecurity threat advisory includes profiles of 11 different attack signatures with detailed SNORT rules for DDoS mitigation and detection rules to identify infected web servers (bRobots). The report also includes a free log analysis tool (BroLog.py) that can be used to pinpoint which scripts were accessed, the IP address used and the specific DDoS targets, to aid sanitization efforts.
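The log-analysis idea described above (which PHP scripts were requested, from which client IPs, and which hosts those requests named) can be reproduced with a short access-log triage script. The following is an added example written for this summary; it is not BroLog.py or any other code from the advisory. It assumes Apache/nginx "combined" log format, and the script path, parameter names and log lines in it are constructed for the illustration (the real parameter names used by the toolkit are not on the page, so the code matches on the shape of a value rather than on a name).

```python
"""Access-log triage: which PHP scripts were hit, by whom, naming which hosts.

Added example, not the advisory's BroLog.py. Assumes the 'combined' log format
used by Apache and nginx; sample lines and names below are constructed.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" format: client ip, ident, user, [timestamp], "request", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A query-string value shaped like a hostname, IPv4 address or URL. Parameter
# names are not on the page, so candidate targets are recognised by value shape.
HOSTLIKE_RE = re.compile(
    r'^(?:https?://)?'
    r'(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)'
    r'(?::\d+)?(?:/\S*)?$'
)

# Constructed sample log (not real traffic); "cache.php" and "host=" are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /wp-content/uploads/cache.php?host=www.example.net&port=80&dur=300 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:13:55:41 +0000] "GET /wp-content/themes/t/logo.png HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2012:13:56:02 +0000] "GET /wp-content/uploads/cache.php?host=www.example.net&port=80&dur=300 HTTP/1.1" 200 512 "-" "curl/7.21"
203.0.113.5 - - [10/Oct/2012:13:57:10 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 12 "-" "curl/7.21"
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qsl(url.query, keep_blank_values=True)
    return rec


def triage(lines):
    """Aggregate requests to PHP scripts: hit counts, client IPs per script and
    host-like parameter values (candidate DDoS targets) per script."""
    hits = Counter()
    ips = defaultdict(set)
    targets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(".php"):
            continue  # unparsable line, or a static asset rather than a script
        script = rec["path"]
        hits[script] += 1
        ips[script].add(rec["ip"])
        for _name, value in rec["params"]:
            if HOSTLIKE_RE.match(value):
                targets[(script, value)] += 1
    return {
        "hits": hits,
        "ips": {script: sorted(addrs) for script, addrs in ips.items()},
        "targets": targets,
    }


def report(result):
    """Print a human-readable summary of the triage result."""
    for script, n in result["hits"].most_common():
        print(f"{script}: {n} requests from {', '.join(result['ips'][script])}")
    for (script, host), n in result["targets"].most_common():
        print(f"  {script} was passed host-like value {host!r} {n} time(s)")


if __name__ == "__main__":
    report(triage(SAMPLE_LOG.splitlines()))
```

Run it against a real access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; scripts that sit under upload, cache or theme directories, are requested almost exclusively by a few external IPs, and receive host-like parameters are the ones to inspect first, and the recorded values tell you which hosts the server was used to flood.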
Throughout the fall of 2012, a very public DDoS campaign emerged that targeted multiple sectors with unprecedented levels of malicious DDoS traffic. The attacks made use of thousands of compromised web servers and a multi-tiered attack-and-control topology.
Attackers exploited vulnerabilities in outdated versions of the content management applications themselves, or public vulnerabilities in third-party plugins or themes.
Servers that contained the itsoknoproblembro toolkit often showed evidence of multiple points of compromise and were being used for several malicious purposes at once, such as spam and phishing. This outcome suggests two possibilities:
In either case, the end result was a large number of zombied web servers that were able to generate in excess of 70Gbps of DDoS traffic at their peak.