[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Possible apache2/php 4.3.9 worm

To: <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: [Full-Disclosure] Possible apache2/php 4.3.9 worm
From: "Alex Schultz" <aschultz@xxxxxxxxxxxx>
Date: Tue, 21 Dec 2004 07:32:20 -0800

Some of the sites I administer were alledgedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache.  The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
 <HTML>
 <HEAD> 
 <TITLE>This site is defaced!!!</TITLE> 
 </HEAD>
<BODY bgcolor="#000000" text="#FF0000"> 
<H1>This site is defaced!!!</H1> 
<HR> 
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> 
</BODY>
</HTML>

We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
this before?  Also is there anything I should be aware of such as a
possible binary that may have been dropped?  Could this have been
accomplised by the upload path traversal vulnerability?  Google returns
nothing.


Thanks
-Alex Schultz


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Possible apache2/php 4.3.9 worm
  - From: Ron Brogden
- Re: [Full-Disclosure] Possible apache2/php 4.3.9 worm
  - From: Paul Schmehl
- Re: [Full-Disclosure] Possible apache2/php 4.3.9 worm
  - From: Pamela Patterson
- Re: [Full-Disclosure] Possible apache2/php 4.3.9 worm
  - From: Juan Carlos Navea

Prev by Date: Re: [Full-Disclosure] [ZH2004-18SA]Firefox/Opera-bypass of security restrcition by Content-Type spoofi
Next by Date: [Full-Disclosure] Re: Possible apache2/php 4.3.9 worm
Previous by thread: [Full-Disclosure] [ GLSA 200412-14 ] PHP: Multiple vulnerabilities
Next by thread: Re: [Full-Disclosure] Possible apache2/php 4.3.9 worm
Index(es):
- Date
- Thread