[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Re: Full-Disclosure Digest, Vol 1, Issue 2120

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] Re: Full-Disclosure Digest, Vol 1, Issue 2120
From: Justin Mason <justin.mason@xxxxxxxxxxxxxxxx>
Date: Tue, 21 Dec 2004 10:05:11 -0800

full-disclosure-request@xxxxxxxxxxxxxxxx wrote:

Send Full-Disclosure mailing list submissions to
        full-disclosure@xxxxxxxxxxxxxxxx
To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request@xxxxxxxxxxxxxxxx
You can reach the person managing the list at
        full-disclosure-owner@xxxxxxxxxxxxxxxx
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."
Today's Topics:

1. Possible apache2/php 4.3.9 worm (Alex Schultz)

----------------------------------------------------------------------
Message: 1
Date: Tue, 21 Dec 2004 07:32:20 -0800
From: "Alex Schultz" <aschultz@xxxxxxxxxxxx>
Subject: [Full-Disclosure] Possible apache2/php 4.3.9 worm
To: <full-disclosure@xxxxxxxxxxxxxxxx>
Cc: gentoo-security@xxxxxxxxxxxxxxxx
Message-ID:
        <685F5668BEFF12479A66F1204BF59BF1803DB8@xxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain;       charset="us-ascii"
Some of the sites I administer were alledgedly hit by a worm last night. It overwrote all .php/.html files that were owner writable and owned by apache. The worm put the following html in place of what was there: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML> <HEAD> <TITLE>This site is defaced!!!</TITLE> </HEAD> <BODY bgcolor="#000000" text="#FF0000"> <H1>This site is defaced!!!</H1> <HR> <ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> </BODY> </HTML>
We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
this before?  Also is there anything I should be aware of such as a
possible binary that may have been dropped?  Could this have been
accomplised by the upload path traversal vulnerability?  Google returns
nothing.
Thanks
-Alex Schultz
------------------------------
_______________________________________________
Full-Disclosure mailing list
Full-Disclosure@xxxxxxxxxxxxxxxx
https://lists.netsys.com/mailman/listinfo/full-disclosure
End of Full-Disclosure Digest, Vol 1, Issue 2120 ************************************************

Alex:

Your version of php, according to Hardened PHP was vulnerable to a series of "easy to exploit" vulnerabilitys. Interested to know wether you were in fact running any of the software they mentioned, phpbb/phpads(new)/Invision etc.

Take a look, http://www.hardened-php.net/advisories/012004.txt - that quite well may be the reason.

Best of luck!
Justin Mason
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: RE: [Full-Disclosure] OpenSSH is a good choice?
Next by Date: [Full-Disclosure] Re: Worm hitting PHPbb2 Forums
Previous by thread: [Full-Disclosure] RE: Worm hitting PHPbb2 Forums
Next by thread: [Full-Disclosure] header intact.
Index(es):
- Date
- Thread