Re: [Full-Disclosure] Possible apache2/php 4.3.9 worm
- To: Alex Schultz <aschultz@xxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Possible apache2/php 4.3.9 worm
- From: Juan Carlos Navea <loconet@xxxxxxxxx>
- Date: Tue, 21 Dec 2004 13:21:38 -0500
There is some information regarding this here:
http://www.pcpro.co.uk/news/67505/santya-sparks-messageboard-infection-epidemic.html
On Tue, 21 Dec 2004 07:32:20 -0800, Alex Schultz <aschultz@xxxxxxxxxxxx> wrote:
> Some of the sites I administer were allegedly hit by a worm last night.
> It overwrote all .php/.html files that were owner writable and owned by
> apache. The worm put the following html in place of what was there:
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML>
> <HEAD>
> <TITLE>This site is defaced!!!</TITLE>
> </HEAD>
> <BODY bgcolor="#000000" text="#FF0000">
> <H1>This site is defaced!!!</H1>
> <HR>
> <ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
> </BODY>
> </HTML>
>
> We were running apache 2.0.52 and php 4.3.9. Have any of you encountered
> this before? Also is there anything I should be aware of such as a
> possible binary that may have been dropped? Could this have been
> accomplished by the upload path traversal vulnerability? Google returns
> nothing.
>
> Thanks
> -Alex Schultz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
--
http://www.loconet.ca