[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Objet :Full-Disclosure Digest, Vol 1, Issue 2120 (De retour le mardi 28 décembre.)

To: <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: [Full-Disclosure] Objet :Full-Disclosure Digest, Vol 1, Issue 2120 (De retour le mardi 28 décembre.)
From: "Christophe Savin" <christophe.savin@xxxxxx>
Date: Wed, 22 Dec 2004 18:50:09 +0100

 En mon absence,  toute demande concernant les réseaux doit être envoyée au 
mail : ars_reseaux@xxxxxx ou (ars_transpac pour tout incident lié à ce réseau)

En cas d'urgence, Vous pouvez contacter :
  La Hot-line Réseaux : 01 49 15 32 53  
  François LEVEQUE au 01 49 15 30 56
  Pascal PAINPARAY au 01 49 15 31 36.
 
  Bonnes fêtes de fin d'année.
  Christophe SAVIN


>>> full-disclosure 12/21/04 18:00 >>>

Send Full-Disclosure mailing list submissions to
        full-disclosure@xxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request@xxxxxxxxxxxxxxxx

You can reach the person managing the list at
        full-disclosure-owner@xxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Today's Topics:

   1. Possible apache2/php 4.3.9 worm (Alex Schultz)


----------------------------------------------------------------------

Message: 1
Date: Tue, 21 Dec 2004 07:32:20 -0800
From: "Alex Schultz" <aschultz@xxxxxxxxxxxx>
Subject: [Full-Disclosure] Possible apache2/php 4.3.9 worm
To: <full-disclosure@xxxxxxxxxxxxxxxx>
Cc: gentoo-security@xxxxxxxxxxxxxxxx
Message-ID:
        <685F5668BEFF12479A66F1204BF59BF1803DB8@xxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain;       charset="us-ascii"

Some of the sites I administer were alledgedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache.  The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
 <HTML>
 <HEAD> 
 <TITLE>This site is defaced!!!</TITLE> 
 </HEAD>
<BODY bgcolor="#000000" text="#FF0000"> 
<H1>This site is defaced!!!</H1> 
<HR> 
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> 
</BODY>
</HTML>

We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
this before?  Also is there anything I should be aware of such as a
possible binary that may have been dropped?  Could this have been
accomplised by the upload path traversal vulnerability?  Google returns
nothing.


Thanks
-Alex Schultz




------------------------------

_______________________________________________
Full-Disclosure mailing list
Full-Disclosure@xxxxxxxxxxxxxxxx
https://lists.netsys.com/mailman/listinfo/full-disclosure


End of Full-Disclosure Digest, Vol 1, Issue 2120
************************************************


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: RE: [Full-Disclosure] OpenSSH is a good choice?
Next by Date: [Full-Disclosure] Re: [caudium-devel] [SECUNIA] Regarding Secunia Advisory SA13040
Previous by thread: [Full-Disclosure] [ GLSA 200412-11 ] Cscope: Insecure creation of temporary files
Next by thread: [Full-Disclosure] Re: [caudium-devel] [SECUNIA] Regarding Secunia Advisory SA13040
Index(es):
- Date
- Thread