On 05/24/2012 03:53 PM, Tom Metro wrote:
> Stephen Adler wrote:
>> Today I noticed that someone has uploaded a php file called g00nfish,
>> which looks to me like some kind of web server exploit code. Anyone know
>> the origins of such a tool?
>
> Hadn't heard of it, but...
>
>> The way my web site is structured, there is
>> no way for that file to be executed, but maybe there's something about
>> this exploit file that I don't know and I could be vulnerable?
>
> You're probably not vulnerable, but your site may be facilitating
> attacks on other sites. The attacker might be using your site to
> "launder" his IP, such that an exploit script can be coded to pull from
> your storage service without the attacker needing to run a server or
> exposing his IP.
>
> (Presumably he is bouncing through anonymous proxies and other exploited
> machines when he makes outbound connections. Far more convenient to pull
> files from a known URL rather than trying to serve a file through all
> those anonymizing mechanisms. That attack script might also run
> unattended, at some unknown future date, so having a known fixed URL is
> necessary.)
>
> -Tom

Interesting. Web site is designed to keep downloads limited and I
haven't seen any so far for this file. But that's a good point you raise.
Thanks.