http://www.viruslist.com/en/weblog
http://isc.sans.org/diary.php?date=2004-12-21 Cheers, Phil ---- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf > Of Alex Schultz > Sent: 21 December 2004 15:32 > To: [email protected] > Cc: [EMAIL PROTECTED] > Subject: [Full-Disclosure] Possible apache2/php 4.3.9 worm > > Some of the sites I administer were alledgedly hit by a worm > last night. > It overwrote all .php/.html files that were owner writable > and owned by apache. The worm put the following html in > place of what was there: > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML> > <HEAD> <TITLE>This site is defaced!!!</TITLE> </HEAD> <BODY > bgcolor="#000000" text="#FF0000"> <H1>This site is > defaced!!!</H1> <HR> <ADDRESS><b>NeverEverNoSanity WebWorm > generation 17.</b></ADDRESS> </BODY> </HTML> > > We were running apache 2.0.52 and php 4.3.9. Have any of you > encounted this before? Also is there anything I should be > aware of such as a possible binary that may have been > dropped? Could this have been accomplised by the upload path > traversal vulnerability? Google returns nothing. > > > Thanks > -Alex Schultz > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
