[EMAIL PROTECTED] wrote:
Today's Topics:
1. Possible apache2/php 4.3.9 worm (Alex Schultz)
----------------------------------------------------------------------
Message: 1
Date: Tue, 21 Dec 2004 07:32:20 -0800
From: "Alex Schultz" <[EMAIL PROTECTED]>
Subject: [Full-Disclosure] Possible apache2/php 4.3.9 worm
To: <[email protected]>
Cc: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"
Some of the sites I administer were allegedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache. The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
</BODY>
</HTML>
We were running apache 2.0.52 and php 4.3.9. Have any of you encountered this before? Also, is there anything I should be aware of, such as a possible binary that may have been dropped? Could this have been accomplished by the upload path traversal vulnerability? Google returns nothing.
Thanks,
-Alex Schultz
Full-Disclosure mailing list
[email protected]
https://lists.netsys.com/mailman/listinfo/full-disclosure
End of Full-Disclosure Digest, Vol 1, Issue 2120
Alex:
Your version of php, according to Hardened PHP, was vulnerable to a series of "easy to exploit" vulnerabilities. Interested to know whether you were in fact running any of the software they mentioned, phpbb/phpads(new)/Invision etc.
Take a look at http://www.hardened-php.net/advisories/012004.txt - that quite well may be the reason.
Best of luck!
Justin Mason

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
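As an added example, not part of the original thread or written by either poster, the triage check Alex's report implies, in Python: walk a web root and report which .php/.html files carry the quoted defacement marker, and which are both owned by the web-server user and owner-writable, the combination the worm was able to overwrite. The web root, the user name and the sample files are constructed in a temporary directory purely for the demonstration.

```python
"""Triage scan for the 'NeverEverNoSanity WebWorm' defacement quoted above."""
import os
import pwd
import stat
import tempfile

MARKER = b"NeverEverNoSanity WebWorm"   # string from the defacement page in the post
WEB_EXTENSIONS = (".php", ".html")

def _owner_name(uid):
    """Map a uid to a user name; fall back to the numeric uid if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def scan_webroot(root, web_user):
    """Return sorted (relative path, defaced, exposed) tuples for web files under root.

    defaced: file content contains MARKER.
    exposed: file is owned by web_user and owner-writable, i.e. the
             pre-condition for the overwrite Alex describes.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):        # skip symlinks, devices
                continue
            exposed = _owner_name(st.st_uid) == web_user and bool(st.st_mode & stat.S_IWUSR)
            with open(path, "rb") as fh:
                defaced = MARKER in fh.read(65536)  # marker sits near the top
            findings.append((os.path.relpath(path, root), defaced, exposed))
    return sorted(findings)

def demo():
    """Build a constructed sample web root and scan it (current user stands in for 'apache')."""
    me = _owner_name(os.getuid())
    defaced = b"<HTML><TITLE>This site is defaced!!!</TITLE>" + MARKER + b" generation 17.</HTML>"
    files = {
        "index.html": (defaced, 0o644),                     # overwritten and still writable
        "about.php": (b"<?php echo 'hello'; ?>", 0o644),    # clean but exposed
        "static/readme.txt": (defaced, 0o644),              # not a web file, ignored
        "admin/login.php": (b"<?php ?>", 0o444),            # read-only: not exposed
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, mode) in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
            os.chmod(full, mode)
        return scan_webroot(root, me)
```

Run against a real web root with `scan_webroot("/var/www", "apache")`; any file reported as both defaced and exposed is one the worm could overwrite again after restoration unless the ownership or mode is changed.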
