There were several serious holes just released in 4.3.9 of PHP. That is a possible attack vector from what you are saying. Get 4.3.10 of PHP for sure. As far as what this does or what all it would do, someone needs to get a good catch of it.
Anyone ready to setup a box? =) > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf > Of Alex Schultz > Sent: Tuesday, December 21, 2004 9:32 AM > To: [email protected] > Cc: [EMAIL PROTECTED] > Subject: [Full-Disclosure] Possible apache2/php 4.3.9 worm > > Some of the sites I administer were alledgedly hit by a worm > last night. > It overwrote all .php/.html files that were owner writable > and owned by apache. The worm put the following html in > place of what was there: > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML> > <HEAD> <TITLE>This site is defaced!!!</TITLE> </HEAD> <BODY > bgcolor="#000000" text="#FF0000"> <H1>This site is > defaced!!!</H1> <HR> <ADDRESS><b>NeverEverNoSanity WebWorm > generation 17.</b></ADDRESS> </BODY> </HTML> > > We were running apache 2.0.52 and php 4.3.9. Have any of you > encounted this before? Also is there anything I should be > aware of such as a possible binary that may have been > dropped? Could this have been accomplised by the upload path > traversal vulnerability? Google returns nothing. > > > Thanks > -Alex Schultz > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
