[Full-Disclosure] =?iso-8859-1?q?Objet_=3AFull-Disclosure_Digest?= =?iso-8859-1?q?=2C_Vol_1=2C_Issue_2120_=28De_retour_le_mardi_28_d=E9cembr?= =?iso-8859-1?q?e=2E=29?=

Wed, 22 Dec 2004 12:31:58 -0800 

 En mon absence,  toute demande concernant les r�seaux doit �tre envoy�e au 
mail : [EMAIL PROTECTED] ou (ars_transpac pour tout incident li� � ce r�seau)

En cas d'urgence, Vous pouvez contacter :
  La Hot-line R�seaux : 01 49 15 32 53  
  Fran�ois LEVEQUE au 01 49 15 30 56
  Pascal PAINPARAY au 01 49 15 31 36.
 
  Bonnes f�tes de fin d'ann�e.
  Christophe SAVIN


>>> full-disclosure 12/21/04 18:00 >>>

Send Full-Disclosure mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Today's Topics:

   1. Possible apache2/php 4.3.9 worm (Alex Schultz)


----------------------------------------------------------------------

Message: 1
Date: Tue, 21 Dec 2004 07:32:20 -0800
From: "Alex Schultz" <[EMAIL PROTECTED]>
Subject: [Full-Disclosure] Possible apache2/php 4.3.9 worm
To: <[email protected]>
Cc: [EMAIL PROTECTED]
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain;       charset="us-ascii"

Some of the sites I administer were alledgedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache.  The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
 <HTML>
 <HEAD> 
 <TITLE>This site is defaced!!!</TITLE> 
 </HEAD>
<BODY bgcolor="#000000" text="#FF0000"> 
<H1>This site is defaced!!!</H1> 
<HR> 
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> 
</BODY>
</HTML>

We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
this before?  Also is there anything I should be aware of such as a
possible binary that may have been dropped?  Could this have been
accomplised by the upload path traversal vulnerability?  Google returns
nothing.


Thanks
-Alex Schultz




------------------------------

_______________________________________________
Full-Disclosure mailing list
[email protected]
https://lists.netsys.com/mailman/listinfo/full-disclosure


End of Full-Disclosure Digest, Vol 1, Issue 2120
************************************************


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Reply via email to