Hi all, this is a message that was posted to the incidents list @ securityfocus.

Roland von Herget recognized some unusual traffic in his logs. Maybe someone else can check if he can find that too, and if he does, post a message (maybe to the incidents list too). There could be a worm or something like that out there, using the upload vuln. in PHP <= 4.0.4?! If this is just panic - feel free to correct me =)

regards,
Peter

----- Original Message -----
From: "Roland von Herget" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 25, 2002 7:05 PM
Subject: PHP content-disposition vuln

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all,
>
> snort picked up the following yesterday evening:
> [complete packet dump attached]
>
> [GMT+1, yesterday]
> 49649| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 php content-disposition
> 49648| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 SHELLCODE x86 EB OC NOOP
> 49647| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 SHELLCODE x86 EB OC NOOP
> 49646| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 SHELLCODE x86 EB OC NOOP
> 49645| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 php content-disposition
> 49644| [18:39:00] 65.89.43.125:4040 -> a.b.c.4:80 php content-disposition
> 49643| [18:39:00] 65.89.43.125:4039 -> a.b.c.4:80 php content-disposition
> 49642| [18:38:59] 65.89.43.125:4038 -> a.b.c.4:80 php content-disposition
> 49641| [18:38:59] 65.89.43.125:4037 -> a.b.c.4:80 php content-disposition
> 49640| [18:38:59] 65.89.43.125:4036 -> a.b.c.4:80 php content-disposition
> 49639| [18:38:58] 65.89.43.125:4035 -> a.b.c.4:80 php content-disposition
> 49638| [18:38:58] 65.89.43.125:4034 -> a.b.c.4:80 php content-disposition
> 49637| [18:38:58] 65.89.43.125:4033 -> a.b.c.4:80 php content-disposition
> 49636| [18:38:58] 65.89.43.125:4032 -> a.b.c.4:80 php content-disposition
> 49635| [18:38:57] 65.89.43.125:4031 -> a.b.c.4:80 php content-disposition
> 49634| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 php content-disposition
> 49633| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 SHELLCODE x86 EB OC NOOP
> 49632| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 SHELLCODE x86 EB OC NOOP
> 49631| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 SHELLCODE x86 EB OC NOOP
> 49630| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 php content-disposition
> 49629| [18:38:55] 65.89.43.125:4013 -> a.b.c.34:80 php content-disposition
> 49628| [18:38:54] 65.89.43.125:4012 -> a.b.c.34:80 php content-disposition
> 49627| [18:38:54] 65.89.43.125:4011 -> a.b.c.34:80 php content-disposition
> 49626| [18:38:54] 65.89.43.125:4010 -> a.b.c.34:80 php content-disposition
> 49625| [18:38:54] 65.89.43.125:4009 -> a.b.c.34:80 php content-disposition
> 49624| [18:38:53] 65.89.43.125:4008 -> a.b.c.34:80 php content-disposition
> 49623| [18:38:53] 65.89.43.125:4007 -> a.b.c.34:80 php content-disposition
> 49622| [18:38:53] 65.89.43.125:4006 -> a.b.c.34:80 php content-disposition
> 49621| [18:38:53] 65.89.43.125:4004 -> a.b.c.34:80 php content-disposition
> 49620| [18:38:52] 65.89.43.125:4003 -> a.b.c.34:80 php content-disposition
> 49619| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80 php content-disposition
> 49618| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80 SHELLCODE x86 EB OC NOOP
> 49617| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80 SHELLCODE x86 EB OC NOOP
> 49616| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80 SHELLCODE x86 EB OC NOOP
> 49615| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80 php content-disposition
> 49614| [18:38:50] 65.89.43.125:3975 -> a.b.c.33:80 php content-disposition
> 49613| [18:38:49] 65.89.43.125:3974 -> a.b.c.33:80 php content-disposition
> 49612| [18:38:49] 65.89.43.125:3973 -> a.b.c.33:80 php content-disposition
> 49611| [18:38:49] 65.89.43.125:3972 -> a.b.c.33:80 php content-disposition
> 49610| [18:38:48] 65.89.43.125:3971 -> a.b.c.33:80 php content-disposition
> 49609| [18:38:48] 65.89.43.125:3970 -> a.b.c.33:80 php content-disposition
> 49608| [18:38:48] 65.89.43.125:3969 -> a.b.c.33:80 php content-disposition
> 49607| [18:38:48] 65.89.43.125:3965 -> a.b.c.33:80 php content-disposition
> 49606| [18:38:47] 65.89.43.125:3961 -> a.b.c.33:80 php content-disposition
> 49605| [18:38:47] 65.89.43.125:3957 -> a.b.c.33:80 php content-disposition
>
> here he stopped, there are a few web servers left in our /24, so I put up
> tcpdump, maybe I'll get a few complete traces...
> The client machine tells me the following:
>
> > telnet 65.89.43.125 80
> Trying 65.89.43.125...
> Connected to 65.89.43.125.
> Escape character is '^]'.
> HEAD / HTTP/1.0
>
> HTTP/1.1 200 OK
> Date: Wed, 19 Jun 2002 19:34:10 GMT
> Server: Apache/1.3.14 (Unix) PHP/4.0.4pl1
> Connection: close
> Content-Type: text/html
>
> so it seems vulnerable...
>
> I've never seen this in the wild until right now... has anyone seen large
> (or any) activity regarding the php file upload bug?
> Or am I only overly nervous because of the recent apache / openssh
> problems?
>
>
> Greetings,
>
> Roland
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: Weitere Infos: siehe http://www.gnupg.org
>
> iD8DBQE9GKLqTyqg9LmJhHMRAhX9AKDUjaqeroZ+GPy0FRC0TUrb4q+9aACfR/r+
> g+hfktzcIV9aLGGnbBp0wcU=
> =ti8P
> -----END PGP SIGNATURE-----
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
Attachment: acid-report.gz (application/compressed)
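As an added example (not part of the original thread or of the attached dump), here is a small Python script that parses alert lines in the layout quoted above and reports, per source address, which web servers were hit and on which connections a "php content-disposition" probe was accompanied by a SHELLCODE alert, i.e. the sweep pattern Roland describes rather than a bare probe. The sample input is a subset of the quoted alerts plus one constructed line from an unrelated source (10.0.0.9); the `min_hosts` threshold is my own assumption.

```python
import re
from collections import defaultdict

# Alert line layout as forwarded above:  <id>| [HH:MM:SS] <src>:<port> -> <dst>:<port> <signature>
ALERT_RE = re.compile(
    r"^(?P<id>\d+)\|\s*\[(?P<time>\d\d:\d\d:\d\d)\]\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)\s+(?P<sig>.+)$")

# Sample input: quoted alerts plus one constructed single-probe line (10.0.0.9) that must not be flagged.
SAMPLE = """\
49649| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 php content-disposition
49648| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 SHELLCODE x86 EB OC NOOP
49645| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 php content-disposition
49644| [18:39:00] 65.89.43.125:4040 -> a.b.c.4:80 php content-disposition
49634| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 php content-disposition
49633| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 SHELLCODE x86 EB OC NOOP
49619| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80 php content-disposition
49618| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80 SHELLCODE x86 EB OC NOOP
12345| [18:40:00] 10.0.0.9:5555 -> a.b.c.4:80 php content-disposition
"""

def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
            alerts.append(a)
    return alerts

def find_sweeps(alerts, min_hosts=2):
    """Per source that touched at least min_hosts servers: hosts hit, and the source ports
    (connections) where a content-disposition probe came with a SHELLCODE alert."""
    per_src = defaultdict(lambda: {"hosts": set(), "conns": defaultdict(set)})
    for a in alerts:
        per_src[a["src"]]["hosts"].add(a["dst"])
        per_src[a["src"]]["conns"][a["sport"]].add(a["sig"])  # group alerts by TCP connection
    report = {}
    for src, s in per_src.items():
        if len(s["hosts"]) < min_hosts:
            continue  # a single target is not a sweep (assumed threshold)
        exploit_conns = sorted(
            port for port, sigs in s["conns"].items()
            if any(g.startswith("php content-disposition") for g in sigs)
            and any(g.startswith("SHELLCODE") for g in sigs))
        report[src] = {"hosts": sorted(s["hosts"]), "exploit_conns": exploit_conns}
    return report
```

Run over a full ACID/snort export, the `exploit_conns` ports are the connections worth pulling out of the packet capture first, since the probe-only connections (such as source port 4040 above) carry no shellcode.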
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php