Full Disclosure mailing list archives

Re: Possible apache2/php 4.3.9 worm

From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 21 Dec 2004 11:27:54 -0600

--On Tuesday, December 21, 2004 07:32:20 AM -0800 Alex Schultz<aschultz () echo-inc com> wrote:

Some of the sites I administer were alledgedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache.

We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
this before?

php 4.3.9 has several serious security flaws in it. (See here for moreinfo - <http://www.php.net/release_4_3_10.php>). You should have upgradeit ASAP. That's most likely how the script altered the files.


Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Possible apache2/php 4.3.9 worm Alex Schultz (Dec 21)
- Re: Possible apache2/php 4.3.9 worm Pamela Patterson (Dec 21)
- Re: Possible apache2/php 4.3.9 worm Paul Schmehl (Dec 21)
- Re: Possible apache2/php 4.3.9 worm Ron Brogden (Dec 21)
  - Re: Possible apache2/php 4.3.9 worm Brendan Dolan-Gavitt (Dec 21)
  - Re: Possible apache2/php 4.3.9 worm DanB UK (Dec 22)
    - Re: Possible apache2/php 4.3.9 worm Barrie Dempster (Dec 22)
    - Re: Possible apache2/php 4.3.9 worm dk (Dec 22)
    - Re: Possible apache2/php 4.3.9 worm DanB UK (Dec 23)
    - Re: Possible apache2/php 4.3.9 worm dk (Dec 27)
- Re: Possible apache2/php 4.3.9 worm Juan Carlos Navea (Dec 21)
  - Re: Possible apache2/php 4.3.9 worm milw0rm Inc. (Dec 22)
- <Possible follow-ups>
- Re: Possible apache2/php 4.3.9 worm Feher Tamas (Dec 21)

(Thread continues...)