Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Possible apache2/php 4.3.9 worm

From: Juan Carlos Navea <loconet () gmail com>
Date: Tue, 21 Dec 2004 13:21:38 -0500
There is some information regarding this here: 

http://www.pcpro.co.uk/news/67505/santya-sparks-messageboard-infection-epidemic.html


On Tue, 21 Dec 2004 07:32:20 -0800, Alex Schultz <aschultz () echo-inc com> wrote:

Some of the sites I administer were alledgedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache.  The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <HTML>
 <HEAD>
 <TITLE>This site is defaced!!!</TITLE>
 </HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
</BODY>
</HTML>

We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
this before?  Also is there anything I should be aware of such as a
possible binary that may have been dropped?  Could this have been
accomplised by the upload path traversal vulnerability?  Google returns
nothing.

Thanks
-Alex Schultz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




-- 
http://www.loconet.ca
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: