Security Incidents mailing list archives
PHP exploit (Was Re: Wave of Nimda-like hits this morning?)
From: Chris Adams <chris () improbable org>
Date: Tue, 26 Feb 2002 17:48:48 -0800
On Tuesday, February 26, 2002, at 12:28 , Jay D. Dyson wrote:
Whatever this (maybe) new bug is, it's blowing up these boxes left and right...can't figure it out. They're all relatively new 1.3'ish versions I think.
I've heard rumblings of an Apache/PHP exploit making the rounds. Any of these machines using PHP by chance?
This just hit the snort-sigs list this afternoon:
From: Brian <bmc () snort org>
Date: Tue Feb 26, 2002 04:02:22 US/Pacific
Subject: [Snort-sigs] php overflow signatures
Below are the initial signatures for the PHP overflow that is about to get a bunch of publication. Have fun and whatnot. Sourceforge's CVS server is broken, so these are not yet in CVS.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overlfow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB OC NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)