Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

[Full-Disclosure] Objet :Full-disclosure Digest, Vol 1, Issue 2120 (De retour le mardi 28 décembre.)

From: "Christophe Savin" <christophe.savin () tdf fr>
Date: Wed, 22 Dec 2004 18:50:09 +0100
 En mon absence,  toute demande concernant les réseaux doit être envoyée au mail : ars_reseaux () tdf fr ou 
(ars_transpac pour tout incident lié à ce réseau)

En cas d'urgence, Vous pouvez contacter :
  La Hot-line Réseaux : 01 49 15 32 53  
  François LEVEQUE au 01 49 15 30 56
  Pascal PAINPARAY au 01 49 15 31 36.
 
  Bonnes fêtes de fin d'année.
  Christophe SAVIN



full-disclosure 12/21/04 18:00 >>>


Send Full-Disclosure mailing list submissions to
        full-disclosure () lists netsys com

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists netsys com

You can reach the person managing the list at
        full-disclosure-owner () lists netsys com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Today's Topics:

   1. Possible apache2/php 4.3.9 worm (Alex Schultz)


----------------------------------------------------------------------

Message: 1
Date: Tue, 21 Dec 2004 07:32:20 -0800
From: "Alex Schultz" <aschultz () echo-inc com>
Subject: [Full-disclosure] Possible apache2/php 4.3.9 worm
To: <full-disclosure () lists netsys com>
Cc: gentoo-security () lists gentoo org
Message-ID:
        <685F5668BEFF12479A66F1204BF59BF1803DB8 () exchange prv echo-inc com>
Content-Type: text/plain;       charset="us-ascii"

Some of the sites I administer were alledgedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache.  The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
 <HTML>
 <HEAD> 
 <TITLE>This site is defaced!!!</TITLE> 
 </HEAD>
<BODY bgcolor="#000000" text="#FF0000"> 
<H1>This site is defaced!!!</H1> 
<HR> 
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> 
</BODY>
</HTML>

We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
this before?  Also is there anything I should be aware of such as a
possible binary that may have been dropped?  Could this have been
accomplised by the upload path traversal vulnerability?  Google returns
nothing.


Thanks
-Alex Schultz




------------------------------

_______________________________________________
Full-Disclosure mailing list
Full-Disclosure () lists netsys com
https://lists.netsys.com/mailman/listinfo/full-disclosure


End of Full-Disclosure Digest, Vol 1, Issue 2120
************************************************


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: