[Full-Disclosure] Re: Full-disclosure Digest, Vol 1, Issue 2120

[Justin Mason <justin.mason () urbanhunting com>]

full-disclosure-request () lists netsys com wrote:

> Send Full-Disclosure mailing list submissions to
>         full-disclosure () lists netsys com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.netsys.com/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
>         full-disclosure-request () lists netsys com
>
> You can reach the person managing the list at
>         full-disclosure-owner () lists netsys com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
>
> Today's Topics:
>
>   1. Possible apache2/php 4.3.9 worm (Alex Schultz)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 21 Dec 2004 07:32:20 -0800
> From: "Alex Schultz" <aschultz () echo-inc com>
> Subject: [Full-disclosure] Possible apache2/php 4.3.9 worm
> To: <full-disclosure () lists netsys com>
> Cc: gentoo-security () lists gentoo org
> Message-ID:
>         <685F5668BEFF12479A66F1204BF59BF1803DB8 () exchange prv echo-inc com>
> Content-Type: text/plain;       charset="us-ascii"
>
> Some of the sites I administer were alledgedly hit by a worm last night.
> It overwrote all .php/.html files that were owner writable and owned by
> apache.  The worm put the following html in place of what was there:
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
> <HTML>
> <HEAD> 
> <TITLE>This site is defaced!!!</TITLE> 
> </HEAD>
> <BODY bgcolor="#000000" text="#FF0000"> 
> <H1>This site is defaced!!!</H1> 
> <HR> 
> <ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> 
> </BODY>
> </HTML>
>
> We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
> this before?  Also is there anything I should be aware of such as a
> possible binary that may have been dropped?  Could this have been
> accomplised by the upload path traversal vulnerability?  Google returns
> nothing.
>
>
> Thanks
> -Alex Schultz
>
>
>
>
> ------------------------------
>
> _______________________________________________
> Full-Disclosure mailing list
> Full-Disclosure () lists netsys com
> https://lists.netsys.com/mailman/listinfo/full-disclosure
>
>
> End of Full-Disclosure Digest, Vol 1, Issue 2120
> ************************************************
>  
Alex:

Your version of php, according to Hardened PHP was vulnerable to a 
series of "easy to exploit" vulnerabilitys. Interested to know wether 
you were in fact running any of the software they mentioned, 
phpbb/phpads(new)/Invision etc.

Take a look, http://www.hardened-php.net/advisories/012004.txt - that 
quite well may be the reason.

Best of luck!
Justin Mason
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html