Full Disclosure mailing list archives
[Full-Disclosure] Re: Full-disclosure Digest, Vol 1, Issue 2120
From: Justin Mason <justin.mason () urbanhunting com>
Date: Tue, 21 Dec 2004 10:05:11 -0800
full-disclosure-request () lists netsys com wrote:
Send Full-Disclosure mailing list submissions to full-disclosure () lists netsys com To subscribe or unsubscribe via the World Wide Web, visit https://lists.netsys.com/mailman/listinfo/full-disclosure or, via email, send a message with subject or body 'help' to full-disclosure-request () lists netsys com You can reach the person managing the list at full-disclosure-owner () lists netsys com When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..." Today's Topics: 1. Possible apache2/php 4.3.9 worm (Alex Schultz) ---------------------------------------------------------------------- Message: 1 Date: Tue, 21 Dec 2004 07:32:20 -0800 From: "Alex Schultz" <aschultz () echo-inc com> Subject: [Full-disclosure] Possible apache2/php 4.3.9 worm To: <full-disclosure () lists netsys com> Cc: gentoo-security () lists gentoo org Message-ID: <685F5668BEFF12479A66F1204BF59BF1803DB8 () exchange prv echo-inc com> Content-Type: text/plain; charset="us-ascii" Some of the sites I administer were alledgedly hit by a worm last night. It overwrote all .php/.html files that were owner writable and owned by apache. The worm put the following html in place of what was there:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML> <HEAD> <TITLE>This site is defaced!!!</TITLE> </HEAD> <BODY bgcolor="#000000" text="#FF0000"> <H1>This site is defaced!!!</H1> <HR> <ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> </BODY></HTML> We were running apache 2.0.52 and php 4.3.9. Have any of you encounted this before? Also is there anything I should be aware of such as a possible binary that may have been dropped? Could this have been accomplised by the upload path traversal vulnerability? Google returns nothing. Thanks -Alex Schultz ------------------------------ _______________________________________________ Full-Disclosure mailing list Full-Disclosure () lists netsys com https://lists.netsys.com/mailman/listinfo/full-disclosure End of Full-Disclosure Digest, Vol 1, Issue 2120 ************************************************
Alex:Your version of php, according to Hardened PHP was vulnerable to a series of "easy to exploit" vulnerabilitys. Interested to know wether you were in fact running any of the software they mentioned, phpbb/phpads(new)/Invision etc.
Take a look, http://www.hardened-php.net/advisories/012004.txt - that quite well may be the reason.
Best of luck! Justin Mason _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [Full-Disclosure] Re: Full-disclosure Digest, Vol 1, Issue 2120 Justin Mason (Dec 22)