Security Incidents mailing list archives

Re: PHP exploit (Was Re: Wave of Nimda-like hits this morning?)


From: Chris Adams <chris () improbable org>
Date: Wed, 27 Feb 2002 13:14:08 -0800

On Wednesday, February 27, 2002, at 10:32 , Tina Bird wrote:
Presumably these are based on the info in the exploit, and not on actual successful compromises?

That's my guess - I'm not sure as I haven't verified this myself due to time constraints. There's a little discussion about a form upload vulnerability and a single hit for "exploit" at bugs.php.net. From what I found in the PHP newsgroups, it looks like setting file_uploads=0 in your php.ini file blocks this.

Chris

On Tue, 26 Feb 2002, Chris Adams wrote:

On Tuesday, February 26, 2002, at 12:28 , Jay D. Dyson wrote:
Whatever this (maybe) new bug is, it's blowing up these boxes left and
right...can't figure it out.  They're all relatively new 1.3'ish
versions I think.

        I've heard rumblings of an Apache/PHP exploit making the rounds.
Any of these machines using PHP by chance?

This just hit the snort-sigs list this afternoon:

From: Brian <bmc () snort org>
Date: Tue Feb 26, 2002  04:02:22  US/Pacific
Subject: [Snort-sigs] php overflow signatures

Below are the initial signatures for the PHP overflow that is about to
get a bunch of publication.  Have fun and whatnot.

Sourceforge's CVS server is broken, so these are not yet in CVS.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overflow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB 0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
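As an added illustration that is not part of the archived thread, the Python below re-implements the three content matches from the forwarded signatures as plain byte searches and runs them over constructed multipart upload requests; the names RULES, parse_content, match_rules and multipart_upload are chosen here. It shows that sid 1425 fires on every multipart upload, benign or not, while sid 1423 keys on the 0xCC padding after name=" and sid 1424 on the EB 0C jump-sled bytes.

```python
# Constructed rule table: sid -> (message, content patterns as written in the Snort rules above)
RULES = {
    1423: ("php content-disposition memchr overflow",
           [r'Content-Disposition\:', r'name=\"|CC CC CC CC CC|']),
    1424: ("SHELLCODE x86 EB 0C NOOP",
           ['|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|']),
    1425: ("php content-disposition",
           [r'Content-Disposition\:', r'form-data\;']),
}


def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string into raw bytes: |..| sections are hex,
    a backslash escapes the next character (\\: \\; \\" in the rules above)."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        if pattern[i] == '|':
            end = pattern.index('|', i + 1)
            out += bytes.fromhex(pattern[i + 1:end])   # fromhex skips the spaces
            i = end + 1
        elif pattern[i] == '\\':
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out.append(ord(pattern[i]))
            i += 1
    return bytes(out)


def match_rules(payload: bytes) -> list[int]:
    """Return the sids whose content patterns all occur somewhere in payload."""
    return [sid for sid, (_msg, pats) in RULES.items()
            if all(parse_content(p) in payload for p in pats)]


def multipart_upload(name: bytes) -> bytes:
    """Constructed minimal multipart/form-data POST with one file part whose
    field name and filename are `name` (hypothetical /upload.php target)."""
    b = b"----boundary"
    return (b"POST /upload.php HTTP/1.0\r\n"
            b"Content-Type: multipart/form-data; boundary=" + b + b"\r\n\r\n"
            b"--" + b + b"\r\n"
            b'Content-Disposition: form-data; name="' + name + b'"; filename="' + name + b'"\r\n'
            b"Content-Type: text/plain\r\n\r\nhello\r\n--" + b + b"--\r\n")


if __name__ == "__main__":
    print(match_rules(multipart_upload(b"report.txt")))                 # [1425] only
    print(match_rules(multipart_upload(b"\xcc" * 64 + b"\xeb\x0c" * 8)))  # [1423, 1424, 1425]
```

Because sid 1425 matches any form-data upload, it is only useful as a noisy pivot next to the other two; on a site that accepts uploads, file_uploads=0 in php.ini, as the reply above notes, is the setting that actually removes the exposed code path.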
