Vulnerability Development mailing list archives
Re: Rumours about Apache 1.3.22 exploits
From: nilton.gs.sc () zipmail com br
Date: Tue, 5 Mar 2002 14:51:05 -0300
I had the same problem with a test box that I have on my network. I think the exploit called 73501867 is a trojan. It seems to infect ELF binaries. When I turned on the system (Slackware 8.0 with kernel 2.4.5) I executed 'netstat -an' and nothing showed up. But about 3 minutes later, when I executed 'netstat -an', it showed:

Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:3049 0.0.0.0:*

Do checksums on your files.

Regards,
Nilton Gomes

-- Original message --

Actually I was pasted a so-called exploit this afternoon which claims to exploit via POST, but I was only pasted a binary; however, please watch out for this. I believe it's a working exploit, but it also seems to open up a UDP port on 3049 and somehow seems to be cloning the last proc. When stracing the 3049 all it seems to do is sit there and recv(...) and does nothing when you type anything. The binary is called 73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 by lorian. Has anyone seen this about before? Is this a trojan? If not, then why does it open UDP 3049 even after a reboot? I trace the proc opening that port, kill it, and it somehow seems to clone my last proc and then 2 mins later opens the port again. Any ideas?

----- Original Message -----
From: "Olaf Kirch" <okir () caldera de>
To: "H D Moore" <hdm () digitaloffense net>
Cc: <fractalg () highspeedweb net>; <vuln-dev () securityfocus com>
Sent: Wednesday, February 27, 2002 3:07 AM
Subject: Re: Rumours about Apache 1.3.22 exploits

> There is a bug in the php_split_mime function in PHP 3.x and 4.x. There is a
> working exploit floating around which provides a remote bindshell for PHP
> versions 4.0.1 to 4.0.6 with a handful of default offsets for different
> platforms.

Blechch. This code is really icky. There's really an sprintf down there in the code that looks bad (apart from a few other things that look bad). But if I don't misread the patch, the sprintf is still there in 4.1.1.

> Since the PHP developers committed another change to the affected source
> file (rfc1687.c) about two days ago, speculation is that there is yet
> another remote exploit.

Not in the public CVS (has it been removed?)

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de   +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
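The two checks the posters above did by hand (comparing `netstat -an` at boot with the same listing a few minutes later, and checksumming binaries to see whether the "exploit" had patched anything) can be scripted. The following is an added example written for this archive page, not code from the thread or from any of its posters. It assumes a POSIX shell with coreutils (`dd`, `od`, `sha256sum`, `diff`, `comm`, `sort`, `mktemp`) and `find`; the function names, the baseline file format and the sample `netstat` lines in the usage note are this example's own choices, and ELF files are recognised purely by the 4-byte magic at offset 0.

```shell
#!/bin/sh
# Added example, not from the thread: baseline-and-compare checks for the
# two symptoms reported above (a UDP port that appears a few minutes after
# boot, and ELF binaries silently modified). Function names and file layouts
# are this example's own choices. Needs coreutils (dd, od, sha256sum, diff,
# comm, sort, cmp, mktemp) and find.

# is_elf FILE: succeed when FILE starts with the ELF magic 7f 45 4c 46
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# elf_files DIR: list regular files below DIR that carry the ELF magic,
# in a stable order so two snapshots can be compared line by line
elf_files() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        if is_elf "$f"; then printf '%s\n' "$f"; fi
    done
}

# baseline_elf DIR BASELINE: record "sha256  path" for every ELF file under
# DIR. Take the baseline from known-good media or before untrusted binaries
# are run; a baseline taken after infection only proves the infection stable.
baseline_elf() {
    elf_files "$1" | while IFS= read -r f; do sha256sum "$f"; done > "$2"
}

# verify_elf DIR BASELINE: print ELF files whose hash differs from BASELINE
# or that were not in it; return 1 if anything changed, 0 when all match
verify_elf() {
    cur=$(mktemp) || return 2
    elf_files "$1" | while IFS= read -r f; do sha256sum "$f"; done > "$cur"
    # diff lines beginning with '>' exist only in the current snapshot:
    # either a changed hash or a file that was never baselined
    diff "$2" "$cur" | sed -n 's/^> [0-9a-f]*  //p'
    if cmp -s "$2" "$cur"; then rc=0; else rc=1; fi
    rm -f "$cur"
    return $rc
}

# udp_locals FILE: the local-address column of every UDP line in a saved
# 'netstat -an' listing (header lines do not start with "udp")
udp_locals() {
    awk '$1 ~ /^udp/ { print $4 }' "$1" | LC_ALL=C sort -u
}

# new_udp_sockets BEFORE AFTER: UDP local addresses present in AFTER but
# not in BEFORE, e.g. 'netstat -an' saved at boot and again a few minutes
# later. A socket that appears with no service you started is the symptom
# the posters describe.
new_udp_sockets() {
    b=$(mktemp) || return 2
    a=$(mktemp) || { rm -f "$b"; return 2; }
    udp_locals "$1" > "$b"
    udp_locals "$2" > "$a"
    LC_ALL=C comm -13 "$b" "$a"
    rm -f "$b" "$a"
}
```

Typical use: `baseline_elf /bin /var/lib/elf.sha256` (and the same for /sbin, /usr/bin, /usr/sbin, /lib) before running anything untrusted, then `verify_elf /bin /var/lib/elf.sha256` afterwards; for the port check, save `netstat -an > /tmp/boot.txt` right after boot, save it again later and run `new_udp_sockets /tmp/boot.txt /tmp/later.txt`. Keep the baseline file and `sha256sum` itself on read-only media, since a binary-infecting trojan that can patch `ls` can patch the checker too.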
Current thread:
- Re: Rumours about Apache 1.3.22 exploits VeNoMouS (Mar 04)
- Re: Rumours about Apache 1.3.22 exploits KF (Mar 05)
- Re: Rumours about Apache 1.3.22 exploits VeNoMouS (Mar 05)
- Re: Rumours about Apache 1.3.22 exploits Blue Boar (Mar 05)
- Re: Rumours about Apache 1.3.22 exploits KF (Mar 05)
- Re: Rumours about Apache 1.3.22 exploits Erik Tayler (Mar 05)
- Re: Rumours about Apache 1.3.22 exploits Charles 'core' Stevenson (Mar 05)
- Re: Rumours about Apache 1.3.22 exploits nilton . gs . sc (Mar 05)
- Re: Rumours about Apache 1.3.22 exploits adamb (Mar 06)
- Re: Rumours about Apache 1.3.22 exploits Richard Hamnett (Mar 06)
- Re: Rumours about Apache 1.3.22 exploits Vanja Hrustic (Mar 06)
- Re: Rumours about Apache 1.3.22 exploits -> analysis of so-called exploit client adamb (Mar 06)
- Re: Rumours about Apache 1.3.22 exploits -> analysis of so-called exploit client Sean Davis (Mar 06)
- Re: Rumours about Apache 1.3.22 exploits -> analysis of so-called exploit client Manuel Bouyer (Mar 08)
- Re: Rumours about Apache 1.3.22 exploits -> analysis of so-called exploit client Sean Davis (Mar 07)
- Re: Rumours about Apache 1.3.22 exploits -> analysis of so-called exploit client Manuel Bouyer (Mar 08)
- Re: Rumours about Apache 1.3.22 exploits adamb (Mar 06)
- <Possible follow-ups>
- RE: Rumours about Apache 1.3.22 exploits Knud Erik Hojgaard (Mar 07)
- RE: Rumours about Apache 1.3.22 exploits Benjamin Morin (Mar 07)