lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <685F5668BEFF12479A66F1204BF59BF1803DB8@exchange.prv.echo-inc.com>
From: aschultz at echo-inc.com (Alex Schultz)
Subject: Possible apache2/php 4.3.9 worm

Some of the sites I administer were alledgedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache.  The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
 <HTML>
 <HEAD> 
 <TITLE>This site is defaced!!!</TITLE> 
 </HEAD>
<BODY bgcolor="#000000" text="#FF0000"> 
<H1>This site is defaced!!!</H1> 
<HR> 
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> 
</BODY>
</HTML>

We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
this before?  Also is there anything I should be aware of such as a
possible binary that may have been dropped?  Could this have been
accomplised by the upload path traversal vulnerability?  Google returns
nothing.


Thanks
-Alex Schultz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ