lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <41C865D7.7040802@urbanhunting.com>
From: justin.mason at urbanhunting.com (Justin Mason)
Subject: Re: Full-Disclosure Digest, Vol 1, Issue 2120

full-disclosure-request@...ts.netsys.com wrote:

>Send Full-Disclosure mailing list submissions to
>	full-disclosure@...ts.netsys.com
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	https://lists.netsys.com/mailman/listinfo/full-disclosure
>or, via email, send a message with subject or body 'help' to
>	full-disclosure-request@...ts.netsys.com
>
>You can reach the person managing the list at
>	full-disclosure-owner@...ts.netsys.com
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Full-Disclosure digest..."
>
>
>Today's Topics:
>
>   1. Possible apache2/php 4.3.9 worm (Alex Schultz)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Tue, 21 Dec 2004 07:32:20 -0800
>From: "Alex Schultz" <aschultz@...o-inc.com>
>Subject: [Full-Disclosure] Possible apache2/php 4.3.9 worm
>To: <full-disclosure@...ts.netsys.com>
>Cc: gentoo-security@...ts.gentoo.org
>Message-ID:
>	<685F5668BEFF12479A66F1204BF59BF1803DB8@...hange.prv.echo-inc.com>
>Content-Type: text/plain;	charset="us-ascii"
>
>Some of the sites I administer were alledgedly hit by a worm last night.
>It overwrote all .php/.html files that were owner writable and owned by
>apache.  The worm put the following html in place of what was there:
><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
> <HTML>
> <HEAD> 
> <TITLE>This site is defaced!!!</TITLE> 
> </HEAD>
><BODY bgcolor="#000000" text="#FF0000"> 
><H1>This site is defaced!!!</H1> 
><HR> 
><ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> 
></BODY>
></HTML>
>
>We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
>this before?  Also is there anything I should be aware of such as a
>possible binary that may have been dropped?  Could this have been
>accomplised by the upload path traversal vulnerability?  Google returns
>nothing.
>
>
>Thanks
>-Alex Schultz
>
>
>
>
>------------------------------
>
>_______________________________________________
>Full-Disclosure mailing list
>Full-Disclosure@...ts.netsys.com
>https://lists.netsys.com/mailman/listinfo/full-disclosure
>
>
>End of Full-Disclosure Digest, Vol 1, Issue 2120
>************************************************
>  
>
Alex:

Your version of php, according to Hardened PHP was vulnerable to a 
series of "easy to exploit" vulnerabilitys. Interested to know wether 
you were in fact running any of the software they mentioned, 
phpbb/phpads(new)/Invision etc.

Take a look, http://www.hardened-php.net/advisories/012004.txt - that 
quite well may be the reason.

Best of luck!
Justin Mason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ