From: justin.mason at urbanhunting.com (Justin Mason)
Subject: Re: Full-Disclosure Digest, Vol 1, Issue 2120

full-disclosure-request@...ts.netsys.com wrote:

>Send Full-Disclosure mailing list submissions to
>	full-disclosure@...ts.netsys.com
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	https://lists.netsys.com/mailman/listinfo/full-disclosure
>or, via email, send a message with subject or body 'help' to
>	full-disclosure-request@...ts.netsys.com
>
>You can reach the person managing the list at
>	full-disclosure-owner@...ts.netsys.com
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Full-Disclosure digest..."
>
>
>Today's Topics:
>
>   1. Possible apache2/php 4.3.9 worm (Alex Schultz)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Tue, 21 Dec 2004 07:32:20 -0800
>From: "Alex Schultz" <aschultz@...o-inc.com>
>Subject: [Full-Disclosure] Possible apache2/php 4.3.9 worm
>To: <full-disclosure@...ts.netsys.com>
>Cc: gentoo-security@...ts.gentoo.org
>Message-ID:
>	<685F5668BEFF12479A66F1204BF59BF1803DB8@...hange.prv.echo-inc.com>
>Content-Type: text/plain;	charset="us-ascii"
>
>Some of the sites I administer were allegedly hit by a worm last night.
>It overwrote all .php/.html files that were owner writable and owned by
>apache.  The worm put the following html in place of what was there:
><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
> <HTML>
> <HEAD> 
> <TITLE>This site is defaced!!!</TITLE> 
> </HEAD>
><BODY bgcolor="#000000" text="#FF0000"> 
><H1>This site is defaced!!!</H1> 
><HR> 
><ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> 
></BODY>
></HTML>
>
>We were running apache 2.0.52 and php 4.3.9. Have any of you encountered
>this before?  Also is there anything I should be aware of such as a
>possible binary that may have been dropped?  Could this have been
>accomplished by the upload path traversal vulnerability?  Google returns
>nothing.
>
>
>Thanks
>-Alex Schultz
>
>
>
>
>------------------------------
>
>_______________________________________________
>Full-Disclosure mailing list
>Full-Disclosure@...ts.netsys.com
>https://lists.netsys.com/mailman/listinfo/full-disclosure
>
>
>End of Full-Disclosure Digest, Vol 1, Issue 2120
>************************************************
>  
>
Alex:

Your version of php, according to Hardened PHP, was vulnerable to a 
series of "easy to exploit" vulnerabilities. Interested to know whether 
you were in fact running any of the software they mentioned, 
phpbb/phpads(new)/Invision etc.

Take a look, http://www.hardened-php.net/advisories/012004.txt - that 
quite well may be the reason.

Best of luck!
Justin Mason
