Message-ID: <s1c9c1f9.022@gw-tdf1s.tdf.fr>
From: christophe.savin at tdf.fr (Christophe Savin)
Subject: Subject: Full-Disclosure Digest, Vol 1, Issue 2120 (Back on Tuesday, December 28.)

In my absence, any request concerning the networks should be sent to the address: ars_reseaux@....fr or (ars_transpac for any incident related to that network)

In case of emergency, you can contact:
  The Networks hotline: 01 49 15 32 53
  François LEVEQUE at 01 49 15 30 56
  Pascal PAINPARAY at 01 49 15 31 36.

  Happy end-of-year holidays.
  Christophe SAVIN


>>> full-disclosure 12/21/04 18:00 >>>


Today's Topics:

   1. Possible apache2/php 4.3.9 worm (Alex Schultz)


----------------------------------------------------------------------

Message: 1
Date: Tue, 21 Dec 2004 07:32:20 -0800
From: "Alex Schultz" <aschultz@...o-inc.com>
Subject: [Full-Disclosure] Possible apache2/php 4.3.9 worm
To: <full-disclosure@...ts.netsys.com>
Cc: gentoo-security@...ts.gentoo.org
Message-ID:
	<685F5668BEFF12479A66F1204BF59BF1803DB8@...hange.prv.echo-inc.com>
Content-Type: text/plain;	charset="us-ascii"

Some of the sites I administer were allegedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache.  The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
 <HTML>
 <HEAD> 
 <TITLE>This site is defaced!!!</TITLE> 
 </HEAD>
<BODY bgcolor="#000000" text="#FF0000"> 
<H1>This site is defaced!!!</H1> 
<HR> 
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> 
</BODY>
</HTML>

We were running apache 2.0.52 and php 4.3.9. Have any of you encountered
this before?  Also is there anything I should be aware of such as a
possible binary that may have been dropped?  Could this have been
accomplished by the upload path traversal vulnerability?  Google returns
nothing.


Thanks
-Alex Schultz




------------------------------


End of Full-Disclosure Digest, Vol 1, Issue 2120
************************************************