Re: [Phpgedview-talk] attack attempt
From: Keith C. <ke...@dr...> - 2005-12-26 04:18:55
S.C. Gehl wrote:

> Nevertheless, they are attacking everyone on the phpgedview list.
> The list should be revised. It needs to have contact info not url info.

Not to say you're wrong, but these attacks are more closely related to an XML-RPC for PHP vulnerability attack. I'm not sure at the moment if PhpGedView uses XML-RPC directly, but many of the servers that host PhpGedView sites do have it enabled. Many of these servers are shared servers with hundreds to thousands of web sites being hosted from each one.

The majority of these attacks seem to be coming from a variant of the Lupper worm. Please see: http://vil.nai.com/vil/content/v_136821.htm

[quote]
The Lupper worm variants spread by exploiting web servers hosting vulnerable PHP/CGI scripts. At least one variant has been identified as a modified derivative of the Linux/Slapper <http://vil.nai.com/vil/content/v_99693.htm> and BSD/Scalper <http://vil.nai.com/vil/content/v_99539.htm> worms, from which it inherits the propagation strategy. The worm blindly attacks web servers by sending malicious HTTP requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.
[/quote]

Most viruses are easily altered to attack specific sites. The Lupper worm in general tries to find sites that use content management systems like PHP-Nuke, Post-Nuke, Mambo, xoops, wordpress, etc. I probably wouldn't be too far off to say someone has altered this to look for unpatched PhpGedView sites. As Tastiger said, "it's because it's there and it can be done. To them it's a game and to see who can hack the most sites".

Your best line of defense here is to upgrade/update your PhpGedView site with the patch provided by John, or upgrade to PhpGedView 4.0b3, which has this patch already applied.

If you host your own server, you'll want to make sure you have XML-RPC for PHP updated to the latest version (http://sourceforge.net/project/showfiles.php?group_id=34455). If you host through a hosting provider, contact your help desk and ask them to make sure this vulnerability has been addressed, since they are responsible for the day-to-day maintenance of your servers.

Eventually this will die down, and things will become normal again until the next vulnerability is found. Welcome to the world of web hosting. It's a cat-and-mouse game in which you can't let your guard down for a moment.

For further reading, please take a look here, and follow the other links as well. http://isc.sans.org/diary.php?storyid=823
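The message describes a worm that blindly sends HTTP requests to a fixed set of CMS script URLs. A site owner who wants to see whether their own server is being probed can look for clients that miss on several such paths in a row. The following is an added illustration for this thread, not code from the PhpGedView project or the poster; the log format is Apache/NCSA common log format, the path markers are constructed from the CMS names named above, and the sample log lines are invented.

```python
"""Flag clients that blindly probe a web server for known PHP/CGI script paths.
Added illustration for this thread, not PhpGedView code. Assumes NCSA common
log format; PROBE_MARKERS are assumed path fragments, not a vendor list."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path fragments associated with the CMSes the worm is described as seeking
# (assumed markers, matched case-insensitively).
PROBE_MARKERS = ("xmlrpc", "nuke", "mambo", "xoops", "wp-", "phpgedview")

# Constructed sample log: one scanner cycling through CMS paths, one normal visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Dec/2005:03:10:01 +0000] "POST /xmlrpc.php HTTP/1.1" 404 294
10.0.0.5 - - [26/Dec/2005:03:10:02 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 294
10.0.0.5 - - [26/Dec/2005:03:10:03 +0000] "GET /modules/xoops/ HTTP/1.1" 404 294
10.0.0.5 - - [26/Dec/2005:03:10:04 +0000] "POST /mambo/xmlrpc.php HTTP/1.1" 404 294
192.0.2.8 - - [26/Dec/2005:03:12:40 +0000] "GET /phpgedview/index.php HTTP/1.1" 200 8123
192.0.2.8 - - [26/Dec/2005:03:12:41 +0000] "GET /phpgedview/style.css HTTP/1.1" 200 1022
"""

def parse(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_probing_hosts(log_text, min_distinct_paths=3):
    """Return {ip: sorted probe paths} for clients that received 4xx responses on
    at least min_distinct_paths distinct CMS-looking paths, i.e. URL guessing."""
    misses = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].lower()
        if rec["status"].startswith("4") and any(k in path for k in PROBE_MARKERS):
            misses[rec["ip"]].add(rec["path"])
    return {ip: sorted(p) for ip, p in misses.items() if len(p) >= min_distinct_paths}

if __name__ == "__main__":
    for ip, paths in find_probing_hosts(SAMPLE_LOG).items():
        print(ip, "probed", len(paths), "known script paths:", ", ".join(paths))
```

A real visitor to a PhpGedView site hits existing pages and gets 200s, so it is not flagged; the scanner is identified by its run of misses on script paths it guessed.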