Re: PHP exploit (Was Re: Wave of Nimda-like hits this morning?)

From: Chris Adams (chris@improbable.org)
Date: 02/27/02


Date: Wed, 27 Feb 2002 13:14:08 -0800
To: Tina Bird <tbird@precision-guesswork.com>
From: Chris Adams <chris@improbable.org>

On Wednesday, February 27, 2002, at 10:32 , Tina Bird wrote:
> Presumably these are based on the info in the
> exploit, and not on actual successful compromises?

That's my guess - I'm not sure as I haven't verified this myself due to
time constraints. There's a little discussion about a form upload
vulnerability and a single hit for "exploit" at bugs.php.net. From what
I found in the PHP newsgroups, it looks like setting file_uploads=0 in
your php.ini file blocks this.

Chris

> On Tue, 26 Feb 2002, Chris Adams wrote:
>
>> On Tuesday, February 26, 2002, at 12:28 , Jay D. Dyson wrote:
>>>> Whatever this (maybe) new bug is, it's blowing up these boxes left
>>>> and
>>>> right...can't figure it out. They're all relatively new 1.3'ish
>>>> versions I think.
>>>
>>> I've heard rumblings of an Apache/PHP exploit making the rounds.
>>> Any of these machines using PHP by chance?
>>
>> This just hit the snort-sigs list this afternoon:
>>
>> From: Brian <bmc@snort.org>
>> Date: Tue Feb 26, 2002 04:02:22 US/Pacific
>> Subject: [Snort-sigs] php overflow signatures
>>
>> Below are the initial signatures for the PHP overflow that is about to
>> get a bunch of publication. Have fun and whatnot.
>>
>> Sourceforge's CVS server is broken, so these are not yet in CVS.
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overflow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)
>>
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB 0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)
>>
>>
>> ----------------------------------------------------------------------------
>> This list is provided by the SecurityFocus ARIS analyzer service.
>> For more information on this free incident handling, management
>> and tracking system please see: http://aris.securityfocus.com
>>
>

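The following is an added example, not code from this thread, from the Snort project, or from the snort-sigs post quoted above. It re-implements the content checks of the three quoted rules (sid 1423, 1424, 1425) in plain Python and runs them over a few constructed HTTP payloads, so the reader can see which kinds of traffic each rule actually flags. Assumptions: Snort's `content:` keyword is reduced to "every listed byte string occurs somewhere in the payload" (the way independent `content:` options combined in Snort 1.x rules), the `flags:A+` and direction checks are dropped, and the hostnames, paths and boundary string in the samples are made up.

```python
# Added example: the three quoted Snort rules as Python byte-string checks,
# exercised against constructed HTTP payloads.  Not Snort's own matcher;
# semantics simplified to "all content strings present, port constraint met".

# Patterns copied from the posted rules.  Snort writes raw bytes as |HH HH|.
SIGNATURES = {
    # sid 1423: Content-Disposition header whose name= value starts with five
    # 0xCC bytes (the filler the rule keys on); tcp to port 80 only.
    1423: {"port": 80, "contents": [b"Content-Disposition:", b'name="\xcc\xcc\xcc\xcc\xcc']},
    # sid 1424: x86 "jmp +0x0c" (EB 0C) repeated eight times, a sled pattern; any port.
    1424: {"port": None, "contents": [b"\xeb\x0c" * 8]},
    # sid 1425: any multipart form-data Content-Disposition header; tcp to port 80.
    1425: {"port": 80, "contents": [b"Content-Disposition:", b"form-data;"]},
}


def matching_sids(payload: bytes, dst_port: int) -> list[int]:
    """Return the sids whose port constraint and every content string match."""
    hits = []
    for sid, sig in SIGNATURES.items():
        if sig["port"] is not None and sig["port"] != dst_port:
            continue
        if all(needle in payload for needle in sig["contents"]):
            hits.append(sid)
    return hits


def multipart_upload(field_name: bytes) -> bytes:
    """Build a constructed multipart/form-data POST whose form field has the given name."""
    boundary = b"----boundary42"  # made-up boundary
    body = b"".join([
        b"--", boundary, b"\r\n",
        b'Content-Disposition: form-data; name="', field_name, b'"; filename="a.txt"\r\n',
        b"Content-Type: text/plain\r\n\r\n",
        b"hello\r\n",
        b"--", boundary, b"--\r\n",
    ])
    return b"".join([
        b"POST /upload.php HTTP/1.0\r\n",          # hypothetical path
        b"Host: www.example.test\r\n",             # hypothetical host
        b"Content-Type: multipart/form-data; boundary=", boundary, b"\r\n",
        b"Content-Length: ", str(len(body)).encode(), b"\r\n\r\n",
        body,
    ])


# Constructed sample traffic (label -> (payload, destination port)); not captured data.
SAMPLES = {
    "plain GET": (b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n", 80),
    "ordinary upload": (multipart_upload(b"userfile"), 80),
    "0xCC-filled field name": (multipart_upload(b"\xcc" * 64), 80),
    "jmp-sled bytes to port 80": (b"POST /x HTTP/1.0\r\n\r\n" + b"\xeb\x0c" * 20, 80),
    "jmp-sled bytes to port 8080": (b"\x90" * 4 + b"\xeb\x0c" * 8, 8080),
}


def classify_samples() -> dict[str, list[int]]:
    """Run every sample through the signature set."""
    return {label: matching_sids(payload, port) for label, (payload, port) in SAMPLES.items()}


if __name__ == "__main__":
    for label, sids in classify_samples().items():
        print(f"{label:28s} -> {sids or 'no alert'}")
```

Running it shows the tuning issue a practitioner would spot in the posted rules: sid 1425 matches every ordinary multipart upload, since it only requires `Content-Disposition:` and `form-data;`, so on its own it is a traffic indicator rather than an attack indicator; sid 1423 is the specific one, and sid 1424 fires on the sled bytes regardless of port. The host-side mitigation mentioned earlier in the message, `file_uploads=0` in php.ini, removes the parsing path these signatures watch for.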