Re: Someone scanning for new PHP issues?



Jamie,

You are right that the second trap is searching for the horde exploit. The first one you link to is for the remote code execution exploit in the Vwar gaming clan management system, with exploit code published publicly on 02 April 06. For reference, full sample exploit code is here:

http://milw0rm.com/exploits/1632

For web app exploits such as these, it is simpler to get the details out of your web server logs (presuming you are running a web server at the targeted IP, and are keeping logs) as the extracts you provide only confuse the issue for simple attack vectors like these.

On 16/04/2006, at 9:34 AM, Jamie Riden wrote:

......
0x0040: 7677 6172 2f69 6e63 6c75 6465 732f 6765 vwar/includes/ge
......
0x0040: 7765 626d 6169 6c2f 686f 7264 652f 7365 webmail/horde/se


Sincerely,

Carl Jongsma
info@xxxxxxxxxxxxxx
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
http://www.skiifwrald.com/sunnet
Tel: 0410 707 444 / 08 8283 1154

Jongsma & Jongsma Pty. Ltd.

Established in mid 2004, Jongsma & Jongsma Pty. Ltd. is a pure Research and Development company focussing on advanced software and hardware concepts. Since inception, Jongsma & Jongsma Pty. Ltd. has already developed software tools for advanced user and security management in web applications, complete data protection, and effective phishing defences for financial companies.

Sûnnet Beskerming Pty. Ltd.

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.
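
As an added illustration of the web-server-log approach recommended in the message above (not part of the original post), the following Python code scans access log lines for the two path fragments visible in the quoted packet extracts and groups hits by source address. The Apache combined log format, the log lines, the IP addresses and the `example.php` file names are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path fragments taken from the packet extracts quoted in the thread.
PROBE_FRAGMENTS = {"vwar/includes/": "Vwar", "webmail/horde/": "Horde"}

# Assumed format: Apache combined log
# host ident user [time] "METHOD uri proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def find_probes(lines):
    """Return {source_ip: [(time, label, status, decoded_uri), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line or non-HTTP garbage on the port
        # Decode percent-escapes and lowercase the path so encoded or
        # mixed-case variants of the same probe still match.
        uri = unquote(m["uri"])
        path = uri.split("?", 1)[0].lower()
        for fragment, label in PROBE_FRAGMENTS.items():
            if fragment in path:
                hits[m["host"]].append((m["time"], label, int(m["status"]), uri))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Apr/2006:09:12:01 +0100] "GET /vwar/includes/example.php?arg=1 HTTP/1.1" 404 208 "-" "-"',
    '192.0.2.10 - - [16/Apr/2006:09:12:03 +0100] "GET /webmail/horde/example.php HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.7 - - [16/Apr/2006:09:13:40 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Apr/2006:09:15:22 +0100] "GET /VWar/includes%2Fexample.php HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in find_probes(SAMPLE_LOG).items():
        for when, label, status, uri in events:
            # A 200 means the probed path exists on this server and needs follow-up.
            note = "path exists, check that install" if status == 200 else "path not served"
            print(f"{ip} [{when}] {label} probe -> {status} ({note}): {uri}")
```

Unlike a truncated packet extract, the log line gives the full request URI and the server's response code, which shows whether the probed application is actually present.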