Re: Sanity worm defaces websites using php bug

2004-12-22 Thread Gadi Evron
Fergie (Paul Ferguson) wrote:
> These people don't waste much time when a new exploit is found, do they? Geez.
> http://isc.sans.org/diary.php?date=2004-12-21

As a friend of mine just said.. good times!
http://www.google.com/search?q=NeverEverNoSanity

Gadi.

Re: Sanity worm defaces websites using php bug

2004-12-21 Thread Gadi Evron
Dan Hollis wrote:
> On Tue, 21 Dec 2004, Fergie (Paul Ferguson) wrote:
>> These people don't waste much time when a new exploit is found, do they? Geez.
>> http://isc.sans.org/diary.php?date=2004-12-21
> It's exploiting a bug in old versions of phpbb, it's not using the recent php exploit.
> -Dan

It isn't very

Re: Sanity worm defaces websites using php bug

2004-12-21 Thread Paul G
- Original Message -
From: "cw" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 21, 2004 3:47 PM
Subject: Re: Sanity worm defaces websites using php bug

> Gonna be a nightmare for server ops to ensure that all client copies
> of phpBB ar

Re: Sanity worm defaces websites using php bug

2004-12-21 Thread Gadi Evron
cw wrote:
> Does anyone have any more detail on exactly what this thing does after it gets into a system?

Check *any* AV web site.

> The cgi platform for a company I use has been hit and the effect is not just limited to phpBB, it seems to get into the server and then go through everything it can wr

Re: Sanity worm defaces websites using php bug

2004-12-21 Thread Dave Dennis
The one instance of this I observed did the following:

1) got permissions of apache daemon by way of the viewtopic.php script
2) ran the server's wget to download http://www.packetstormsecurity.nl/DoS/udp.pl
3) pulled udp.pl down into /tmp, and ran, not sure how it got its list of ip.

The quic

Re: Sanity worm defaces websites using php bug

2004-12-21 Thread sgorman1
there is this from f-secure with some detail of after effects.
http://www.f-secure.com/v-descs/santy_a.shtml

- Original Message -
From: cw <[EMAIL PROTECTED]>
Date: Tuesday, December 21, 2004 3:47 pm
Subject: Re: Sanity worm defaces websites using php bug

> > Does any

Re: Sanity worm defaces websites using php bug

2004-12-21 Thread cw
Does anyone have any more detail on exactly what this thing does after it gets into a system? The cgi platform for a company I use has been hit and the effect is not just limited to phpBB, it seems to get into the server and then go through everything it can write to.. I lost a copy of UBB to th

Re: Sanity worm defaces websites using php bug

2004-12-21 Thread Dan Hollis
On Tue, 21 Dec 2004, Fergie (Paul Ferguson) wrote:
> These people don't waste much time when a new exploit
> is found, do they? Geez.
> http://isc.sans.org/diary.php?date=2004-12-21

It's exploiting a bug in old versions of phpbb, it's not using the recent php exploit.

-Dan

Re: Sanity worm defaces websites using php bug

2004-12-21 Thread sgorman1
Produces something along the lines of this:
http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2

- Original Message -
From: "Fergie (Paul Ferguson)" <[EMAIL PROTECTED]>
Date: Tuesday, December 21, 2004 1:11 pm
Subject: Sanity worm defaces we

Sanity worm defaces websites using php bug

2004-12-21 Thread Fergie (Paul Ferguson)
These people don't waste much time when a new exploit is found, do they? Geez.
http://isc.sans.org/diary.php?date=2004-12-21

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
[EMAIL PROTECTED] or [EMAIL PROTECTED]