[Dshield] PHP injection attacks

Frank Knobbe frank at knobbe.us
Thu Dec 22 13:35:17 GMT 2005

On Wed, 2005-12-21 at 21:25 -0600, tfischer at oldenburggroup.com wrote:
>    I have started to see exploit attempts against my VPN. I believe I have
> identified them as:
>  FrSIRT advisory 12/15/05 - ADV-2005-2932  CVE-2005-4317 CVE-2005-4318
> CVE-2005-4319 CVE-2005-4320 [...] They come in sets of 5 or 6.
> There was one set Monday night, 6 yesterday and 50 so far today. Does anyone
> know if this pattern has been automated and I'm just seeing some bots out
> there searching? Anyone else seeing this?

I bet everyone with an IDS or that reviews web server logs sees this. We
usually got just over a thousand of these a day, but for a week now, the
volume has almost tripled. So, yeah, it's automated. I consider it part
of normal background noise.

Stephane Grobety just posted an analysis of this nastyware. As long as
you don't run any of the vulnerable PHP-based software, your only worry
is that of web server or IDS log bloat :)

It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
