[Dshield] PHP injection attacks

tfischer at oldenburggroup.com
Thu Dec 22 20:55:10 GMT 2005

   Thanks for all your comments. My concern was that since I don't know what
is running inside my appliance, it's difficult to determine if I'm
vulnerable. I had just turned on an http connection and shortly thereafter
started seeing this traffic only to that box. Ethereal shows the connection
being made to my box, but I see no replies, so I guess I'm okay. Thanks,

-----Original Message-----
From: Frank Knobbe [mailto:frank at knobbe.us]
Sent: Thursday, December 22, 2005 7:35 AM
To: General DShield Discussion List
Subject: Re: [Dshield] PHP injection attacks

On Wed, 2005-12-21 at 21:25 -0600, tfischer at oldenburggroup.com wrote:
>    I have started to see exploit attempts against my VPN. I believe I 
> have identified them as:
>  FrSIRT advisory 12/15/05 - ADV-2005-2932  CVE-2005-4317 CVE-2005-4318
> CVE-2005-4319 CVE-2005-4320 [...] They come in sets of 5 or 6.
> There was one set Monday night, 6 yesterday and 50 so far today. Does 
> anyone know if this pattern has been automated and I'm just seeing 
> some bots out there searching? Anyone else seeing this?

I bet everyone with an IDS or that reviews web server logs sees this. We
usually got just over a thousand of these a day, but for a week now, the
volume has almost tripled. So, yeah, it's automated. I consider it part of
normal background noise.

Stephane Grobety just posted an analysis of this nastyware. As long as you
don't run any of the vulnerable PHP based software, your only worry is that
of web server or IDS log bloat :)

It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing against
your ports.
