[Dshield] Someone is scanning for PHP XML RPC vulnerability
dshield at oitc.com
Tue Oct 11 13:09:53 GMT 2005
At 9:31 AM +0200 10/11/05, Stephane Grobety wrote:
>Apparently, someone is actively scanning for the PHP XMLRPC flaw. All
>my web servers and three completely separate networks have been probed.
>All the probes came from the same source IP: 188.8.131.52.
>The following locations are probed:
>Unfortunately, I don't quite understand the command it gives to the
>script. I think it's trying to connect back to 184.108.40.206 on 8080,
>and the presence of chmod seems to indicate that it targets unix.
>The relevant parameter is:
>Does someone understand this script?
Exploit was documented back in the summer and if users patched they
should be OK. As stated in
http://forum.hardened-php.net/viewtopic.php?id=9 it's an exec()
exploit. What the above looks like is a piece of broken? code. The
".60.255.44/cback" would appear to be broken. It probably was a
curl/get from some IP of the code/script called cback, which is made
executable and executed with the parameters 220.127.116.11 8080. cback
appears to be the remote access trojan BackDoor-CTM.