[Dshield] Someone is scanning for PHP XML RPC vulnerability

Stephane Grobety security at admin.fulgan.com
Tue Oct 11 14:31:29 GMT 2005


Hello Tom,

Thanks for the answer.  CBack.exe seems to be a Windows executable. If
that's correct, why try chmod'ing it? It simply won't work on a
Windows machine, as it doesn't handle execution rights the same way as
*nix.

You're right in the fact that the code looks broken, though.

Something else: I checked the log a bit more since this morning and
I observed the following strange behavior: the source probed my
network using IP addresses, but it also hit a number of times using a
domain name. This, plus the fact that a single IP was the source of
all scans, led me to think that this is a manual scan, perhaps
perpetrated from a hacked machine but probably not a worm or a botnet.

Good luck,
Stephane

Tuesday, October 11, 2005, 3:09:53 PM, you wrote:

T> The exploit was documented back in the summer, and if users patched they
T> should be OK. As stated in
T> http://forum.hardened-php.net/viewtopic.php?id=9 it's an exec()
T> exploit. What the above looks like is a piece of broken(?) code.  The
T> ".60.255.44/cback" would appear to be broken. It probably was
T> curl/get from some IP; the code/script called cback, which is made
T> executable and executed with parameters of 216.55.159.52 8080.  cback
T> appears to be the remote access trojan BackDoor-CTM
T> (http://vil.nai.com/vil/content/v_134857.htm).
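As an added example (not code from either poster, and not the scanner's own payload), the following script pulls the pattern Stephane describes out of a web server access log: POST requests to xmlrpc.php-style paths, grouped by source address, with a note of whether each target was reached by IP literal or by host name. It assumes Apache "vhost_combined"-style lines (served host name or address prefixed to the standard combined format); the log lines, addresses and host names are constructed for the example, and the "single source + mixed addressing" classification is a heuristic that mirrors the reasoning in the post rather than an established signature.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample log (not from the original post). Format assumed:
# "<vhost> <src> - - [ts] \"METHOD path proto\" status bytes \"ref\" \"ua\"".
# 203.0.113.5 sweeps several hosts, some by address and one by name;
# 198.51.100.7 merely fetches /xmlrpc.php with GET, which cannot carry the
# XML request body the exploit needs and must not be flagged.
SAMPLE_LOG = """\
192.0.2.10 203.0.113.5 - - [11/Oct/2005:09:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 404 289 "-" "-"
192.0.2.11 203.0.113.5 - - [11/Oct/2005:09:02:12 +0000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 289 "-" "-"
www.example.net 203.0.113.5 - - [11/Oct/2005:09:05:40 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 289 "-" "-"
www.example.net 203.0.113.5 - - [11/Oct/2005:09:05:41 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 200 512 "-" "-"
www.example.net 198.51.100.7 - - [11/Oct/2005:09:07:02 +0000] "GET /xmlrpc.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
www.example.net 198.51.100.7 - - [11/Oct/2005:09:07:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The PHP XML-RPC bug lives in the server-side parser, so any script named
# xmlrpc.php (or a bare /xmlrpc endpoint) under any prefix is a candidate.
XMLRPC_PATH_RE = re.compile(r'/xmlrpc(?:\.php)?$', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_xmlrpc_probe(rec):
    """Only a POST can deliver the XML-RPC request body that triggers the exec() bug."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and XMLRPC_PATH_RE.search(path) is not None


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def summarize_probes(log_text):
    """Group xmlrpc POST probes by source address and record how targets were addressed."""
    by_src = defaultdict(lambda: {
        "hits": 0, "paths": set(), "targets_by_ip": set(), "targets_by_name": set(), "served": 0,
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_xmlrpc_probe(rec):
            continue
        s = by_src[rec["src"]]
        s["hits"] += 1
        s["paths"].add(rec["path"])
        bucket = "targets_by_ip" if is_ip_literal(rec["vhost"]) else "targets_by_name"
        s[bucket].add(rec["vhost"])
        if rec["status"] == "200":  # a 200 means an xmlrpc endpoint actually answered
            s["served"] += 1
    return dict(by_src)


def classify(summary):
    """Heuristic (assumption, mirroring the post): all probes from one source that
    reaches hosts both by address and by name reads as a hand-driven sweep."""
    sources = list(summary)
    mixed = any(s["targets_by_ip"] and s["targets_by_name"] for s in summary.values())
    return {
        "sources": len(sources),
        "single_source": len(sources) == 1,
        "mixed_addressing": mixed,
        "served": sum(s["served"] for s in summary.values()),
    }


if __name__ == "__main__":
    summary = summarize_probes(SAMPLE_LOG)
    for src, s in summary.items():
        print(src, s["hits"], "probes;", len(s["paths"]), "paths;",
              "by IP:", sorted(s["targets_by_ip"]), "by name:", sorted(s["targets_by_name"]))
    print(classify(summary))
```

The "served" counter is the line to look at first: a 404 is a probe that found nothing, while a 200 from an xmlrpc.php path means a real endpoint accepted the request, so that host's XML-RPC library version and any downloaded "cback"-style file are worth checking.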
