[Dshield] Sidewinder Command/Safemode Exploit 4.1 (PHP.Chaploit)

Maxime Ducharme mducharme at cybergeneration.com
Mon Jan 9 17:00:02 GMT 2006


we got hit by whats looks like a bot
trying to inject PHP.Chaploit in our sites

Host is in 202.226.224.*
User-Agent : lwp-trivial/1.35

the bot hit one of our dynamic pages (ASP)
trying to inject the PHP script located on

Full URL was


obviously trying to inject PHP in ASP isnt a good idea,
thats what makes me think this is automated (and dumb) attack

Virustotal says :
AntiVir 01.09.2006 Linux/Rootkit 
Avast 4.6.695.0 01.09.2006 PHP:Chaploit 
Avira 01.09.2006 Linux/Rootkit 
DrWeb 4.33 01.09.2006 PHP.Chaploit 
Kaspersky 01.09.2006 Exploit.PHP.e 
McAfee 4669 01.06.2006 PHP/Chaploit 
(other didnt detect anything)

I also advised sysadmin of the web server hosting this

i just wanted to share this information with the community

have a nice day

Maxime Ducharme

More information about the list mailing list