Vulnerability Development: Re: Rumours about Apache 1.3.22 exploits

Re: Rumours about Apache 1.3.22 exploits

From: VeNoMouS <venom_at_phreaker.net>
Date: Fri, 1 Mar 2002 06:03:40 +1300

Actually, I was pasted a so-called exploit this afternoon which claims to
exploit via POST, but I was only pasted a binary.
However, please watch out for this. I believe it is a working exploit, but it
also seems to open up a UDP port on 3049 and somehow seems to clone the
last proc. When stracing the 3049 process, all it seems to do is sit there and
recv(...), and it does nothing when you type anything.

The binary is called 73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 by lorian.

Has anyone seen this before? Is this a trojan? If not, then why does
it open UDP 3049 even after a reboot?
I traced the proc opening that port and killed it, and it seems to somehow clone my
last proc and then 2 mins later opens the port again.

Any ideas?

----- Original Message -----
From: "Olaf Kirch" <okir_at_caldera.de>
To: "H D Moore" <hdm_at_digitaloffense.net>
Cc: <fractalg_at_highspeedweb.net>; <vuln-dev_at_securityfocus.com>
Sent: Wednesday, February 27, 2002 3:07 AM
Subject: Re: Rumours about Apache 1.3.22 exploits

> > There is a bug in the php_split_mime function in PHP 3.x and 4.x. There is a
> > working exploit floating around which provides a remote bindshell for PHP
> > versions 4.0.1 to 4.0.6 with a handful of default offsets for different
> > platforms.
>
> Blechch. This code is really icky. There's really an sprintf down there
> in the code that looks bad (apart from a few other things that look bad).
> But if I don't misread the patch, the sprintf is still there in 4.1.1.
>
> > Since the PHP developers commited another change to the affected
> > source file (rfc1687.c) about two days ago, speculation is that there is yet
> > another remote exploit.
>
> Not in the public CVS (has been removed?)
>
> Olaf
> --
> Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
> okir_at_monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
> okir_at_caldera.de +-------------------- Why Not?! -----------------------
> UNIX, n.: Spanish manufacturer of fire extinguishers.
>
Received on Mar 05 2002
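The poster's questions (which process holds UDP 3049, what spawned it, and whether the binary is still on disk) can be answered from /proc without running the suspect binary again. The helper below is an added example, not code from the thread or from the exploit's author: it parses the /proc/net/udp socket table for the port, maps the socket inode to the PID(s) whose fd table hold it, and reports each owner's executable and parent. It assumes a Linux host with a readable /proc; the /proc/net/udp table embedded in it is a constructed sample, not output captured from the poster's system.

```python
# Added triage helper (not from the original thread): given the UDP port the
# poster is worried about, find the socket inode in /proc/net/udp, then the
# process holding that inode and its parent, so the "cloned last proc" claim
# can be checked against real PIDs. Linux only; the /proc table below is a
# constructed sample, not captured output.
import os

# Constructed /proc/net/udp sample: one listener on 0.0.0.0:3049 (inode 12345)
# and one on 127.0.0.1:53 (inode 23456).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 00000000:0BE9 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
  57: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23456 2 0000000000000000 0
"""


def parse_proc_net_udp(text):
    """Return [(local_ip, local_port, inode)] for each socket row of a /proc/net/udp table."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the IPv4 address as a host-order 32-bit hex word, so
        # on little-endian x86 the bytes come out reversed: 0100007F -> 127.0.0.1.
        ip = ".".join(str(int(hex_ip[i:i + 2], 16)) for i in (6, 4, 2, 0))
        rows.append((ip, int(hex_port, 16), int(fields[9])))
    return rows


def inodes_for_port(text, port):
    """Socket inodes of every UDP socket bound to `port` in the given table."""
    return [inode for _ip, p, inode in parse_proc_net_udp(text) if p == port]


def pids_holding_inode(inode, proc="/proc"):
    """PIDs whose fd table contains a symlink 'socket:[inode]', i.e. the socket's owner(s)."""
    target = "socket:[%d]" % inode
    pids = []
    try:
        entries = os.listdir(proc)
    except OSError:
        return pids
    for entry in entries:
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:           # process exited, or its fd table is not readable by us
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(entry))
                    break
            except OSError:
                continue
    return pids


def describe_pid(pid, proc="/proc"):
    """Return {'pid', 'exe', 'ppid', 'parent_exe'}; exe ends in ' (deleted)' if the binary was unlinked after launch."""
    def exe_of(p):
        try:
            return os.readlink(os.path.join(proc, str(p), "exe"))
        except OSError:
            return None

    ppid = None
    try:
        with open(os.path.join(proc, str(pid), "status")) as f:
            for line in f:
                if line.startswith("PPid:"):
                    ppid = int(line.split()[1])
                    break
    except OSError:
        pass
    return {"pid": pid, "exe": exe_of(pid), "ppid": ppid,
            "parent_exe": exe_of(ppid) if ppid else None}


def triage_udp_port(port, proc="/proc"):
    """Live check: who owns UDP `port` right now and who spawned them."""
    with open(os.path.join(proc, "net", "udp")) as f:
        table = f.read()
    return [describe_pid(pid, proc)
            for inode in inodes_for_port(table, port)
            for pid in pids_holding_inode(inode, proc)]


if __name__ == "__main__":
    for info in triage_udp_port(3049):
        print(info)
```

Run it as root so every /proc/<pid>/fd is readable; an `exe` ending in `(deleted)` means the listener's binary was removed from disk after it started, and a parent that is a shell or cron rather than the process that was killed is where to look for the respawn. The reopening after reboot that the poster reports points at a persistence mechanism (init scripts or cron), which this helper does not inspect.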
