....
 

Guardian Digital Inc. > InfoCenter > Mailing List Archives > Full Disclosure

Full Disclosure Mailing List Archive

From: Alex Schultz (aschultz@echo-inc.com)
Date: Tue Dec 21 2004 - 10:32:20 EST


Some of the sites I administer were alledgedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache. The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <HTML>
 <HEAD>
 <TITLE>This site is defaced!!!</TITLE>
 </HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
</BODY>
</HTML>

We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
this before? Also is there anything I should be aware of such as a
possible binary that may have been dropped? Could this have been
accomplised by the upload path traversal vulnerability? Google returns
nothing.

Thanks
-Alex Schultz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



[ About Guardian Digital ] - [ Press Center ] - [ Contact Us ] - [ System Activation ] - [ Reseller Info ] - [ Online Store ] - [ Site Map ]
Copyright (c) 2000 - 2004 Guardian Digital, Inc. Linux Lockbox and EnGarde are Trademarks of Guardian Digital, Inc.