-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

snort picked up the following yesterday evening:

[complete packet dump attached]

[GMT+1, yesterday]

49649| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 php content-disposition
49648| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 SHELLCODE x86 EB OC NOOP
49647| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 SHELLCODE x86 EB OC NOOP
49646| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 SHELLCODE x86 EB OC NOOP
49645| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 php content-disposition
49644| [18:39:00] 65.89.43.125:4040 -> a.b.c.4:80 php content-disposition
49643| [18:39:00] 65.89.43.125:4039 -> a.b.c.4:80 php content-disposition
49642| [18:38:59] 65.89.43.125:4038 -> a.b.c.4:80 php content-disposition
49641| [18:38:59] 65.89.43.125:4037 -> a.b.c.4:80 php content-disposition
49640| [18:38:59] 65.89.43.125:4036 -> a.b.c.4:80 php content-disposition
49639| [18:38:58] 65.89.43.125:4035 -> a.b.c.4:80 php content-disposition
49638| [18:38:58] 65.89.43.125:4034 -> a.b.c.4:80 php content-disposition
49637| [18:38:58] 65.89.43.125:4033 -> a.b.c.4:80 php content-disposition
49636| [18:38:58] 65.89.43.125:4032 -> a.b.c.4:80 php content-disposition
49635| [18:38:57] 65.89.43.125:4031 -> a.b.c.4:80 php content-disposition
49634| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 php content-disposition
49633| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 SHELLCODE x86 EB OC NOOP
49632| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 SHELLCODE x86 EB OC NOOP
49631| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 SHELLCODE x86 EB OC NOOP
49630| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 php content-disposition
49629| [18:38:55] 65.89.43.125:4013 -> a.b.c.34:80 php content-disposition
49628| [18:38:54] 65.89.43.125:4012 -> a.b.c.34:80 php content-disposition
49627| [18:38:54] 65.89.43.125:4011 -> a.b.c.34:80 php content-disposition
49626| [18:38:54] 65.89.43.125:4010 -> a.b.c.34:80 php content-disposition
49625| [18:38:54] 65.89.43.125:4009 -> a.b.c.34:80 php content-disposition
49624| [18:38:53] 65.89.43.125:4008 -> a.b.c.34:80 php content-disposition
49623| [18:38:53] 65.89.43.125:4007 -> a.b.c.34:80 php content-disposition
49622| [18:38:53] 65.89.43.125:4006 -> a.b.c.34:80 php content-disposition
49621| [18:38:53] 65.89.43.125:4004 -> a.b.c.34:80 php content-disposition
49620| [18:38:52] 65.89.43.125:4003 -> a.b.c.34:80 php content-disposition
49619| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80 php content-disposition
49618| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80 SHELLCODE x86 EB OC NOOP
49617| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80 SHELLCODE x86 EB OC NOOP
49616| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80 SHELLCODE x86 EB OC NOOP
49615| [18:38:50] 65.89.43.125:3989 -> a.b.c.33:80 php content-disposition
49614| [18:38:50] 65.89.43.125:3975 -> a.b.c.33:80 php content-disposition
49613| [18:38:49] 65.89.43.125:3974 -> a.b.c.33:80 php content-disposition
49612| [18:38:49] 65.89.43.125:3973 -> a.b.c.33:80 php content-disposition
49611| [18:38:49] 65.89.43.125:3972 -> a.b.c.33:80 php content-disposition
49610| [18:38:48] 65.89.43.125:3971 -> a.b.c.33:80 php content-disposition
49609| [18:38:48] 65.89.43.125:3970 -> a.b.c.33:80 php content-disposition
49608| [18:38:48] 65.89.43.125:3969 -> a.b.c.33:80 php content-disposition
49607| [18:38:48] 65.89.43.125:3965 -> a.b.c.33:80 php content-disposition
49606| [18:38:47] 65.89.43.125:3961 -> a.b.c.33:80 php content-disposition
49605| [18:38:47] 65.89.43.125:3957 -> a.b.c.33:80 php content-disposition

Here he stopped. There are a few web servers left in our /24, so I put up tcpdump; maybe I'll get a few complete traces...

The client machine tells me the following:

> telnet 65.89.43.125 80
Trying 65.89.43.125...
Connected to 65.89.43.125.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 19 Jun 2002 19:34:10 GMT
Server: Apache/1.3.14 (Unix) PHP/4.0.4pl1
Connection: close
Content-Type: text/html

so it seems vulnerable...

I've never seen this in the wild until right now... Has anyone seen large (or any) activity regarding the PHP file upload bug? Or am I only overly nervous because of the recent Apache / OpenSSH problems?

Greetings,
Roland

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: More info: see http://www.gnupg.org

iD8DBQE9GKLqTyqg9LmJhHMRAhX9AKDUjaqeroZ+GPy0FRC0TUrb4q+9aACfR/r+
g+hfktzcIV9aLGGnbBp0wcU=
=ti8P
-----END PGP SIGNATURE-----
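As an added example (not part of Roland's post or of Snort itself): a small Python script that reads alert lines in the shape shown in the post, ties the alerts from one TCP connection together by source port, and separates the connections that tripped only the "php content-disposition" rule from those that also carried the x86 NOOP-sled alerts. The sample lines are constructed from the listing above; the rule-name strings it matches on and the classification labels are this example's own assumptions.

```python
"""Added example: sort Snort alert lines of the kind shown in the post into
per-connection flows and flag the flows that carried NOOP-sled shellcode."""
import re
from collections import defaultdict

# Constructed sample in the same shape as the post's listing
# (alert id | [time] src:port -> dst:port rule message).
SAMPLE_ALERTS = """\
49649| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 php content-disposition
49648| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 SHELLCODE x86 EB OC NOOP
49647| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 SHELLCODE x86 EB OC NOOP
49646| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 SHELLCODE x86 EB OC NOOP
49645| [18:39:00] 65.89.43.125:4053 -> a.b.c.4:80 php content-disposition
49644| [18:39:00] 65.89.43.125:4040 -> a.b.c.4:80 php content-disposition
49643| [18:39:00] 65.89.43.125:4039 -> a.b.c.4:80 php content-disposition
49634| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 php content-disposition
49633| [18:38:55] 65.89.43.125:4018 -> a.b.c.34:80 SHELLCODE x86 EB OC NOOP
49629| [18:38:55] 65.89.43.125:4013 -> a.b.c.34:80 php content-disposition
"""

# Rule names as they appear in the listing; matching on them is an assumption
# of this example, not something Snort itself does.
UPLOAD_SIG = "php content-disposition"
SHELLCODE_PREFIX = "SHELLCODE "

ALERT_RE = re.compile(
    r"^(?P<id>\d+)\|\s*\[(?P<time>[^\]]+)\]\s*"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[^\s:]+):(?P<dport>\d+)\s+(?P<msg>.+?)\s*$"
)


def parse_alerts(text):
    """Return one dict per line that matches the alert format; other lines
    (blank lines, headers) are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m is None:
            continue
        a = m.groupdict()
        a["sport"] = int(a["sport"])
        a["dport"] = int(a["dport"])
        alerts.append(a)
    return alerts


def group_flows(alerts):
    """Group alert messages by (src, sport, dst, dport); the source port is
    what ties the several alerts from one TCP connection together."""
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["src"], a["sport"], a["dst"], a["dport"])].append(a["msg"])
    return dict(flows)


def classify_flow(msgs):
    """Label a flow by which rules it tripped. A connection that carries both
    the multipart upload signature and NOOP-sled alerts is the one worth
    pulling from the packet dump first."""
    has_upload = UPLOAD_SIG in msgs
    has_shellcode = any(m.startswith(SHELLCODE_PREFIX) for m in msgs)
    if has_upload and has_shellcode:
        return "upload+shellcode"
    if has_upload:
        return "upload-only"
    if has_shellcode:
        return "shellcode-only"
    return "other"


def summarize_targets(alerts):
    """Per destination host: number of distinct connections, how many of them
    carried shellcode, and the source ports of those connections."""
    summary = {}
    for (src, sport, dst, dport), msgs in group_flows(alerts).items():
        entry = summary.setdefault(
            dst, {"flows": 0, "with_shellcode": 0, "shellcode_sports": []}
        )
        entry["flows"] += 1
        if classify_flow(msgs) == "upload+shellcode":
            entry["with_shellcode"] += 1
            entry["shellcode_sports"].append(sport)
    return summary


if __name__ == "__main__":
    for host, e in sorted(summarize_targets(parse_alerts(SAMPLE_ALERTS)).items()):
        print(f"{host}: {e['flows']} connections, "
              f"{e['with_shellcode']} with shellcode "
              f"(src ports {e['shellcode_sports']})")
```

Run against the full listing in the post, the only connections carrying NOOP alerts are the three with source ports 4053, 4018 and 3989, one per target host, each arriving after a run of upload-only connections from the same source; those three source ports are the ones to extract from the attached packet dump first.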
This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 08:35:58 PDT