Actually I was pasted on a so-called exploit this afternoon which claims to exploit via post but was only pasted on a binary. However, please watch out for this. I believe it's a working exploit, but it also seems to open up a udp port on 3049 and somehow seems to be cloning the last proc. When stracing the 3049, all it seems to do is sit there and recv(...) and does nothing when you type anything. Binary is called 73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 by lorian.

Has anyone seen this about before? Is this a trojan? If not, then why does it open udp 3049 even after a reboot? I trace the proc opening that port, kill it, and it seems to clone somehow my last proc and then 2 mins later opens the port again. Any ideas?

----- Original Message -----
From: "Olaf Kirch" <okirat_private>
To: "H D Moore" <hdmat_private>
Cc: <fractalgat_private>; <vuln-devat_private>
Sent: Wednesday, February 27, 2002 3:07 AM
Subject: Re: Rumours about Apache 1.3.22 exploits

> > There is a bug in the php_split_mime function in PHP 3.x and 4.x. There is a
> > working exploit floating around which provides a remote bindshell for PHP
> > versions 4.0.1 to 4.0.6 with a handful of default offsets for different
> > platforms.
>
> Blechch. This code is really icky. There's really an sprintf down there
> in the code that looks bad (apart from a few other things that look bad).
> But if I don't misread the patch, the sprintf is still there in 4.1.1.
>
> > Since the PHP developers committed another change to the affected
> > source file (rfc1687.c) about two days ago, speculation is that there is yet
> > another remote exploit.
>
> Not in the public CVS (has been removed?)
>
> Olaf
> --
> Olaf Kirch      |  --- o --- Nous sommes du soleil we love when we play
> okirat_private  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
> okirat_private  +-------------------- Why Not?! -----------------------
>          UNIX, n.: Spanish manufacturer of fire extinguishers.
This archive was generated by hypermail 2b30 : Mon Mar 04 2002 - 23:20:14 PST