VeNoMouS wrote: > > Actally I was pasted on a so called exploit this afternoon which claims to > exploit via post but was only pasted on a binary, > how ever please watch out for this I beleave its a working exploit but it > also seems to open up a udp port on 3049 and some how seems to cloning the > last proc , when stracing the 3049 all it seems to do is sit there and > recv(...) and does nothing when you type anything. > > binary is called 73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 by lorian. > > Has any one seen this about before?? Is this a trojan , if not then why does > it open udp 3049 even after a reboot. > i trace the proc opening that port kill it and it seems to clone some how my > last proc and then 2mins l8r opens the port again. > > Any ideas? This exploit is a trojan. Best Regards, Charles Stevenson > ----- Original Message ----- > From: "Olaf Kirch" <okirat_private> > To: "H D Moore" <hdmat_private> > Cc: <fractalgat_private>; <vuln-devat_private> > Sent: Wednesday, February 27, 2002 3:07 AM > Subject: Re: Rumours about Apache 1.3.22 exploits > > > > There is a bug in the php_split_mime function in PHP 3.x and 4.x. There > is a > > > working exploit floating around which provides a remote bindshell for > PHP > > > versions 4.0.1 to 4.0.6 with a handful of default offsets for different > > > platforms. > > > > Blechch. This code is really icky. There's really an sprintf down there > > in the code that looks bad (apart from a few other things that look bad). > > But if I don't misread the patch, the sprintf is still there in 4.1.1. > > > > > Since the PHP developers commited another change to the affected > > > source file (rfc1687.c) about two days ago, speculation is that there is > yet > > > another remote exploit. > > > > Not in the public CVS (has been removed?) > > > > Olaf > > -- > > Olaf Kirch | --- o --- Nous sommes du soleil we love when we play > > okirat_private | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax > > okirat_private +-------------------- Why Not?! ----------------------- > > UNIX, n.: Spanish manufacturer of fire extinguishers. > >
This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 12:08:46 PST