Some of the sites I administer were alledgedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache. The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
</BODY>
</HTML>
We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
this before? Also is there anything I should be aware of such as a
possible binary that may have been dropped? Could this have been
accomplised by the upload path traversal vulnerability? Google returns
nothing.
Thanks
-Alex Schultz
--
gentoo-security@gentoo.org mailing list
It overwrote all .php/.html files that were owner writable and owned by
apache. The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
</BODY>
</HTML>
We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
this before? Also is there anything I should be aware of such as a
possible binary that may have been dropped? Could this have been
accomplised by the upload path traversal vulnerability? Google returns
nothing.
Thanks
-Alex Schultz
--
gentoo-security@gentoo.org mailing list