Full Version: finfo exploit info?
John D.
I searched but couldn't find any info on this recent exploit. It dumps many different .php files and .htaccess files in your system that use base64 to redirect pages. It appears to be fairly widespread. Some of the file names it inserts include:
finfo.php
time.php
date.php
many others

Is there any info available about points of entry for this exploit and corrective actions to prevent future occurrences?
klaude
This blog says it's a PHP Nuke exploit.
Matt2k
I think my grandmother wrote a PHP-Nuke exploit once. Mango.dropper
John D.
Thanks. Yes, that blog was very helpful when we first discovered the exploit. We were wondering if that was the only point of entry, or if anyone had found it to be using other software as well.
lvanderb
I also read it could be phpBB, but we have neither phpBB nor phpNuke on our server. How can we find out where and how the exploit happened so we can block that hole?

Linda
John D.
That's what we'd like to know as well. Ethan's blog is down at the moment, but I believe he searched his httpd log to discover how they first gained entry to his system. We're just not sure exactly what to look for, and of course that log gets purged often due to its size.
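
Added example (not part of the original thread, and not any poster's code): a triage scan for the kind of files described in the first post, i.e. dropped `.php` and `.htaccess` files that use base64 to redirect pages. The regular expressions are assumed heuristics rather than signatures taken from the thread, and hits are listed oldest first so the earliest modification time can be compared against whatever httpd log entries remain.

```python
import os, re, sys

# File names reported in the thread. The poster says there were "many others",
# so a name match is only a hint and content is checked as well.
REPORTED_NAMES = {"finfo.php", "time.php", "date.php"}
# Assumed heuristics: PHP that base64-decodes (and possibly executes) data,
# and .htaccess rules that point at an absolute URL or mention base64.
PHP_B64 = re.compile(rb"base64_decode\s*\(", re.I)
PHP_EXEC = re.compile(rb"\b(eval|assert|create_function)\s*\(", re.I)
HT_REDIRECT = re.compile(rb"^\s*(RewriteRule|Redirect\w*)\b.*https?://", re.I | re.M)

def scan(root):
    """Return [(path, [reasons])] for .php/.htaccess files worth a manual look."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if not (low.endswith(".php") or low == ".htaccess"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # first 1 MiB is enough for triage
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            reasons = []
            if low in REPORTED_NAMES:
                reasons.append("name reported in thread")
            if low.endswith(".php") and PHP_B64.search(data):
                reasons.append("base64_decode" + ("+exec" if PHP_EXEC.search(data) else ""))
            if low == ".htaccess" and (HT_REDIRECT.search(data) or b"base64" in data.lower()):
                reasons.append("htaccess redirect/base64")
            if reasons:
                hits.append((path, reasons))
    # Oldest first; mtimes can be altered, so treat them as a lead, not proof.
    return sorted(hits, key=lambda h: os.path.getmtime(h[0]))

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in scan(root):
        print(int(os.path.getmtime(path)), path, ", ".join(reasons))
```

Legitimate `.htaccess` files that redirect to an absolute URL will also be listed; every hit needs a manual look before anything is deleted.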