[WBEL-users] Severe PHP vulnerability??
Mike Staver
staver@fimble.com
Mon, 20 Dec 2004 12:51:22 -0700
I sent out an email with an attachment for people to check out, but
apparently the list doesn't accept attachments without approval.
Basically, I was just saying that I've been compromised by this new
security hole already. A worm called the NeverEverNoSanity WebWorm
generation 9. I can't find squat on Google about this, so all I have
done right now is kill apache. Every php file on my entire system that
was web accessible has been replaced with this lovely text:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD><BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation 9.</b></ADDRESS>
</BODY></HTML>
So, my point is, updated PHP rpms would be appreciated. Also, I want to
throw time at this to make a contribution to the project - can somebody
tell me how to snag the source if any RH updates exist, and then
how to roll them for WBEL?
Johnny Hughes wrote:
> On Sat, 2004-12-18 at 16:18 -0500, jk42@bitbuckets.com wrote:
>
>>Hello all,
>>
>>By now I'm sure everyone is aware of the major vulnerability with PHP
>>versions prior to 4.3.9 or 5.0.2. There are actually a number of
>>different problems, but all (except one, which is currently being
>>exploited) are only problems for hosts which allow users to create their
>>own PHP pages. The one remotely exploitable attack, which deals with the
>>unserialize() call (and on Athlon64 systems has been demonstrated to
>>execute shell code with the privileges of the web server process), is
>>widely used.
>>
>>http://www.hardened-php.net/advisories/012004.txt
>>
>>What are other WBEL users doing to protect themselves? The only updates I
>>have found are source code downloads of PHP 4.3.10 or 5.0.3, and from what
>>I hear it's a royal pain to recompile PHP and all the drivers. WBEL has
>>version 4.3.2.
>>
>>Does anyone know of a solution to this, while we wait for RedHat to
>>release an official RHEL fix? Does someone know where the unserialize
>>problem is and how to fix it - perhaps I could backport the fix to the
>>4.3.2 WBEL packages. I'll do some research and let everyone know.
>
>
> These packages are released, but unsupported for RHEL3:
>
> http://people.redhat.com/jorton/Taroon-php/
--
-Mike Staver
staver@fimble.com
mstaver@globaltaxnetwork.com
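
An added triage example, not part of the original message or of any WBEL tooling: it walks a web root, lists the PHP files that were overwritten with the defacement page quoted above, and reports the time window of the overwrites from file mtimes. The function names, the sample tree and its timestamps are constructed, and it assumes an overwritten file contains the marker string and no PHP open tag.

```python
import os, tempfile
from datetime import datetime, timezone

# Marker taken from the defacement page quoted in the message above.
MARKER = b"NeverEverNoSanity WebWorm"

def scan_docroot(root, exts=(".php",)):
    """Split files under root into defaced [(path, mtime)], intact and unreadable."""
    defaced, intact, unreadable = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                mtime = os.stat(path).st_mtime
            except OSError:
                unreadable.append(path)  # report these, do not skip silently
                continue
            # Assumption: overwritten files are pure HTML (marker, no PHP open tag).
            if MARKER in data and b"<?" not in data:
                defaced.append((path, mtime))
            else:
                intact.append(path)
    defaced.sort(key=lambda item: item[1])  # oldest overwrite first
    return defaced, intact, unreadable

def overwrite_window(defaced):
    """Earliest and latest mtime (UTC) of the defaced files, or None."""
    if not defaced:
        return None
    to_utc = lambda ts: datetime.fromtimestamp(ts, timezone.utc)
    return to_utc(defaced[0][1]), to_utc(defaced[-1][1])

def build_sample_docroot():
    """Constructed sample tree: two defaced files, one intact, one non-PHP."""
    root = tempfile.mkdtemp(prefix="docroot-")
    page = b"<HTML><BODY><ADDRESS><b>" + MARKER + b" generation 9.</b></ADDRESS></BODY></HTML>"
    samples = {"index.php": (page, 1103500000), "forum/view.php": (page, 1103500060),
               "lib/db.php": (b"<?php echo 'ok'; ?>", 1103000000), "readme.txt": (page, 1103500000)}
    for rel, (body, ts) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (ts, ts))  # constructed mtimes so the window is deterministic
    return root

if __name__ == "__main__":
    hits, ok, _ = scan_docroot(build_sample_docroot())
    print(len(hits), "defaced,", len(ok), "intact, window:", overwrite_window(hits))
```

The window's start time gives a point from which to read the web server access logs, and the intact list shows which PHP files still need to be checked against a known-good copy.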