[WBEL-users] Severe PHP vulnerability??
Pucky Loucks
ploucks@h2st.com
Mon, 20 Dec 2004 12:15:13 -0800
I just got this 1 hour ago on my production servers using phpbb. Does
anyone know if this is a full-fledged compromise or is this a script
kitty? If I can help in any way Mike, just let me know.
thanks,
Pucky
On 20-Dec-04, at 11:51 AM, Mike Staver wrote:
> I sent out an email with an attachment for people to check out, but
> apparently the list doesn't accept attachments without approval.
> Basically, I was just saying that I've been compromised by this new
> security hole already. A worm called the NeverEverNoSanity WebWorm
> generation 9. I can't find squat on google about this, so all I have
> done right now is kill apache. Every php file on my entire system
> that was web accessible has been replaced with this lovely text:
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML><HEAD>
> <TITLE>This site is defaced!!!</TITLE>
> </HEAD><BODY bgcolor="#000000" text="#FF0000">
> <H1>This site is defaced!!!</H1>
> <HR>
> <ADDRESS><b>NeverEverNoSanity WebWorm generation 9.</b></ADDRESS>
> </BODY></HTML>
>
> So, my point is, updated PHP rpms would be appreciated. Also, I want
> to throw time at this to make a contribution to the project - can
> somebody tell me how to snag the source if any RH updates
> exist, and then how to roll them for WBEL?
>
> Johnny Hughes wrote:
>> On Sat, 2004-12-18 at 16:18 -0500, jk42@bitbuckets.com wrote:
>>> Hello all,
>>>
>>> By now I'm sure everyone is aware of the major vulnerability with PHP
>>> versions prior to 4.3.9 or 5.0.2. There are actually a number of
>>> different problems, but all (except one, which is currently being
>>> exploited) are only problems for hosts which allow users to create their
>>> own PHP pages. The one remotely exploitable attack, which deals with the
>>> unserialize() call (and on Athlon64 systems has been demonstrated to
>>> execute shell code with the privileges of the web server process), is
>>> widely used.
>>>
>>> http://www.hardened-php.net/advisories/012004.txt
>>>
>>> What are other WBEL users doing to protect themselves? The only updates I
>>> have found are source code downloads of PHP 4.3.10 or 5.0.3, and from what
>>> I hear it's a royal pain to recompile PHP and all the drivers. WBEL has
>>> version 4.3.2.
>>>
>>> Does anyone know of a solution to this, while we wait for RedHat to
>>> release an official RHEL fix? Does someone know where the unserialize
>>> problem is and how to fix it - perhaps I could backport the fix to the
>>> 4.3.2 WBEL packages. I'll do some research and let everyone know.
>> These packages are released, but unsupported for RHEL3:
>> http://people.redhat.com/jorton/Taroon-php/
>> _______________________________________________
>> Whitebox-users mailing list
>> Whitebox-users@beau.org
>> http://beau.org/mailman/listinfo/whitebox-users
>
> --
>
> -Mike Staver
> staver@fimble.com
> mstaver@globaltaxnetwork.com
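Two checks a WBEL admin reading this thread would want to run: a sweep of the web root for PHP files overwritten with the worm's defacement page (matched on the "NeverEverNoSanity WebWorm" text quoted above), and a test of whether an installed PHP version falls in the range the advisory names (before 4.3.9 or 5.0.2). This is an added example, not code from the thread or from the PHP or WBEL projects; the sample web root it builds is constructed for the demo.

```python
"""Defender-side checks for the Santy-style defacement discussed above:
find PHP files replaced with the worm's page, and flag PHP versions the
advisory lists as affected (4.x before 4.3.9, 5.x before 5.0.2)."""
import os
import tempfile

# Marker string taken from the defacement page quoted in the thread.
DEFACEMENT_MARKER = b"NeverEverNoSanity WebWorm"


def parse_version(version):
    """'4.3.2' -> (4, 3, 2); missing components count as 0."""
    parts = [int(p) for p in version.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected_php_version(version):
    """True for the 4.x line before 4.3.9 and the 5.x line before 5.0.2."""
    v = parse_version(version)
    if v[0] == 4:
        return v < (4, 3, 9)
    if v[0] == 5:
        return v < (5, 0, 2)
    return False  # the advisory only covers the 4.x and 5.x lines


def find_defaced_files(webroot, marker=DEFACEMENT_MARKER):
    """Walk webroot and return paths of .php files containing the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if marker in fh.read():
                    hits.append(path)
    return sorted(hits)


def demo():
    """Constructed sample web root: one defaced file and one clean file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<H1>This site is defaced!!!</H1>\n"
                 b"<ADDRESS><b>NeverEverNoSanity WebWorm generation 9.</b>"
                 b"</ADDRESS>\n")
    with open(os.path.join(root, "config.php"), "wb") as fh:
        fh.write(b"<?php $dbhost = 'localhost'; ?>\n")
    return [os.path.basename(p) for p in find_defaced_files(root)]


if __name__ == "__main__":
    print(demo(), is_affected_php_version("4.3.2"))
```

Point `find_defaced_files` at the real DocumentRoot to get the list of files to restore from backup; the version check is only a first filter, since the fix may also be backported into a distribution package with an older version string.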