Honeypot Compromises II
Wednesday, August 16, 2006
There was another compromise of our honeypots in May 2006. This time, the affected honeypot was running Red Hat 8.0, and an older version of phpAdsNew was the infection vector. The attacker used several SSH brute-force scanners and other tools; read the full analysis for a complete timeline.
Motivation:
On May 7th 2006 our Red Hat 8.0 based honeypot was attacked and successfully compromised
by exploiting a vulnerability in an installed web application named phpAdsNew. The
vulnerability allows a remote attacker to execute arbitrary commands with the privileges of the
web server on the victim host. This flaw is due to an unspecified error in the XML-RPC library
for PHP. It was first discovered in July 2005 and affects all phpAdsNew versions up to 2.0.5.
The full analysis was written by Jan Göbel during his thesis work.