Honeypot Compromises II

There was another compromise of our honeypots in May 2006. This time, the affected honeypot was running Red Hat 8.0, and an older version of phpAdsNew was the infection vector. The attacker used several SSH brute-force scanners and other tools; read the full analysis for a complete timeline.


Motivation:
On May 7th 2006 our Red Hat 8.0 based honeypot was attacked and successfully compromised by exploiting a vulnerability in an installed web application named phpAdsNew. The vulnerability allows a remote attacker to execute arbitrary commands with the privileges of the webserver on the victim host. This flaw is due to an unspecified error in the XML-RPC library for PHP. It was first discovered in July 2005 and affects all phpAdsNew versions up to 2.0.5.

The full analysis was written by Jan Göbel during his thesis work.
