Tracing image.php vulnerable script
Ok, a client had a PNphpBB2 board installed. The /files directory was chmodded 777, and I am not sure whether that is required for that board, but I changed it to 755. Someone (a hacker) placed an image.php file in there (see attached original file). I tried to trace the IP and such. Below is what I got. Any help is appreciated.
Code:
root@server4 [/home/ammo/public_html/modules/PNphpBB2/files]# ls -lh
total 28K
drwxr-xr-x  4 ammo   ammo   4.0K Feb 10 22:43 ./
drwxr-xr-x 15 ammo   ammo   4.0K Jan  2 14:19 ../
drwxr-xr-x  3 nobody nobody 4.0K Feb  9 17:22 .../
-rw-r--r--  1 nobody nobody 7.4K May  2  2005 image.php
-rw-r--r--  1 ammo   ammo    169 Jan  2 13:57 index.htm
drwxr-xr-x  2 ammo   ammo   4.0K Jan  2 13:57 thumbs/
Code:
root@server4 [/home/ammo/public_html/modules/PNphpBB2/files]# stat image.php
  File: `image.php'
  Size: 7545       Blocks: 16         IO Block: 4096   regular file
Device: 803h/2051d      Inode: 28100181    Links: 1
Access: (0644/-rw-r--r--)  Uid: (   99/  nobody)   Gid: (   99/  nobody)
Access: 2006-02-10 22:43:45.907556072 -0600
Modify: 2005-05-02 10:05:03.000000000 -0500
Change: 2006-02-10 22:43:00.664434072 -0600
Code:
root@server4 [/usr/local/apache/domlogs]# grep image.php clientdomain.com
xx.xxx.107.35 - - [10/Feb/2006:22:28:12 -0600] "GET /modules/PNphpBB2/files/image.php HTTP/1.1" 401 706 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727) Netscape/8.1"
xx.xxx.107.35 - - [10/Feb/2006:22:28:16 -0600] "GET /modules/PNphpBB2/files/phpshell.css HTTP/1.1" 404 - "http://clientdomain.com/modules/PNphpBB2/files/image.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727) Netscape/8.1"
Code:
root@server4 [/usr/local/apache/domlogs]# ps axw | grep image.php
15350 pts/1    S+     0:00 grep image.php
root@server4 [/usr/local/apache/domlogs]# ls -l /proc/15350/exe
/bin/ls: /proc/15350/exe: No such file or directory
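The log and stat output above can be correlated mechanically rather than by eyeballing a grep. The script below is an added example for this thread, not code from the original post: it parses Apache combined-format lines like the ones in the domlog, finds every request that fetched the dropped file or carried it as a referer (which is how the phpshell.css 404 shows up), lists what the same client did in the minutes before the first hit, and compares the first hit against the file's ctime from stat. The log lines in SAMPLE_LOG are constructed for the example; 203.0.113.35 stands in for the masked xx.xxx.107.35, and the earlier POST line is a placeholder to show that prior activity from the same client gets surfaced, not evidence of how the file actually arrived.

```python
# Added example (not from the original post): correlate a dropped PHP file with
# Apache combined-format access-log entries. Sample data below is constructed.
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample domlog. 203.0.113.35 is a placeholder for the masked
# attacker IP; the POST to posting.php is only an illustrative earlier request.
SAMPLE_LOG = """\
203.0.113.35 - - [10/Feb/2006:22:20:01 -0600] "GET /modules/PNphpBB2/index.php HTTP/1.1" 200 15121 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [10/Feb/2006:22:25:40 -0600] "GET /index.php HTTP/1.1" 200 8102 "-" "Mozilla/5.0"
203.0.113.35 - - [10/Feb/2006:22:27:55 -0600] "POST /modules/PNphpBB2/posting.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.35 - - [10/Feb/2006:22:28:12 -0600] "GET /modules/PNphpBB2/files/image.php HTTP/1.1" 401 706 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.35 - - [10/Feb/2006:22:28:16 -0600] "GET /modules/PNphpBB2/files/phpshell.css HTTP/1.1" 404 - "http://clientdomain.com/modules/PNphpBB2/files/image.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# "Change:" line from the stat output in the post (ctime, -0600).
FILE_CTIME = datetime(2006, 2, 10, 22, 43, 0, tzinfo=timezone(timedelta(hours=-6)))


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def hits_on(entries, name):
    """Requests for `name` itself, or whose referer names it (the phpshell.css case)."""
    return [e for e in entries if name in e["path"] or name in e["referer"]]


def activity_before(entries, ips, until, window=timedelta(minutes=15)):
    """Everything the suspect IPs did in the window ending at `until` (inclusive)."""
    start = until - window
    return [e for e in entries if e["ip"] in ips and start <= e["time"] <= until]


def investigate(text, name, file_ctime):
    """Tie the dropped file to log activity and to the inode timestamps."""
    entries = parse_log(text)
    hits = hits_on(entries, name)
    if not hits:
        return {"hit_count": 0, "ips": [], "first_hit": None, "prior": [],
                "ctime_minus_first_hit": None}
    first = min(hits, key=lambda e: e["time"])
    ips = sorted({e["ip"] for e in hits})
    prior = activity_before(entries, ips, first["time"])
    # ctime moves on any inode change (chmod, chown, rename), so a ctime later
    # than the first request proves ctime is not the time the file was dropped.
    gap = int((file_ctime - first["time"]).total_seconds())
    return {"hit_count": len(hits), "ips": ips, "first_hit": first,
            "prior": prior, "ctime_minus_first_hit": gap}


if __name__ == "__main__":
    r = investigate(SAMPLE_LOG, "image.php", FILE_CTIME)
    print("suspect IPs:", r["ips"])
    print("first hit:", r["first_hit"]["time"].isoformat(), r["first_hit"]["path"])
    for e in r["prior"]:
        print(" ", e["time"].time(), e["ip"], e["method"], e["path"], e["status"])
    print("ctime is", r["ctime_minus_first_hit"], "s after the first request")
```

On the real server the same run would be fed the whole domlog (and the other vhosts' logs, since the dropped file can be reached through any of them). Two things the output makes explicit: the first request for image.php (22:28:12) comes almost fifteen minutes before the ctime in stat (22:43:00), so the ctime only records a later inode change and the 2005 mtime was set by whatever wrote the file, which leaves the access log as the usable timeline; and a PHP script executes inside the Apache worker that handles the request, so it never appears in `ps` as a process of its own, which is why the grep above matched only itself.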