We're looking into a host compromise reported by Mike, a diary reader. Mike reported a PHP remote file inclusion attack against an Open Conference Systems web application used in his organization. A modified r57shell php script was used to compromise the system.
A vulnerability disclosure for the Open Conference System was posted to BugTraq on Friday October 13th which mentions that versions <= 1.1.3 are vulnerable. Interestingly enough, the official software distribution site at http://pkp.sfu.ca/ocs_download/ states that all versions prior to version 1.1.6 are vulnerable. Take a look at your respective environments to determine if you are running OCS software, and if you find it... Do I have to say it? Patch.
The time between vulnerability disclosure and determined time of host compromise in this case was approximately 1.5 hours. I can only speculate as to how many hosts have already or are yet to become phishing sites, spammer nodes, iframe exploit hosts or fall prey to any other manner of abuse due to this vulnerability.
If you do have OCS installed, the following command line gives a quick check for signs of abuse in your web server logs.
grep "fullpath=http:" YourWebServerLogLocation.log
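The grep above only matches the literal, lower-case string "fullpath=http:", so a URL-encoded or mixed-case parameter value slips past it. As an added example (not from the diary), the script below parses combined-format web server log lines, URL-decodes each query parameter and flags any whose value begins with a remote URL scheme; the log lines, IP addresses and the /ocs/index.php path are constructed for illustration, not taken from Mike's logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/NCSA combined log format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A parameter value starting with one of these is the classic remote file inclusion pattern
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def rfi_params(uri):
    """Return (name, value) pairs from the query string whose decoded value points at a remote URL."""
    query = urlsplit(uri).query
    # parse_qsl percent-decodes values, so fullpath=http%3A%2F%2F... is caught as well
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if value.lower().startswith(REMOTE_SCHEMES)]


def scan_log(lines):
    """Return one record per log line that carries a remote-URL parameter; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        suspicious = rfi_params(m.group("uri"))
        if suspicious:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "params": suspicious})
    return hits


# Constructed sample log: one normal hit, one literal RFI attempt, one percent-encoded attempt, one normal query
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Oct/2006:10:15:02 +0000] "GET /ocs/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Oct/2006:11:40:19 +0000] "GET /ocs/index.php?fullpath=http://203.0.113.5/x.txt? HTTP/1.1" 200 8201 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [16/Oct/2006:11:41:03 +0000] "GET /ocs/index.php?fullpath=HTTP%3A%2F%2F203.0.113.5%2Fx.txt HTTP/1.1" 200 8201 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [16/Oct/2006:11:45:30 +0000] "GET /ocs/index.php?page=about HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["params"])
```

Run it over the real access log by replacing SAMPLE_LOG with the file's lines; a 200 status on a flagged request is the one to investigate first, since it means the include was served rather than rejected.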
Handler on Duty
Oct 16th 2006