
SANS ISC: phpAdsNew log items, vulnerabilities, fix and patch information SANS ISC InfoSec Forums

Fotis Kouretas submitted log information related to phpAdsNew with the observation that "While xmlrpc scans are common for the last 2 days, these log snips have something special. It doesn't scan all the web servers and it knows the locations of a specific target: phpAdsNew".

There were no other event log correlations. Fotis's log submission showed:

"POST /apps/media/ads/adxmlrpc.php HTTP/1.1" 406 278 "-" "-"
"POST /media/adxmlrpc.php HTTP/1.1" 406 349

The log entries may be related to a Nov 10 2005 phpAdsNew vulnerability announcement:
[Full-disclosure] [FS-05-01] Multiple vulnerabilities in phpAdsNew
phpAdsNew Affected versions:
At least 2.0.6, most likely other versions also.
A remote attacker could exploit this to learn installation paths on
server, as well as to locate new files and possible manually modified
If magic_quotes_gpc is off, a remote attacker can also compromise the
integrity of the database.
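
To check your own web logs for the pattern Fotis describes (a client that goes straight for phpAdsNew's adxmlrpc.php rather than sweeping generic xmlrpc paths), here is an added example that is not part of the original diary or the submitted logs. It assumes Apache combined log format; the client addresses, timestamps, generic xmlrpc paths and label names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log format: host, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines; only the two adxmlrpc.php request strings and
# their 406 status come from the submitted log snippets.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Nov/2005:04:12:01 +0000] "POST /apps/media/ads/adxmlrpc.php HTTP/1.1" 406 278 "-" "-"
192.0.2.10 - - [11/Nov/2005:04:12:02 +0000] "POST /media/adxmlrpc.php HTTP/1.1" 406 349 "-" "-"
198.51.100.7 - - [11/Nov/2005:05:30:10 +0000] "POST /xmlrpc.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [11/Nov/2005:05:30:11 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 215 "-" "-"
198.51.100.7 - - [11/Nov/2005:05:30:12 +0000] "POST /ads/adxmlrpc.php HTTP/1.1" 404 214 "-" "-"
203.0.113.5 - - [11/Nov/2005:06:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def classify_xmlrpc_probes(log_text):
    """Group POSTs to *xmlrpc.php by client and label each client (labels are hypothetical)."""
    per_host = defaultdict(lambda: {"adxmlrpc": [], "other_xmlrpc": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].lower()   # drop query string
        name = path.rsplit("/", 1)[-1]              # script file name only
        if name == "adxmlrpc.php":
            per_host[m["host"]]["adxmlrpc"].append((path, int(m["status"])))
        elif name.endswith("xmlrpc.php"):
            per_host[m["host"]]["other_xmlrpc"].append((path, int(m["status"])))
    report = {}
    for host, hits in per_host.items():
        if hits["adxmlrpc"] and not hits["other_xmlrpc"]:
            label = "targeted-phpadsnew"            # only the ad server endpoint
        elif hits["adxmlrpc"]:
            label = "generic-sweep-including-phpadsnew"
        else:
            label = "generic-xmlrpc-sweep"
        report[host] = {"label": label, "adxmlrpc_hits": hits["adxmlrpc"]}
    return report

if __name__ == "__main__":
    for host, info in classify_xmlrpc_probes(SAMPLE_LOG).items():
        print(host, info["label"], info["adxmlrpc_hits"])
```

A client labelled as targeted on a host that actually runs phpAdsNew is the case worth correlating with the installed version and the fix status below.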

According to Matteo Beccati at phpAdsNew, "The fix is on CVS REL_2_0 branch for now, I'll be able to make the final test and do the release in the weekend." (2005-11-12, 2005-11-13)
Project: phpAdsNew: CVS

We will post additional information from contributors as it's developed.

Thanks Fotis!

Nov 11th 2005