[VIM] RFI BotNet and phpBB 0-day?

security curmudgeon jericho at attrition.org
Thu Mar 20 18:12:32 UTC 2008


: If you're bored I have a few rfi's for you to go through :)
: 
: # wc -l todays-rfi-bots.txt
: 
:    44737 todays-rfi-bots.txt
: 
: The file will show the number of uniq entries that have hit milw0rm in 
: the past 24 hours requesting http inclusions.  People forget to remove 
: milw0rm from their rfi scans.

Hah, this is what I was thinking of doing but automating it more to pull 
them out nightly. If time permitted, I was going to get fancy and have it 
weed out known vulnerabilities. If not, I wonder if there are a few folks 
that could check them if we mail them here with a little research already 
done.

Obviously we all want to track vulnerabilities in our respective 
databases, but these are of specific interest for several reasons. 
Primarily, they are being actively exploited in the wild and would qualify 
for 'undercover vulnerabilities' [1].

I'm also curious if these suffer from the 'grep and gripe' false positives 
that we see on the mail lists, and if the botnet is essentially trying to 
do inclusions on scripts that aren't really vulnerable in the first place.

.b

[1] http://osvdb.org/blog/?p=227
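
The nightly pull and the weeding out of known vulnerabilities discussed above could look like the following. This is an added example, not part of the original post and not a script used by anyone on the list. It assumes combined-format web server logs; the sample log lines, script names, parameter names and the KNOWN set are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (documentation IPs and domains only).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Mar/2008:10:00:01 +0000] "GET /forum/example_a.php?root_path=http://host.example/c.txt? HTTP/1.1" 404 209 "-" "libwww-perl/5.808"
198.51.100.7 - - [20/Mar/2008:10:02:13 +0000] "GET /example_a.php?root_path=http%3A%2F%2Fhost.example%2Fc.txt HTTP/1.1" 404 209 "-" "libwww-perl/5.808"
192.0.2.44 - - [20/Mar/2008:10:05:40 +0000] "GET /cms/example_b.php?inc=http://other.example/x.txt? HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [20/Mar/2008:10:06:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Hypothetical set of (script, parameter) pairs already tracked in a database.
KNOWN = {("example_a.php", "root_path")}

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.I)

def extract_attempts(log_text):
    """Count (script basename, parameter) pairs whose value is a remote URL."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        script = target.path.rsplit("/", 1)[-1].lower()
        # parse_qsl percent-decodes, so encoded "http%3A%2F%2F" is caught too.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits[(script, name)] += 1
    return hits

def triage(hits, known):
    """Split the unique attempts into already-tracked and needs-research."""
    tracked = sorted(k for k in hits if k in known)
    unknown = sorted(k for k in hits if k not in known)
    return tracked, unknown

if __name__ == "__main__":
    hits = extract_attempts(SAMPLE_LOG)
    tracked, unknown = triage(hits, KNOWN)
    print("unique entries:", len(hits))
    print("already tracked:", tracked)
    print("needs research:", unknown)
```

A pair in the needs-research list only shows that something requested it; whether the script really includes that parameter still has to be confirmed against its source.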