Notice Links:
Posted | Thu, 31 Oct 2013 00:05 AM UTC
Wed, 30 Oct 2013 20:05 PM EDT |
---|---|
Last Update | Thu, 31 Oct 2013 00:47 AM UTC (546 weeks ago)
Wed, 30 Oct 2013 20:47 PM EDT |
Status | Closed |
We have started seeing a number of exploited servers. The cause appears to be http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823 We are working to identify the affected server types. Currently it appears to be Debian 3, Debian 3.1, Ubuntu 11.10 or earlier. The work around is to mkdir /root/exploited; mv /usr/lib/cgi-bin/php* /root/exploited/ The fix is to upgrade to a newer/fixed version of php. Given these are older distros, a server reinstall with a recent distro is a good option. Run cat /var/spool/cron/www-data. If you see something like: Then remove that file. On Ubuntu 11.10 we note PHP 5.3.6-13ubuntu3.2 is vulnerable. But after an apt-get update; apt-get upgrade php5-cgi we get 5.3.6-13ubuntu3.10 and we did not find that vulnerable. # |
Log in to subscribe to changes to this notice.
Set your contact details for future notifications.