Mailing List Archive



Re: [tlug] Clamav reports a virus: Exploit.Gif.PHPembedded



On Thu, Jun 5, 2008 at 4:54 PM, Edmund Edgar <lists@example.com> wrote:
> I'm talking about what happens if the jpeg file with the PHP content
> in it gets run by the PHP interpreter.
Oh, it does:

php freebsd.jpg

really "executes" the code in the command.

Please read on.

> Likewise, if you put the file up on a website with PHP enabled and
> loaded it in a web browser, you'd get some binary junk, followed by a
> directory listing, followed by some more binary junk.
I don't get you.

If "he" wants to execute "php freebsd.jpg" he needs a shell first.
In the first place, "he" can do nothing more than upload files (JPEG files)
to my web server. So I assume that he didn't harm my server.

This is freebsd.jpg when loaded with a browser ( Apache 2.0.x, PHP 5.2 ):
http://aoclife.ddo.jp/tmp/freebsd.jpg
The FreeBSD daemon is there, and I don't see any binary junk.

Can you give me a POC?

-- 
Best Regards,
Nguyen Hung Vu ( Nguyễn Vũ Hưng )
vuhung16plus{remove}@example.com , YIM: vuhung16
Japan through an eye of a gaijin:
http://www.flickr.com/photos/vuhung/tags/fav/
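
Added example, not part of the original message or thread: a Python check that an upload handler could run to flag files that have a valid image header and also contain a PHP open tag, which is the condition the detection name in the subject line suggests. The function names, the extension list and the sample bytes are assumptions constructed for illustration, and this is not ClamAV's signature.

```python
import re

# Leading magic bytes of the image types an upload form would accept.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# "<?php" and "<?=" open tags. The bare short tag "<?" is left out because
# two arbitrary bytes match too often in compressed image data.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Assumed list of name components a server might map to the PHP handler.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml"}


def image_type(data):
    """Return the image type whose magic bytes start the data, or None."""
    for name, magics in IMAGE_MAGIC.items():
        if data.startswith(magics):
            return name
    return None


def find_php_tags(data, context=20):
    """Return (offset, snippet) for every PHP open tag found in the bytes."""
    return [(m.start(), data[m.start():m.start() + context].decode("latin-1"))
            for m in PHP_OPEN_TAG.finditer(data)]


def check_upload(filename, data):
    """Classify one upload: image header, embedded PHP, risky file name."""
    kind = image_type(data)
    tags = find_php_tags(data)
    parts = filename.lower().split(".")[1:]  # every extension, not just the last
    return {
        "image_type": kind,
        "php_tags": tags,
        "polyglot": kind is not None and bool(tags),
        # The embedded code only matters if the server hands the file to PHP.
        "php_handled_name": any(p in PHP_EXTENSIONS for p in parts),
    }


# Constructed samples: a JPEG-like header with a harmless PHP tag, and a clean GIF.
SAMPLE_POLYGLOT = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
                   b"<?php echo 'x'; ?>\xff\xd9")
SAMPLE_CLEAN = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"

if __name__ == "__main__":
    print(check_upload("freebsd.jpg", SAMPLE_POLYGLOT))
    print(check_upload("logo.gif", SAMPLE_CLEAN))
```

A file reported as "polyglot" but stored under a name the server treats as a plain image is served as image bytes, as in the message above; the same bytes under a name flagged by "php_handled_name" would be passed to the interpreter.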
