Security Incidents mailing list archives
New variant against phpBB2?
From: Mister Coffee <live4java () stormcenter net>
Date: Mon, 25 Apr 2005 13:16:53 -0700
Ran into some unusual behavior the other day on one of the servers I maintain. Checking through the logs and files, I encountered some hits that looked remarkably like the phpBB2 exploits that have been in circulation, and a directory in /var/tmp called /var/tmp/.sgurz which had 36 files named boink.nn (boink through boink.36). The files appeared to be very slight variants on the same worm.
Eg:

Variant 1:
#############################################################
# Developed by br0k3d #
# For educational purpose only #
# Based ( almost ripped ) at ASW Worm! #
# Just made it fo study perl ;) #
# 2nd Version - Fuckz Google #
# => br0k3d () gmail com <= #
#############################################################

Variant 2:
#############################################################
# Developed by br0k3d #
# For educational purpose only #
# Based ( almost ripped ) at ASW Worm! #
# Just made it fo study perl ;) #
# 2nd Version - Fuckz Google #
# 3rd Version - modernbill version (was phpbb) from tillo #
# => you can find me <= #
#############################################################

Cleanup was straightforward. The system was infected for about 12 hours before it was noticed and eradicated. All files were dropped in /var/tmp and the site that was hosting the worm source was off the air by the time I found the infection. I'm curious if anyone's seen this variant in the wild.
Cheers,
L4J