Security Incidents mailing list archives

New variant against phpBB2?


From: Mister Coffee <live4java () stormcenter net>
Date: Mon, 25 Apr 2005 13:16:53 -0700


Ran into some unusual behavior the other day on one of the servers I maintain. Checking through the logs and files I encountered some hits that looked remarkably like the phpBB2 exploits that have been in circulation, and a directory in /var/tmp called /var/tmp/.sgurz which had 36 files named boink.nn (boink through boink.36). The files appeared to be very slight variants on the same worm.

Eg:

Variant 1:
#############################################################
#   Developed by br0k3d                                     #
#   For educational purpose only                            #
#   Based ( almost ripped ) at ASW Worm!                    #
#   Just made it fo study perl ;)                           #
#   2nd Version - Fuckz Google                              #
#   => br0k3d () gmail com <=                                  #
#############################################################

Variant 2:
#############################################################
#   Developed by br0k3d                                     #
#   For educational purpose only                            #
#   Based ( almost ripped ) at ASW Worm!                    #
#   Just made it fo study perl ;)                           #
#   2nd Version - Fuckz Google                              #
#   3rd Version - modernbill version (was phpbb) from tillo #
#   => you can find me <=                                   #
#############################################################

Cleanup was straightforward. The system was infected for about 12 hours before it was noticed and eradicated. All files were dropped in /var/tmp and the site that was hosting the worm source was off the air by the time I found the infection. I'm curious if anyone's seen this variant in the wild.

Cheers,
L4J
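The indicator described in the post above (a dot-directory under /var/tmp holding dozens of numbered, near-identical script files) lends itself to a simple host-side triage check. The following is an added example written for this archive page, not code from the original poster: it walks a temp root for hidden directories, groups files that share a stem with a numeric suffix (boink, boink.1, ...), and uses content similarity plus per-file hashes to confirm the "slight variants of one file" pattern. The root path, the thresholds, and the sample files it builds for itself are all assumptions; the sample files are harmless constructed comment text, not the worm.

```python
"""Triage helper for clusters of numbered near-duplicate files in hidden temp dirs.

Added example (not from the original post). Assumed: the temp root to scan,
the cluster size and similarity thresholds, and the constructed sample data.
"""
import difflib
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# "stem" or "stem.<digits>" -- e.g. boink, boink.1, boink.36
NUMBERED = re.compile(r"^(?P<stem>.+?)(?:\.(?P<n>\d+))?$")


def find_hidden_dirs(root):
    """Return dot-directories directly under root (the /var/tmp/.sgurz pattern)."""
    try:
        entries = os.listdir(root)
    except FileNotFoundError:
        return []
    return [os.path.join(root, e) for e in entries
            if e.startswith(".") and os.path.isdir(os.path.join(root, e))]


def numbered_clusters(directory, min_files=5):
    """Group regular files by stem; keep stems with at least min_files members."""
    groups = defaultdict(list)
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            groups[NUMBERED.match(name).group("stem")].append(path)
    return {stem: sorted(paths) for stem, paths in groups.items()
            if len(paths) >= min_files}


def variant_similarity(paths):
    """Lowest difflib ratio of each file against the first; near 1.0 means
    the cluster is one file with small edits rather than unrelated data."""
    with open(paths[0], "rb") as fh:
        base = fh.read().decode("latin-1")
    ratios = []
    for p in paths[1:]:
        with open(p, "rb") as fh:
            other = fh.read().decode("latin-1")
        ratios.append(difflib.SequenceMatcher(None, base, other).ratio())
    return min(ratios) if ratios else 1.0


def triage(root, min_files=5, min_similarity=0.8):
    """Report numbered clusters inside hidden dirs under root, with hash
    diversity (distinct files) and similarity (same file, lightly edited)."""
    findings = []
    for d in find_hidden_dirs(root):
        for stem, paths in numbered_clusters(d, min_files).items():
            hashes = set()
            for p in paths:
                with open(p, "rb") as fh:
                    hashes.add(hashlib.sha256(fh.read()).hexdigest())
            sim = variant_similarity(paths)
            findings.append({
                "dir": d, "stem": stem, "count": len(paths),
                "distinct_hashes": len(hashes),
                "min_similarity": round(sim, 2),
                "suspicious": sim >= min_similarity,
            })
    return findings


def build_sample(root=None):
    """Constructed sample: 36 harmless comment-only files named boink,
    boink.1 ... boink.35 in a dot-directory, differing only by one marker,
    plus an unrelated non-hidden directory as noise. Returns the root."""
    root = root or tempfile.mkdtemp(prefix="triage-demo-")
    hidden = os.path.join(root, ".sgurz")
    os.makedirs(hidden, exist_ok=True)
    body = ("#" * 40 + "\n# constructed sample header (not the worm)\n"
            "# variant marker: %d\n" + "#" * 40 + "\n")
    for i in range(36):
        name = "boink" if i == 0 else "boink.%d" % i
        with open(os.path.join(hidden, name), "w") as fh:
            fh.write(body % i)
    os.makedirs(os.path.join(root, "normal"), exist_ok=True)
    with open(os.path.join(root, "normal", "cache.1"), "w") as fh:
        fh.write("unrelated\n")
    return root


if __name__ == "__main__":
    # Run against the constructed sample; point triage() at /var/tmp on a real host.
    for finding in triage(build_sample()):
        print(finding)
```

A high `distinct_hashes` count together with a high `min_similarity` is the signature the post describes: every file hashes differently, so hash-based IoC matching misses them, yet they are the same script with trivial edits. On a live host, run `triage("/var/tmp")` (and /tmp, /dev/shm) from a read-only perspective and preserve the directory before cleanup.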
