Re: Possible apache2/php 4.3.9 worm

[Pamela Patterson <ppatters () cbnco com>]

On Tue, 2004-12-21 at 10:32, Alex Schultz wrote:
> Some of the sites I administer were alledgedly hit by a worm last night.
> It overwrote all .php/.html files that were owner writable and owned by
> apache.  The worm put the following html in place of what was there:
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
>  <HTML>
>  <HEAD> 
>  <TITLE>This site is defaced!!!</TITLE> 
>  </HEAD>
> <BODY bgcolor="#000000" text="#FF0000"> 
> <H1>This site is defaced!!!</H1> 
> <HR> 
> <ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> 
> </BODY>
> </HTML>
>
> We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
> this before?  Also is there anything I should be aware of such as a
> possible binary that may have been dropped?  Could this have been
> accomplised by the upload path traversal vulnerability?  Google returns
> nothing.

It seems to be a worm exploiting a recent hole in PhPBB.

http://groups.google.ca/groups?hl=en&lr=&safe=off&threadm=nrWdna_Pae7yNlrcRVn-gw%40comcast.com&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26selm%3DnrWdna_Pae7yNlrcRVn-gw%2540comcast.com

-- 
Pamela Patterson, B.Eng, GCFA
Senior Systems Administrator
Canadian Bank Note Company, Limited
http://www.cbnco.com
------------------------------------------------------------------
There are two kinds of sysadmins: paranoids and losers.
I'm both kinds.
------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html