Re: phpBB Worm

From: Raymond Dijkxhoorn (raymond_at_prolocation.net)
Date: 12/21/04

  • Next message: customer service mailbox: "iDEFENSE Security Advisory 12.21.04: Multiple Vendor xpdf PDF Viewer Buffer Overflow Vulnerability" 
    Date: Tue, 21 Dec 2004 23:28:42 +0100 (CET)
To: Shannon Lee <shannon@webhostworks.net>

    Hi!

    > After some investigation, we determined that the attacker had gained
    > access via phpbb in a series of crafted URL requests, like so:
    >
    > 64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET
    > /viewtopic.php?p=9002&sid=f5
    > 399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr
    > (49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),ch
    > r(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)
    > %252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252
    > echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252ech
    > r(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE
    > OMITTED.com/

    If you cannot fix it (virtual servers) fast for all your clients you could
    also try with something like this:

             RewriteEngine On
             RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
             RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
             RewriteRule ^.*$ - [F]

    We had some vhosts where this worked just fine. On our systems we didnt
    see any valid request with echr and esystem, just be gentle with it, it
    works for me, it could work for you ;)

    Bye,
    Raymond.

  • Next message: customer service mailbox: "iDEFENSE Security Advisory 12.21.04: Multiple Vendor xpdf PDF Viewer Buffer Overflow Vulnerability"