Re: Worm hitting PHPbb2 Forums

From: Chris Ess (securityfocus_at_cae.tokimi.net)
Date: 12/21/04

  • Next message: Chris Ess: "Re: Worm hitting PHPbb2 Forums" 
    Date: Tue, 21 Dec 2004 12:53:32 -0500 (EST)
To: "L. Walker" <lwalker@magi.net.au>

    > Just spotted two clients hit by this. One client didnt update his
    > software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
    > Chkrootkit says its Adore, however could be something else. Datacenter
    > wasn't very smart and has since wiped the server, so no binaries or other
    > evidence.
    >
    > Generation 12 only wiped out PHP files, replacing them with its own
    > message on other client's PHPbb2 forum.

    Generation 9 appears to overwrite files with the following extensions:
    .htm, .php, .asp, .shtm, .jsp, .phtm

    It only displays a defacement message saying

    "NeverEverNoSanity WebWorm generation #"

    Where # is the generation of the worm.

    This bug only exploits a hole in phpBB2 as far as I can tell. It does not
    appear to exploit a hole within PHP. In order to protect yourself, you
    must upgrade phpBB2 to version 2.0.11. See
    http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

    The only code modification that this worm appears to do is increments its
    generation count every time it hits a server. Generation 9 does not
    contain anything that would indicate the ability to install a rootkit. I
    suspect that the rootkit may have been installed separately.

    I extracted a full copy of generation 9 of this worm based on the access
    logs of a site hit by it. I was going to do a code review whenever I got
    the chance to properly do one.

    Sincerely,

    Chris Ess
    System Administrator / CDTT (Certified Duct Tape Technician)

  • Next message: Chris Ess: "Re: Worm hitting PHPbb2 Forums"

    Relevant Pages

    • RE: [Full-Disclosure] Re: new msblaster on the loose?
      ... If it exploits the same vulnerability, won't it be LESS effective since many people have been hit and thus patched their systems? ... Wouldn't an effective blaster variant find a different loophole? ... and the new variety may double this number. ... that this worm is any different than the first one in those cases, ...
      (Full-Disclosure)
    • Re: New version of SirCam ===w32Goner
      ... This mass mailing worm attempts to send itself using ... The worm copies itself into the WINDOWS SYSTEM folder ... Restart Windows in Safe Mode (reboot your computer, ... Type GONE.SCR and hit ENTER ...
      (Incidents)
    • Re: Worm hitting PHPbb2 Forums
      ... I got a message from a former employer about this worm ... yesterday- a box I had setup that had hardened php on it got hit hard by ... > Subject: Re: Worm hitting PHPbb2 Forums ... >> Just spotted two clients hit by this. ...
      (Incidents)
    • Belaboring the point of FPs
      ... I get a hit on sid 2123 - successful admin, ... The traffic is *from* our imap server on port 143 *to* an off ... someone was reading about the worm. ... - Ensure Reliable Performance of Mission Critical Applications ...
      (Focus-IDS)