Re: Worm hitting PHPbb2 Forums

From: lists (lists_at_innocence-lost.net)
Date: 12/21/04

  • Next message: brian_at_ethernet.org: "re: SSH scans..."
    Date: Tue, 21 Dec 2004 11:29:37 -0700 (MST)
    To: Chris Ess <securityfocus@cae.tokimi.net>
    
    

    Funny enough, I got a message from a former employer about this worm
    yesterday- a box I had setup that had hardened php on it got hit hard by
    this worm. I must've misread the advisory as I was under the impression
    that the Hardened PHP patches protected PHP through canary values from
    this bug? Or does it use more than just unserialize() (i.e. realpath() )

    Jusin F.

    --
    There are only two choices in life. You either conform the truth to your desire,
    or you conform your desire to the truth. Which choice are you making?
    On Tue, 21 Dec 2004, Chris Ess wrote:
    > Date: Tue, 21 Dec 2004 12:53:32 -0500 (EST)
    > From: Chris Ess <securityfocus@cae.tokimi.net>
    > To: L. Walker <lwalker@magi.net.au>
    > Cc: incidents@securityfocus.com
    > Subject: Re: Worm hitting PHPbb2 Forums
    >
    > > Just spotted two clients hit by this.  One client didnt update his
    > > software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
    > > Chkrootkit says its Adore, however could be something else.  Datacenter
    > > wasn't very smart and has since wiped the server, so no binaries or other
    > > evidence.
    > >
    > > Generation 12 only wiped out PHP files, replacing them with its own
    > > message on other client's PHPbb2 forum.
    >
    > Generation 9 appears to overwrite files with the following extensions:
    > .htm, .php, .asp, .shtm, .jsp, .phtm
    >
    > It only displays a defacement message saying
    >
    > "NeverEverNoSanity WebWorm generation #"
    >
    > Where # is the generation of the worm.
    >
    > This bug only exploits a hole in phpBB2 as far as I can tell.  It does not
    > appear to exploit a hole within PHP.  In order to protect yourself, you
    > must upgrade phpBB2 to version 2.0.11.  See
    > http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
    >
    > The only code modification that this worm appears to do is increments its
    > generation count every time it hits a server.  Generation 9 does not
    > contain anything that would indicate the ability to install a rootkit.  I
    > suspect that the rootkit may have been installed separately.
    >
    > I extracted a full copy of generation 9 of this worm based on the access
    > logs of a site hit by it.  I was going to do a code review whenever I got
    > the chance to properly do one.
    >
    > Sincerely,
    >
    >
    > Chris Ess
    > System Administrator / CDTT (Certified Duct Tape Technician)
    >
    

  • Next message: brian_at_ethernet.org: "re: SSH scans..."