Re: Worm hitting PHPbb2 Forums
From: lists (lists_at_innocence-lost.net)
Date: 12/21/04
- Previous message: Mike: "RE: Worm hitting PHPbb2 Forums"
- In reply to: Chris Ess: "Re: Worm hitting PHPbb2 Forums"
- Next in thread: Chris Ess: "Re: Worm hitting PHPbb2 Forums"
- Reply: Chris Ess: "Re: Worm hitting PHPbb2 Forums"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 21 Dec 2004 11:29:37 -0700 (MST) To: Chris Ess <securityfocus@cae.tokimi.net>
Funny enough, I got a message from a former employer about this worm
yesterday- a box I had setup that had hardened php on it got hit hard by
this worm. I must've misread the advisory as I was under the impression
that the Hardened PHP patches protected PHP through canary values from
this bug? Or does it use more than just unserialize() (i.e. realpath() )
Jusin F.
-- There are only two choices in life. You either conform the truth to your desire, or you conform your desire to the truth. Which choice are you making? On Tue, 21 Dec 2004, Chris Ess wrote: > Date: Tue, 21 Dec 2004 12:53:32 -0500 (EST) > From: Chris Ess <securityfocus@cae.tokimi.net> > To: L. Walker <lwalker@magi.net.au> > Cc: incidents@securityfocus.com > Subject: Re: Worm hitting PHPbb2 Forums > > > Just spotted two clients hit by this. One client didnt update his > > software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16. > > Chkrootkit says its Adore, however could be something else. Datacenter > > wasn't very smart and has since wiped the server, so no binaries or other > > evidence. > > > > Generation 12 only wiped out PHP files, replacing them with its own > > message on other client's PHPbb2 forum. > > Generation 9 appears to overwrite files with the following extensions: > .htm, .php, .asp, .shtm, .jsp, .phtm > > It only displays a defacement message saying > > "NeverEverNoSanity WebWorm generation #" > > Where # is the generation of the worm. > > This bug only exploits a hole in phpBB2 as far as I can tell. It does not > appear to exploit a hole within PHP. In order to protect yourself, you > must upgrade phpBB2 to version 2.0.11. See > http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513 > > The only code modification that this worm appears to do is increments its > generation count every time it hits a server. Generation 9 does not > contain anything that would indicate the ability to install a rootkit. I > suspect that the rootkit may have been installed separately. > > I extracted a full copy of generation 9 of this worm based on the access > logs of a site hit by it. I was going to do a code review whenever I got > the chance to properly do one. > > Sincerely, > > > Chris Ess > System Administrator / CDTT (Certified Duct Tape Technician) >
- Previous message: Mike: "RE: Worm hitting PHPbb2 Forums"
- In reply to: Chris Ess: "Re: Worm hitting PHPbb2 Forums"
- Next in thread: Chris Ess: "Re: Worm hitting PHPbb2 Forums"
- Reply: Chris Ess: "Re: Worm hitting PHPbb2 Forums"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
