Re: Worm hitting PHPbb2 Forums

From: lists (lists_at_innocence-lost.net)
Date: 12/21/04

  • Next message: brian_at_ethernet.org: "re: SSH scans..."
    Date: Tue, 21 Dec 2004 11:29:37 -0700 (MST)
    To: Chris Ess <securityfocus@cae.tokimi.net>
    
    

    Funny enough, I got a message from a former employer about this worm
    yesterday- a box I had setup that had hardened php on it got hit hard by
    this worm. I must've misread the advisory as I was under the impression
    that the Hardened PHP patches protected PHP through canary values from
    this bug? Or does it use more than just unserialize() (i.e. realpath() )

    Jusin F.

    --
    There are only two choices in life. You either conform the truth to your desire,
    or you conform your desire to the truth. Which choice are you making?
    On Tue, 21 Dec 2004, Chris Ess wrote:
    > Date: Tue, 21 Dec 2004 12:53:32 -0500 (EST)
    > From: Chris Ess <securityfocus@cae.tokimi.net>
    > To: L. Walker <lwalker@magi.net.au>
    > Cc: incidents@securityfocus.com
    > Subject: Re: Worm hitting PHPbb2 Forums
    >
    > > Just spotted two clients hit by this.  One client didnt update his
    > > software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
    > > Chkrootkit says its Adore, however could be something else.  Datacenter
    > > wasn't very smart and has since wiped the server, so no binaries or other
    > > evidence.
    > >
    > > Generation 12 only wiped out PHP files, replacing them with its own
    > > message on other client's PHPbb2 forum.
    >
    > Generation 9 appears to overwrite files with the following extensions:
    > .htm, .php, .asp, .shtm, .jsp, .phtm
    >
    > It only displays a defacement message saying
    >
    > "NeverEverNoSanity WebWorm generation #"
    >
    > Where # is the generation of the worm.
    >
    > This bug only exploits a hole in phpBB2 as far as I can tell.  It does not
    > appear to exploit a hole within PHP.  In order to protect yourself, you
    > must upgrade phpBB2 to version 2.0.11.  See
    > http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
    >
    > The only code modification that this worm appears to do is increments its
    > generation count every time it hits a server.  Generation 9 does not
    > contain anything that would indicate the ability to install a rootkit.  I
    > suspect that the rootkit may have been installed separately.
    >
    > I extracted a full copy of generation 9 of this worm based on the access
    > logs of a site hit by it.  I was going to do a code review whenever I got
    > the chance to properly do one.
    >
    > Sincerely,
    >
    >
    > Chris Ess
    > System Administrator / CDTT (Certified Duct Tape Technician)
    >
    

  • Next message: brian_at_ethernet.org: "re: SSH scans..."

    Relevant Pages

    • Re: Linux worm crawls the web, what to do to protect our systems
      ... >> A strange worm is going around the web. ... >>some vulnerabilities in PHP. ... >>80 and the attack has been well documented by SANS. ...
      (Fedora)
    • RE: [Full-Disclosure] Re: new msblaster on the loose?
      ... If it exploits the same vulnerability, won't it be LESS effective since many people have been hit and thus patched their systems? ... Wouldn't an effective blaster variant find a different loophole? ... and the new variety may double this number. ... that this worm is any different than the first one in those cases, ...
      (Full-Disclosure)
    • Re: New version of SirCam ===w32Goner
      ... This mass mailing worm attempts to send itself using ... The worm copies itself into the WINDOWS SYSTEM folder ... Restart Windows in Safe Mode (reboot your computer, ... Type GONE.SCR and hit ENTER ...
      (Incidents)
    • Re: Linux worm crawls the web, what to do to protect our systems
      ... > A strange worm is going around the web. ... >some vulnerabilities in PHP. ... > The worm exploits PHP based vulnerabilities ... >80 and the attack has been well documented by SANS. ...
      (Fedora)
    • Re: Worm hitting PHPbb2 Forums
      ... exploit code of the original bug can be found on k-otik.com ... > Subject: Re: Worm hitting PHPbb2 Forums ... >> yesterday- a box I had setup that had hardened php on it got hit hard by ... I must've misread the advisory as I was under the impression ...
      (Incidents)