Full Disclosure mailing list archives

Re: Possible apache2/php 4.3.9 worm
From: Pamela Patterson <ppatters () cbnco com>
Date: Tue, 21 Dec 2004 12:34:18 -0500

On Tue, 2004-12-21 at 10:32, Alex Schultz wrote:
Some of the sites I administer were allegedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache.  The worm put the following html in place of what was there:
 <TITLE>This site is defaced!!!</TITLE> 
<BODY bgcolor="#000000" text="#FF0000"> 
<H1>This site is defaced!!!</H1> 
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS> 

We were running apache 2.0.52 and php 4.3.9. Have any of you encountered
this before?  Also is there anything I should be aware of such as a
possible binary that may have been dropped?  Could this have been
accomplished by the upload path traversal vulnerability?  Google returns

It seems to be a worm exploiting a recent hole in PhPBB.


Pamela Patterson, B.Eng, GCFA
Senior Systems Administrator
Canadian Bank Note Company, Limited
There are two kinds of sysadmins: paranoids and losers.
I'm both kinds.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
