Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Worm hitting PHPbb2 Forums

from [Chris Ess] Network Security [Permanent Link]
Subject: Re: Worm hitting PHPbb2 Forums
Date: Tue, 21 Dec 2004 12:53:32 -0500 (EST) 
Just spotted two clients hit by this.  One client didnt update his
software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
Chkrootkit says its Adore, however could be something else.  Datacenter
wasn't very smart and has since wiped the server, so no binaries or other
evidence.

Generation 12 only wiped out PHP files, replacing them with its own
message on other client's PHPbb2 forum.


Generation 9 appears to overwrite files with the following extensions:
.htm, .php, .asp, .shtm, .jsp, .phtm

It only displays a defacement message saying

"NeverEverNoSanity WebWorm generation #"

Where # is the generation of the worm.

This bug only exploits a hole in phpBB2 as far as I can tell.  It does not
appear to exploit a hole within PHP.  In order to protect yourself, you
must upgrade phpBB2 to version 2.0.11.  See
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

The only code modification that this worm appears to do is increments its
generation count every time it hits a server.  Generation 9 does not
contain anything that would indicate the ability to install a rootkit.  I
suspect that the rootkit may have been installed separately.

I extracted a full copy of generation 9 of this worm based on the access
logs of a site hit by it.  I was going to do a code review whenever I got
the chance to properly do one.

Sincerely,


Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Worm hitting PHPbb2 Forums, mark
Next by Date:  Re: Worm hitting PHPbb2 Forums, Chris Ess
Previous by Thread:  Re: Worm hitting PHPbb2 Forums, mark
Next by Thread:  Re: Worm hitting PHPbb2 Forums, lists
Indexes:  [Date] [Thread] [Top] [All Lists]