Network Security Incidents

New variant against phpBB2?

Subject: New variant against phpBB2?
Date: Mon, 25 Apr 2005 13:16:53 -0700

Ran into some unusual behavior the other day on one of the servers I maintain. Checking through the logs and files I encountered some hits that looked remarkably like the phpBB2 exploits that have been in circulation, and a directory in /var/tmp called /var/tmp/.sgurz which had 36 files named boink.nn (boink through boink.36). The files appeared to be very slight variants on the same worm.


Eg:

Variant 1:
#############################################################
#   Developed by br0k3d                                     #
#   For educational purpose only                            #
#   Based ( almost ripped ) at ASW Worm!                    #
#   Just made it fo study perl ;)                           #
#   2nd Version - Fuckz Google                              #
#   => br0k3d@gmail.com <=                                  #
#############################################################

Variant 2:
#############################################################
#   Developed by br0k3d                                     #
#   For educational purpose only                            #
#   Based ( almost ripped ) at ASW Worm!                    #
#   Just made it fo study perl ;)                           #
#   2nd Version - Fuckz Google                              #
#   3rd Version - modernbill version (was phpbb) from tillo #
#   => you can find me <=                                   #
#############################################################

Cleanup was straightforward. The system was infected for about 12 hours before it was noticed and eradicated. All files were dropped in /var/tmp and the site that was hosting the worm source was off the air by the time I found the infection. I'm curious if anyone's seen this variant in the wild.

Cheers,
L4J
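
The post describes the artifacts this infection left behind: a hidden directory dropped in /var/tmp and a run of near-identical files named boink, boink.1 and so on. The following is an added example, not part of the original post or the worm it quotes, showing how a defender could sweep a temp directory for that kind of indicator and report what it finds. The file-name pattern and the .sgurz directory name come from the post; the allow-list of legitimate hidden directories and the sample tree it builds are constructed assumptions for illustration.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicator from the post: files named boink, boink.1 ... boink.36 inside a
# hidden directory under /var/tmp. The allow-list below is an assumption:
# these hidden directories are commonly created by X11/session software.
FILE_PATTERN = re.compile(r"^boink(\.\d{1,2})?$")
KNOWN_HIDDEN_DIRS = {".X11-unix", ".ICE-unix", ".font-unix"}


@dataclass
class Finding:
    """One suspicious hidden directory and what it contained."""
    directory: str
    matching_files: list = field(default_factory=list)  # names matching FILE_PATTERN
    other_files: int = 0                                # anything else found inside


def scan_temp_root(root):
    """Walk hidden directories directly under `root` (e.g. /var/tmp) and
    report the files inside them, separating those that match the indicator."""
    findings = []
    try:
        entries = os.listdir(root)
    except FileNotFoundError:
        return findings
    for name in sorted(entries):
        path = os.path.join(root, name)
        # Only hidden directories that are not on the allow-list are of interest.
        if not name.startswith(".") or name in KNOWN_HIDDEN_DIRS or not os.path.isdir(path):
            continue
        finding = Finding(directory=path)
        for dirpath, _, files in os.walk(path):  # symlinks are not followed
            for fname in files:
                if FILE_PATTERN.match(fname):
                    finding.matching_files.append(os.path.join(dirpath, fname))
                else:
                    finding.other_files += 1
        findings.append(finding)
    return findings


def build_sample_tree():
    """Constructed sample layout mimicking the post: a .sgurz directory holding
    boink and boink.1 .. boink.36, next to a benign hidden dir and a plain dir.
    The file contents are placeholders, not worm code."""
    root = tempfile.mkdtemp(prefix="vartmp-sample-")
    nest = os.path.join(root, ".sgurz")
    os.mkdir(nest)
    for i in range(37):
        name = "boink" if i == 0 else f"boink.{i}"
        with open(os.path.join(nest, name), "w") as fh:
            fh.write("# placeholder content\n")
    os.mkdir(os.path.join(root, ".X11-unix"))  # legitimate hidden dir, skipped
    os.mkdir(os.path.join(root, "plain"))      # not hidden, ignored
    return root


if __name__ == "__main__":
    # Point this at /var/tmp (or /tmp) on a real host; here it runs on the sample tree.
    sample_root = build_sample_tree()
    for f in scan_temp_root(sample_root):
        print(f"{f.directory}: {len(f.matching_files)} indicator files, {f.other_files} other files")
```

The scan only looks at hidden directories one level below the root because that is where the post found the drop; it does not follow symlinks, so a planted link cannot drag it elsewhere on the filesystem. Running it under a cron job and alerting when any finding comes back would have surfaced this infection well before the twelve hours the post mentions.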
