Bugtraq mailing list archives
Re: phpBB Worm
From: Raymond Dijkxhoorn <raymond () prolocation net>
Date: Tue, 21 Dec 2004 23:28:42 +0100 (CET)
Hi!
After some investigation, we determined that the attacker had gained access via phpbb in a series of crafted URL requests, like so: 64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET /viewtopic.php?p=9002&sid=f5 399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr (49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),ch r(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47) %252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252 echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252ech r(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE OMITTED.com/
If you cannot fix it (virtual servers) fast for all your clients you could also try with something like this:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
RewriteRule ^.*$ - [F]
We had some vhosts where this worked just fine. On our systems we didnt
see any valid request with echr and esystem, just be gentle with it, it
works for me, it could work for you ;)
Bye, Raymond.
Current thread:
- phpBB Worm Shannon Lee (Dec 21)
- Re: phpBB Worm Raymond Dijkxhoorn (Dec 21)
- Re: phpBB Worm Sebastian Wiesinger (Dec 22)
- Re: phpBB Worm William Geoghegan (Dec 23)
- Re: phpBB Worm Anders Henke (Dec 23)
- Re: phpBB Worm Sebastian Wiesinger (Dec 22)
- RE: phpBB Worm Paul Kurczaba (Dec 21)
- Re: phpBB Worm Alexander Klimov (Dec 22)
- <Possible follow-ups>
- Re: phpBB Worm ycw1bh302 (Dec 22)
- Re: phpBB Worm Alvin Packard (Dec 23)
- Re: phpBB Worm Anders Henke (Dec 23)
- RE: phpBB Worm Ofer Shezaf (Dec 23)
- RE: phpBB Worm Chris Ess (Dec 25)
(Thread continues...)
- Re: phpBB Worm Raymond Dijkxhoorn (Dec 21)