Bugtraq mailing list archives
WebWorm using PHPBB vulnerability in the wild!
From: Niki Denev <nike_d () cytexbg com>
Date: Tue, 21 Dec 2004 01:42:22 +0200
There have been reports of WebWorm exploting PHPBB's urldecode vulnerability.
The worm uses this to create a perl script on the server and start it. After the perl script starts it wipes itself out, then begans to searchvia google.com/advanced_search for exploitable viewtopic.php files part from the vulnerable PHPBB distributions. Then the worm replicates itself by using the vulnerability, and also overwrites any files on the disk that it has permission to. Machines running the worm script will have perl process with name 'm1ho2of' running.
But this likely will change when the people start to notice it.The possible solution is to patch or disable the vulnerable PHPBB installations.
--niki
Attachment:
_bin
Description:
Current thread:
- WebWorm using PHPBB vulnerability in the wild! Niki Denev (Dec 21)
- Re: WebWorm using PHPBB vulnerability in the wild! Nick Johnson (Dec 22)