Security Incidents mailing list archives

Re: Worm hitting PHPbb2 Forums


From: Barrie Dempster <barrie () reboot-robot net>
Date: Tue, 21 Dec 2004 21:00:04 +0000

On Tue, 2004-12-21 at 12:21 -0700, lists wrote:
Yea good catch, after looking into it a little further I found that it
wasn't related to that advisory, but rather to one from 11.13.04, the
exploit code of the original bug can be found on k-otik.com

Thanks for the info

More information:

Mis-reported and then corrected at the ISC -
http://isc.sans.org/diary.php?date=2004-12-21 

* The advisory is here - http://howdark.com/
(it was there when the advisory was initially released but that site
seems down atm, included here in hope that howdark.com resurfaces)

* The fix is here - http://www.phpbb.com/phpBB/viewtopic.php?t=240513

* The exploit is here - http://www.howdark.com/poc/phpbb2010_hl.phps
(down as above, but included here as it was the original source, try
here http://www.k-otik.com/exploits/20041122.r57phpbb2010.pl.php )

* SNORT Rule is here - http://www.webservertalk.com/message554529.html

* If you got owned by this then your Christmas present is here
http://ysati.com hehe ;-P

With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]



