[Comm] Fwd: WebWorm using PHPBB vulnerability in the wild!

[Michael Shigorin]

FYI

----- Forwarded message from Niki Denev <nike_d cytexbg com> -----

Date: Tue, 21 Dec 2004 01:42:22 +0200
From: Niki Denev <nike_d cytexbg com>
To: bugtraq@
Subject: WebWorm using PHPBB vulnerability in the wild!

There have been reports of WebWorm exploting PHPBB's urldecode 
vulnerability.
The worm uses this to create a perl script on the server and start it.
After the perl script starts it wipes itself out, then begans to search
via google.com/advanced_search for exploitable viewtopic.php files part from 
the vulnerable PHPBB distributions.
Then the worm replicates itself by using the vulnerability, and also 
overwrites any files on the disk that it has permission to.
Machines running the worm script will have perl process with name 'm1ho2of' 
running.
But this likely will change when the people start to notice it.
The possible solution is to patch or disable the vulnerable PHPBB 
installations.


--niki

----- End forwarded message -----

PS: grep 'GET /viewtopic.php.*system.*chr' /var/log/httpd/access_log 
(ну или где лежит), судя по тому, чем пытаются бомбить нас.

-- 
 ---- WBR, Michael Shigorin <mike на altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/
----------- следующая часть -----------
Было удалено вложение не в текстовом формате...
Имя     : =?iso-8859-1?q?=CF=D4=D3=D5=D4=D3=D4=D7=D5=C5=D4?=
Тип     : application/pgp-signature
Размер  : 189 байтов
Описание: =?iso-8859-1?q?=CF=D4=D3=D5=D4=D3=D4=D7=D5=C5=D4?=
Url     : <http://lists.altlinux.org/pipermail/community/attachments/20041222/3468746a/attachment-0003.bin>