| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.61.0412212325470.1764@mailbox.prolocation.net>
Date: Tue, 21 Dec 2004 23:28:42 +0100 (CET)
From: Raymond Dijkxhoorn <raymond@...location.net>
To: Shannon Lee <shannon@...hostworks.net>
Cc: bugtraq@...urityfocus.com
Subject: Re: phpBB Worm
Hi!
> After some investigation, we determined that the attacker had gained
> access via phpbb in a series of crafted URL requests, like so:
>
> 64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET
> /viewtopic.php?p=9002&sid=f5
> 399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr
> (49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),ch
> r(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)
> %252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252
> echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252ech
> r(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE
> OMITTED.com/
If you cannot fix it (virtual servers) fast for all your clients you could
also try with something like this:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
RewriteRule ^.*$ - [F]
We had some vhosts where this worked just fine. On our systems we didnt
see any valid request with echr and esystem, just be gentle with it, it
works for me, it could work for you ;)
Bye,
Raymond.
Powered by blists - more mailing lists