The one instance of this I observed did the following:
1) got permissions of apache daemon by way of the viewtopic.php script
2) ran the server's wget to download http://www.packetstormsecurity.nl/DoS/udp.pl
3) pulled udp.pl down into /tmp, and ran, not sure how it got its list of ip.

The quick and dirty workaround to shut this off right away was to chmod wget down to 0, then go fix viewtopic.php.

+-------------------------
+ Dave Dennis
+ Seattle, WA
+ dmd@speakeasy.org
+ http://www.dmdennis.com
+-------------------------

On Tue, 21 Dec 2004, cw wrote:
Does anyone have any more detail on exactly what this thing does after it gets into a system?
The cgi platform for a company I use has been hit and the effect is not just limited to phpBB, it seems to get into the server and then go through everything it can write to..
I lost a copy of UBB to this worm even though I don't run phpBB off the same vhost.
Gonna be a nightmare for server ops to ensure that all client copies of phpBB are patched..