Sanity worm defaces websites using php bug
These people don't waste much time when a new exploit is found, do they? Geez.
http://isc.sans.org/diary.php?date=2004-12-21
- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
On Tue, 21 Dec 2004, Fergie (Paul Ferguson) wrote:
These people don't waste much time when a new exploit is found, do they? Geez. http://isc.sans.org/diary.php?date=2004-12-21
It's exploiting a bug in old versions of phpbb, it's not using the recent php exploit. -Dan
Does anyone have any more detail on exactly what this thing does after it gets into a system? The cgi platform for a company I use has been hit and the effect is not just limited to phpBB, it seems to get into the server and then go through everything it can write to.. I lost a copy of UBB to this worm even though I don't run phpBB off the same vhost. Gonna be a nightmare for server ops to ensure that all client copies of phpBB are patched..
The one instance of this I observed did the following:
1) got permissions of apache daemon by way of the viewtopic.php script
2) ran the server's wget to download http://www.packetstormsecurity.nl/DoS/udp.pl
3) pulled udp.pl down into /tmp, and ran; not sure how it got its list of IPs.
The quick and dirty work around to shut this off right away was to chmod wget down to 0, then go fix viewtopic.php .
+-------------------------
+ Dave Dennis
+ Seattle, WA
+ dmd@speakeasy.org
+ http://www.dmdennis.com
+-------------------------
On Tue, 21 Dec 2004, cw wrote:
Does anyone have any more detail on exactly what this thing does after it gets into a system?
The cgi platform for a company I use has been hit and the effect is not just limited to phpBB, it seems to get into the server and then go through everything it can write to..
I lost a copy of UBB to this worm even though I don't run phpBB off the same vhost.
Gonna be a nightmare for server ops to ensure that all client copies of phpBB are patched..
cw wrote:
Does anyone have any more detail on exactly what this thing does after it gets into a system?
Check *any* AV web site.
The cgi platform for a company I use has been hit and the effect is not just limited to phpBB, it seems to get into the server and then go through everything it can write to..
Naturally. This can teach you a few lessons, ranging from, but not limited to:
1. Using packages that have a higher rate of disclosed vulnerabilities than....
2. Using packages that demand certain privileges.
3. Not limiting privileges.
4. Not patching.
I lost a copy of UBB to this worm even though I don't run phpBB off the same vhost.
Gonna be a nightmare for server ops to ensure that all client copies of phpBB are patched..
It shouldn't be a nightmare for people to do proper patching, especially when it is not a client application at all (I got what you meant..).
A few months ago I heard and later made a joke about creating a random program that will build fake PHP application advisories and email them to bugtraq daily. That's pretty much how it looks today, as it is.
This worm is finite, it won't last virtually forever like some other worms. I haven't looked at it yet, but my bet would be most of its harm is overhead of wasted traffic.
Gadi.
----- Original Message -----
From: "cw" <nanog@fidei.co.uk>
To: <nanog@merit.edu>
Sent: Tuesday, December 21, 2004 3:47 PM
Subject: Re: Sanity worm defaces websites using php bug
Gonna be a nightmare for server ops to ensure that all client copies of phpBB are patched..
It is as simple as find /$dir_where_your_vhosts_live -name viewtopic.php and a very straightforward sed on the results.
-p
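As an added example (not posted by anyone in this thread), the find-based inventory Paul G describes, extended so that every copy of viewtopic.php under the vhost root is hashed and grouped: copies whose hash differs from a known-good patched file are the ones still needing attention. It assumes a Linux host with GNU find and md5sum; the root directory and the known-good hash are supplied by the admin.

```shell
#!/bin/sh
# Added example: inventory every viewtopic.php below a vhost root and group by MD5.
# Assumes GNU coreutils (md5sum) and find. ROOT is the directory holding the vhosts.

# Print "md5  path" for every viewtopic.php found below ROOT.
inventory_viewtopic() {
    root="$1"
    find "$root" -type f -name viewtopic.php -exec md5sum {} +
}

# Number of copies found (each one is a separate forum install to patch).
count_copies() {
    inventory_viewtopic "$1" | wc -l | tr -d ' '
}

# Number of distinct file versions: if this is greater than 1 after patching,
# at least one install is out of step with the others.
count_distinct() {
    inventory_viewtopic "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Paths whose hash is not the known-good one (second argument is the MD5 of a
# viewtopic.php you have already verified as patched).
list_unpatched() {
    inventory_viewtopic "$1" | awk -v good="$2" '$1 != good {print $2}'
}

# Stand-alone use: ./inventory.sh /var/www   (prints the sorted hash/path list)
if [ $# -ge 1 ]; then
    inventory_viewtopic "$1" | sort
fi
```

Hashing rather than grepping for a version string keeps the check honest: a copy that was edited by hand but not fully patched will still show up as a distinct hash.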
Dan Hollis wrote:
On Tue, 21 Dec 2004, Fergie (Paul Ferguson) wrote:
These people don't waste much time when a new exploit is found, do they? Geez. http://isc.sans.org/diary.php?date=2004-12-21
It's exploiting a bug in old versions of phpbb, it's not using the recent php exploit.
-Dan
It isn't very blatant about it either. I allow myself to quote *only* the following from the source to help you make sure it is the actual worm that got you or your users.
It is written in perl. Size: 4.87 KB (4,996 bytes). MD5: 4ad08373aaa7c96ad8ab4b93df4fd4a0
Safe source (HTML generation only) sample:
....
my $s = q{<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD><BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
....
Gadi.
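An added example (not code from the thread) that turns the two indicators Gadi quotes into a host check: the sample's size and MD5 identify the worm file itself, and the defacement title identifies pages it has overwritten. It assumes a Linux host with GNU find, grep and md5sum, and takes the directory to scan as its argument; the size and hash values are the ones quoted in the post above.

```shell
#!/bin/sh
# Added example: scan a directory tree for the indicators quoted in the thread.
WORM_MD5=4ad08373aaa7c96ad8ab4b93df4fd4a0   # MD5 of the sample, from the post above
WORM_SIZE=4996                               # size in bytes, from the post above
DEFACE_MARK='This site is defaced!!!'        # title string from the quoted HTML

# Files below DIR whose size AND MD5 match the quoted sample. Filtering on size
# first means only plausible candidates get hashed.
find_worm_copies() {
    find "$1" -type f -size "${WORM_SIZE}c" -exec md5sum {} + 2>/dev/null \
        | awk -v h="$WORM_MD5" '$1 == h {print $2}'
}

# Files below DIR that contain the defacement title (overwritten web pages).
find_defaced_pages() {
    grep -rlF -- "$DEFACE_MARK" "$1" 2>/dev/null
}

# Total number of hits across both indicators; 0 means nothing was found.
indicator_count() {
    n1=$(find_worm_copies "$1" | wc -l | tr -d ' ')
    n2=$(find_defaced_pages "$1" | wc -l | tr -d ' ')
    echo $((n1 + n2))
}

# Stand-alone use: ./scan.sh /var/www /tmp
if [ $# -ge 1 ]; then
    for d in "$@"; do
        find_worm_copies "$d"
        find_defaced_pages "$d"
    done
fi
```

Requiring both size and hash avoids false positives from unrelated 4,996-byte files, while the defacement string catches damage even where the worm file itself has already been removed.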
Fergie (Paul Ferguson) wrote:
These people don't waste much time when a new exploit is found, do they? Geez.
As a friend of mine just said.. good times! http://www.google.com/search?q=NeverEverNoSanity Gadi.
participants (6): cw, Dan Hollis, Dave Dennis, Fergie (Paul Ferguson), Gadi Evron, Paul G