[76726] in North American Network Operators' Group

Re: Sanity worm defaces websites using php bug

daemon@ATHENA.MIT.EDU (Gadi Evron)
Tue Dec 21 16:43:17 2004

Date: Tue, 21 Dec 2004 23:50:30 +0200
From: Gadi Evron <ge@linuxbox.org>
To: Dan Hollis <goemon@anime.net>
Cc: "Fergie (Paul Ferguson)" <fergdawg@netzero.net>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0412211155280.14470-100000@sasami.anime.net>
Errors-To: owner-nanog-outgoing@merit.edu


Dan Hollis wrote:
> On Tue, 21 Dec 2004, Fergie (Paul Ferguson) wrote:
> 
>>These people don't waste much time when a new exploit is
>>found, do they? Geez.
>> http://isc.sans.org/diary.php?date=2004-12-21
> 
> 
> It's exploiting a bug in old versions of phpbb, it's not using the recent 
> php exploit.
> 
> -Dan

It isn't very blatant about it either. I allow myself to quote *only* 
the following from the source to help you make sure it is the actual 
worm that got you or your users.

It is written in perl.

Size: 4.87 KB (4,996 bytes).

MD5: 4ad08373aaa7c96ad8ab4b93df4fd4a0

Safe source (HTML generation only) sample:

....
     my $s = q{<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD><BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
....

	Gadi.
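
Added example, not part of the original message: a small Python scanner that walks a web root and flags files matching the size and MD5 quoted above, or carrying the defacement title from the quoted sample. The verdict labels, the 64 KB read limit, and the premise that generated pages carry the same title are assumptions of this example.

```python
import hashlib
import os
import sys

# Indicators quoted in the message above.
WORM_MD5 = "4ad08373aaa7c96ad8ab4b93df4fd4a0"
WORM_SIZE = 4996  # bytes
MARKER = b"<TITLE>This site is defaced!!!</TITLE>"
HEAD_BYTES = 64 * 1024  # assumption: the marker sits near the top of a file


def classify(path, md5=WORM_MD5, size=WORM_SIZE):
    """Return 'worm-script', 'defacement-marker' or None for one file."""
    try:
        actual_size = os.path.getsize(path)
        with open(path, "rb") as fh:
            # Hash only size-matching files; otherwise read just the head.
            data = fh.read() if actual_size == size else fh.read(HEAD_BYTES)
    except OSError:
        return None  # unreadable or vanished file: skip it
    if actual_size == size and hashlib.md5(data).hexdigest() == md5:
        return "worm-script"
    # An exact hash misses any modified copy, so also look for the title
    # from the quoted source (assumed to appear in pages it generates).
    if MARKER in data:
        return "defacement-marker"
    return None


def scan(root, md5=WORM_MD5, size=WORM_SIZE):
    """Walk root and return sorted (path, verdict) pairs for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow symlinks out of the web root
            verdict = classify(path, md5, size)
            if verdict:
                hits.append((path, verdict))
    return sorted(hits)


if __name__ == "__main__":
    for path, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict}\t{path}")
```

Run it with the web root as the only argument; a `defacement-marker` hit on a file that is not an HTML page deserves a closer look, since the quoted source embeds the same title.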
