[37865] in bugtraq
WebWorm using PHPBB vulnerability in the wild!
daemon@ATHENA.MIT.EDU (Niki Denev)
Tue Dec 21 22:53:54 2004
Message-ID: <cone.1103586142.279819.30619.1001@niked.office.suresupport.com>
From: Niki Denev <nike_d@cytexbg.com>
To: bugtraq@securityfocus.com
Date: Tue, 21 Dec 2004 01:42:22 +0200
Mime-Version: 1.0
Content-Type: multipart/signed;
boundary="=_mimegpg-niked.office.suresupport.com-30619-1103586142-0001";
micalg=pgp-sha1; protocol="application/pgp-signature"
This is a MIME GnuPG-signed message. If you see this text, it means that
your E-mail or Usenet software does not support MIME signed messages.
--=_mimegpg-niked.office.suresupport.com-30619-1103586142-0001
Content-Type: text/plain; format=flowed; charset="US-ASCII"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
There have been reports of WebWorm exploting PHPBB's urldecode
vulnerability.
The worm uses this to create a perl script on the server and start it.
After the perl script starts it wipes itself out, then begans to search
via google.com/advanced_search for exploitable viewtopic.php files part from
the vulnerable PHPBB distributions.
Then the worm replicates itself by using the vulnerability, and also
overwrites any files on the disk that it has permission to.
Machines running the worm script will have perl process with name 'm1ho2of'
running.
But this likely will change when the people start to notice it.
The possible solution is to patch or disable the vulnerable PHPBB
installations.
--niki
--=_mimegpg-niked.office.suresupport.com-30619-1103586142-0001
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
iD8DBQBBx2NeHNAJ/fLbfrkRAjRSAKDO8QOcPzup+PulNke3TIN0SXcLAACeIssv
nrm+o7rSX3YgDuEgK7FZ7BE=
=ATdc
-----END PGP SIGNATURE-----
--=_mimegpg-niked.office.suresupport.com-30619-1103586142-0001--
