[37910] in bugtraq
Re: WebWorm using PHPBB vulnerability in the wild!
daemon@ATHENA.MIT.EDU (Nick Johnson)
Wed Dec 22 21:41:40 2004
Date: Wed, 22 Dec 2004 22:52:53 +1300
From: Nick Johnson <arachnid@notdot.net>
In-reply-to: <cone.1103586142.279819.30619.1001@niked.office.suresupport.com>
To: bugtraq@securityfocus.com
Message-id: <41C943F5.2050506@notdot.net>
MIME-version: 1.0
Content-type: text/plain; format=flowed; charset=ISO-8859-1
Content-transfer-encoding: 7bit
This is something that I've wondered about for a while: Given the issues
with it, why do the authors of nearly every webapp persist in putting
the full version number at the bottom of each page? This, coupled with
search engines indexing the pages provides a nice easy directory of
sites to hack, or in this case, to exploit with a worm.
Has there been an advisory to this effect?
-Nick Johnson
Niki Denev wrote:
> There have been reports of WebWorm exploting PHPBB's urldecode
> vulnerability.
> The worm uses this to create a perl script on the server and start it.
> After the perl script starts it wipes itself out, then begans to search
> via google.com/advanced_search for exploitable viewtopic.php files
> part from the vulnerable PHPBB distributions.
> Then the worm replicates itself by using the vulnerability, and also
> overwrites any files on the disk that it has permission to.
> Machines running the worm script will have perl process with name
> 'm1ho2of' running.
> But this likely will change when the people start to notice it.
> The possible solution is to patch or disable the vulnerable PHPBB
> installations.
>
>
> --niki
>
>------------------------------------------------------------------------
>
>!DSPAM:41c8ef2a143957632644158!
>
