From: Michael Shigorin <mike@osdn.org.ua>
To: community@altlinux.ru
Subject: [Comm] Fwd: WebWorm using PHPBB vulnerability in the wild!
Date: Wed, 22 Dec 2004 09:59:04 +0200
Message-ID: <20041222075904.GP21009@osdn.org.ua>

FYI

----- Forwarded message from Niki Denev <nike_d cytexbg com> -----

Date: Tue, 21 Dec 2004 01:42:22 +0200
From: Niki Denev <nike_d cytexbg com>
To: bugtraq@
Subject: WebWorm using PHPBB vulnerability in the wild!

There have been reports of WebWorm exploiting PHPBB's urldecode vulnerability.
The worm uses this to create a perl script on the server and start it.
After the perl script starts it wipes itself out, then begins to search
via google.com/advanced_search for exploitable viewtopic.php files, part of
the vulnerable PHPBB distributions.
Then the worm replicates itself by using the vulnerability, and also
overwrites any files on the disk that it has permission to.

Machines running the worm script will have a perl process with the name 'm1ho2of'
running. But this likely will change when people start to notice it.

The possible solution is to patch or disable the vulnerable PHPBB installations.

--niki

----- End forwarded message -----

PS: grep 'GET /viewtopic.php.*system.*chr' /var/log/httpd/access_log
(or wherever it is located), judging by what they are trying to bombard us with.

--
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/
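
An added example, not part of the original message: the grep from the PS wrapped into a small script that counts matching requests per client and looks for the process name the advisory reports. The log format (client address in the first field), the function names and the sample log lines are assumptions constructed here; case-insensitive matching is also an addition.

```shell
#!/bin/sh
# Added example (not from the original message). The pattern is the one in the
# PS; matching case-insensitively is an addition made here.
PATTERN='GET /viewtopic\.php.*system.*chr'

# scan_log FILE: print "HITS CLIENT" for each client whose requests match,
# busiest first. Assumes the client address is the first field of each line
# (Apache common/combined log format).
scan_log() {
    grep -Ei -- "$PATTERN" "$1" |
        awk '{ hits[$1]++ } END { for (c in hits) print hits[c], c }' |
        sort -k1,1nr -k2,2
}

# worm_procs: list processes carrying the name reported in the advisory.
# The [m] bracket keeps grep from matching its own command line.
worm_procs() {
    ps -eo pid,args | grep '[m]1ho2of'
}

# Constructed sample log: documentation addresses, placeholder query strings
# that only exist to exercise the pattern.
make_sample_log() {
    cat <<'EOF'
192.0.2.10 - - [22/Dec/2004:09:01:11 +0200] "GET /viewtopic.php?t=1&x=system(chr(65)) HTTP/1.0" 200 512
192.0.2.10 - - [22/Dec/2004:09:01:14 +0200] "GET /viewtopic.php?t=2&x=system(chr(66)) HTTP/1.0" 200 512
198.51.100.7 - - [22/Dec/2004:09:02:40 +0200] "GET /viewtopic.php?t=3&x=SYSTEM(CHR(67)) HTTP/1.0" 200 512
203.0.113.5 - - [22/Dec/2004:09:03:02 +0200] "GET /viewtopic.php?t=4 HTTP/1.1" 200 9120
203.0.113.5 - - [22/Dec/2004:09:03:05 +0200] "GET /index.php HTTP/1.1" 200 4410
EOF
}

# Demo on the sample; on a real host pass the access log path to scan_log.
sample=$(mktemp)
make_sample_log > "$sample"
scan_log "$sample"
rm -f "$sample"
```

A non-empty result from `scan_log` shows probing only; whether a host was actually compromised is what `worm_procs` and a check for overwritten files are for.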