From: Michael Shigorin
To: community@altlinux.ru
Date: Wed, 22 Dec 2004 09:59:04 +0200
Subject: [Comm] Fwd: WebWorm using PHPBB vulnerability in the wild!
Message-ID: <20041222075904.GP21009@osdn.org.ua>
List-Id: Mailing list for ALT Linux users

FYI

----- Forwarded message from Niki Denev -----

Date: Tue, 21 Dec 2004 01:42:22 +0200
From: Niki Denev
To: bugtraq@
Subject: WebWorm using PHPBB vulnerability in the wild!

There have been reports of a WebWorm exploiting PHPBB's urldecode
vulnerability. The worm uses this to create a perl script on the server
and start it. After the perl script starts it wipes itself out, then
begins to search via google.com/advanced_search for exploitable
viewtopic.php files, part of the vulnerable PHPBB distributions.
Then the worm replicates itself by using the vulnerability, and also
overwrites any files on the disk that it has permission to.

Machines running the worm script will have a perl process with the name
'm1ho2of' running. But this likely will change when people start to
notice it.

The possible solution is to patch or disable the vulnerable PHPBB
installations.

--niki

----- End forwarded message -----

PS: grep 'GET /viewtopic.php.*system.*chr' /var/log/httpd/access_log
(or wherever it is), judging by what they are trying to bombard us with.

-- 
 ---- WBR, Michael Shigorin
 ------ Linux.Kiev http://www.linux.kiev.ua/
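An added example, not part of the original mail or of any phpBB code, that applies the idea of the grep in the PS to constructed access-log lines: it URL-decodes the query string before matching, so a percent-encoded variant of the same tokens, which the grep on the raw line misses, is still flagged. The sample lines, their IP addresses and the query parameter name `h` are assumptions made up for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache common-log layout; the request line sits between the first pair of quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# The pattern from the mailing-list PS, applied to the raw (still encoded) log line.
RAW_GREP = re.compile(r"GET /viewtopic\.php.*system.*chr")
# Tokens that grep keys on; here they are matched after URL-decoding.
SUSPICIOUS = ("system", "chr")

# Constructed sample lines (not real traffic); the second hides the tokens behind
# double percent-encoding, and its query value is a placeholder, not an exploit.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Dec/2004:01:40:12 +0200] "GET /viewtopic.php?t=42 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [21/Dec/2004:01:41:03 +0200] "GET /viewtopic.php?t=42&h=%2573ystem%2528%2563hr%2528EXAMPLE%2529%2529 HTTP/1.1" 200 711',
    '198.51.100.4 - - [21/Dec/2004:01:42:22 +0200] "GET /index.php?c=1 HTTP/1.0" 200 3310',
]

def decode_query(target):
    """Decode the query twice so a doubly-encoded token is still visible."""
    return unquote(unquote(urlsplit(target).query)).lower()

def is_suspicious(line):
    """Return (ip, decoded_query) for a viewtopic.php GET carrying every SUSPICIOUS token."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    target = m.group("target")
    if not urlsplit(target).path.endswith("/viewtopic.php"):
        return None
    decoded = decode_query(target)
    if all(tok in decoded for tok in SUSPICIOUS):
        return m.group("ip"), decoded
    return None

def scan(lines):
    """Run both checks over log lines and return (raw_grep_hits, decoded_hits) as client IPs."""
    raw_hits = [l.split(" ", 1)[0] for l in lines if RAW_GREP.search(l)]
    decoded_hits = [hit[0] for hit in map(is_suspicious, lines) if hit]
    return raw_hits, decoded_hits

if __name__ == "__main__":
    raw, decoded = scan(SAMPLE_LOG)
    print("raw grep hits:", raw)      # []
    print("decoded hits:", decoded)   # ['203.0.113.9']
```

Point the script at the real access_log (one line per call to `is_suspicious`) to get the same decoded check the grep gives on the raw text.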