BugTraq
phpBB Worm Dec 20 2004 11:51PM
Shannon Lee (shannon webhostworks net) (3 replies)
Re: phpBB Worm Dec 22 2004 03:21PM
Alexander Klimov (alserkli inbox ru)
Re: phpBB Worm Dec 21 2004 10:28PM
Raymond Dijkxhoorn (raymond prolocation net) (2 replies)
Hi!

> After some investigation, we determined that the attacker had gained
> access via phpbb in a series of crafted URL requests, like so:
>
> 64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET /viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252echr(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE OMITTED.com/

If you cannot fix it (virtual servers) fast for all your clients you could
also try with something like this:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
RewriteRule ^.*$ - [F]

We had some vhosts where this worked just fine. On our systems we didn't
see any valid request with echr and esystem, just be gentle with it, it
works for me, it could work for you ;)

Bye,
Raymond.
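
A dry run of the rewrite conditions above against an existing access log, to see which requests they would reject before enabling them on shared vhosts. This is an added example, not part of the original message; the function names are hypothetical, and the log lines are constructed (addresses from the 192.0.2.0/24 documentation range, payload shortened from the quoted request).

```python
import re

# Mirrors the two RewriteCond patterns from the message: a case-sensitive,
# unanchored match on the raw query string. mod_rewrite's %{QUERY_STRING}
# is not percent-decoded, so the log text is matched as-is.
BLOCK_PATTERNS = [re.compile(r"echr"), re.compile(r"esystem")]

# Client address, method, request target and status from a common/combined log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def would_block(query_string):
    """True if either rewrite condition would match this raw query string."""
    return any(p.search(query_string) for p in BLOCK_PATTERNS)

def audit(lines):
    """Return one record per parsable log line, marking what the rule would reject."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        results.append({"ip": ip, "path": path, "status": int(status),
                        "blocked": would_block(query)})
    return results

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Dec/2004:08:41:35 -0800] "GET /viewtopic.php?p=9002'
    '&highlight=%2527%252Efwrite(fopen(chr(109)%252echr(49)),chr(35)),exit%252e%2527'
    ' HTTP/1.0" 200 13648',
    '192.0.2.20 - - [20/Dec/2004:09:02:11 -0800] '
    '"GET /viewtopic.php?t=42&highlight=backup HTTP/1.1" 200 9120',
    # Legitimate search whose keyword happens to contain "echr".
    '192.0.2.30 - - [20/Dec/2004:09:05:47 -0800] '
    '"GET /search.php?keywords=speechrecognition HTTP/1.1" 200 7033',
    '192.0.2.40 - - [20/Dec/2004:09:07:03 -0800] "GET /index.php HTTP/1.1" 200 5000',
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        verdict = "BLOCK" if rec["blocked"] else "pass"
        print(f'{verdict:5} {rec["ip"]:12} {rec["path"]} (was {rec["status"]})')
```

Any blocked record that came from a legitimate visitor, like the third sample line, is a request the rule would answer with 403 once enabled.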
