North American Network Operators Group


Re: Sanity worm defaces websites using php bug

  • From: Dave Dennis
  • Date: Tue Dec 21 16:19:16 2004

The one instance of this I observed did the following:

1) got permissions of apache daemon by way of the viewtopic.php script

2) ran the server's wget to download
http://www.packetstormsecurity.nl/DoS/udp.pl

3) pulled udp.pl down into /tmp, and ran it; not sure how it got its list of IPs.

The quick and dirty workaround to shut this off right away was to chmod
wget down to 0, then go fix viewtopic.php .



+-------------------------
+ Dave Dennis
+ Seattle, WA
+ [email protected]
+ http://www.dmdennis.com
+-------------------------

On Tue, 21 Dec 2004, cw wrote:

>
> Does anyone have any more detail on exactly what this thing does after
> it gets into a system?
>
> The cgi platform for a company I use has been hit and the effect is
> not just limited to phpBB, it seems to get into the server and then go
> through everything it can write to..
>
> I lost a copy of UBB to this worm even though I don't run phpBB off
> the same vhost.
>
> Gonna be a nightmare for server ops to ensure that all client copies
> of phpBB are patched..
>
>
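A triage sketch for the behaviour reported in this message (a script fetched into /tmp by the web-server account, and the stopgap of removing execute permission from wget). This is an added example, not part of the original post or thread; the function names, the default paths and the web-server account name passed in are assumptions.

```shell
#!/bin/sh
# Added triage sketch; function names, default paths and the web-server
# account name are assumptions, not taken from the original post.

# List files under DIR owned by USER that look like scripts (known extension
# or "#!" first bytes), i.e. what a compromised web script could have
# fetched into a scratch directory and run through an interpreter.
webuser_scripts() {   # usage: webuser_scripts DIR USER_OR_UID
    find "$1" -xdev -type f -user "$2" -print 2>/dev/null |
    while IFS= read -r f; do
        case "$f" in
            *.pl|*.sh|*.py|*.php) printf '%s\n' "$f"; continue ;;
        esac
        magic=$(head -c 2 "$f" 2>/dev/null | tr -d '\0')
        if [ "$magic" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Succeed if FILE still has any execute bit set. After the stopgap in the
# post (chmod 0 on wget) this must fail for the wget binary.
has_exec_bit() {      # usage: has_exec_bit FILE
    [ -n "$(find -H "$1" -prune -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null)" ]
}

triage_report() {     # usage: triage_report WEB_USER [DIR] [WGET_PATH]
    if has_exec_bit "${3:-/usr/bin/wget}"; then
        echo "downloader still executable: ${3:-/usr/bin/wget}"
    fi
    echo "script-like files owned by $1 under ${2:-/tmp}:"
    webuser_scripts "${2:-/tmp}" "$1"
}

# Run only when asked, e.g.: sh triage.sh --run apache /tmp /usr/bin/wget
if [ "${1:-}" = "--run" ]; then
    triage_report "${2:?web-server user required}" "${3:-/tmp}" "${4:-/usr/bin/wget}"
fi
```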