Packet-Filtering Malware;XMLRPC Vulnerabilities;phpBB highlight vulnerability;Fake MS Bulletins

Published: 2005-06-30
Last Updated: 2005-07-01 13:06:36 UTC
by Robert Danford (Version: 1)

Packet-Filtering Malware

We had some readers (thanks Steve) write in regarding a new malware strategy of filtering packets instead of mucking with the local hosts file, mentioned in the excellent F-Secure blog, with the full description here:

So instead of redirecting Anti-Virus sites to localhost (
and essentially preventing firewall and anti-virus updates from occurring, it blocks the actual network traffic. Much harder to detect and troubleshoot. I guess we need health checking in all of our Anti-Virus now, so the end user can be alerted if updates can't be retrieved (but I'm sure most users would really love to have another pop-up warning window...)

XMLRPC Vulnerabilities (fixed)

James Bercegay wrote in regarding several security holes he discovered in XMLRPC libraries for PHP:

Version 1.1 is vulnerable to remote code execution via a careless eval call. The hole has been fixed and a patch is available.

Versions 1.3.0 and earlier are vulnerable to remote code execution. The issue has been fixed and a patch is available.

These libraries are found in a number of applications such as postnuke, drupal, TikiWiki, and b2evolution.

Advisory Info:

Thanks for the heads-up James and the excellent job working with the vendors and
the conscientious disclosure.


Some recent reports of click-fraud malware (Backdoor.Win32.DSSdoor.b)

Excellent technical writeup:

Reporting Phishing

If you have discovered phishing, here are some reporting links that may come in handy:

Reporting page:

Here is a resource for government reporting sites:

phpBB Highlight Vulnerability Re-introduced

We've had some folks writing in regarding snort signatures for the new phpBB vulnerability.

This vulnerability is an accidental re-introduction of the same bug that existed in phpBB earlier than 2.0.11 and was (apparently) accidentally reintroduced during work between 2.0.14 and 2.0.15. Existing snort signatures {sourcefire sid:2229 and bleeding-snort sids:2001457, 2001557, 2001604, and 2001605} will detect the common exploits.

Also, a more generic treatment of this vulnerability is as follows:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (sid:2005063001; rev:1; \
msg:"[ISC] possible phpBB <= 2.0.15 code injection"; \
flow:to_server,established; \
uricontent:"viewtopic.php|3f|"; nocase; \
pcre:"/[?&]highlight=(.\.|%27%2E|%2527%252E)\S+\(/iU"; \
classtype:misc-attack; )

One Final Note: This is the bug that allowed Santy.A to work.
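For sites that keep web-server access logs but have no sensor in front of the forum, the same two rule conditions (a viewtopic.php request and the quote-dot-then-call shape in the highlight parameter, raw, URL-encoded or double-encoded) can be applied to logged request URIs. This is an added example, not part of the ISC diary or of the signature above; the function names and the sample log lines are constructed here, and the placeholder function name in them is arbitrary.

```python
import re

# Python translation of the rule's uricontent and pcre checks, applied to
# web-server access-log lines instead of packets (added example).
URI_CHECK = re.compile(r"viewtopic\.php\?", re.IGNORECASE)
HIGHLIGHT_CHECK = re.compile(
    r"[?&]highlight=(.\.|%27%2E|%2527%252E)\S+\(", re.IGNORECASE)

# Common Log Format: host ident authuser [date] "METHOD URI PROTO" status bytes
LOG_LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')


def matches_rule(uri: str) -> bool:
    """True when a request URI satisfies both conditions of the Snort rule."""
    return bool(URI_CHECK.search(uri)) and bool(HIGHLIGHT_CHECK.search(uri))


def scan_log(lines):
    """Return (line_number, uri) for every log line whose URI trips the rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if m and matches_rule(m.group("uri")):
            hits.append((n, m.group("uri")))
    return hits


# Constructed sample log lines (not real traffic). The suspicious entries use a
# harmless placeholder function name; only the quote-dot-call shape matters.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jun/2005:10:00:01 +0000] "GET /forum/viewtopic.php?t=42&highlight=snort HTTP/1.1" 200 5120',
    '10.0.0.9 - - [30/Jun/2005:10:00:02 +0000] "GET /forum/viewtopic.php?t=42&highlight=%2527%252Efoo(bar)%2527 HTTP/1.1" 200 612',
    '10.0.0.9 - - [30/Jun/2005:10:00:03 +0000] "GET /forum/viewtopic.php?t=42&highlight=%27%2Efoo(bar)%27 HTTP/1.1" 200 612',
    '10.0.0.9 - - [30/Jun/2005:10:00:04 +0000] "GET /forum/VIEWTOPIC.PHP?t=7&highlight=\'.foo(bar).\' HTTP/1.1" 200 612',
    '10.0.0.7 - - [30/Jun/2005:10:00:05 +0000] "GET /forum/viewforum.php?f=3&highlight=%2527%252Efoo(bar) HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, uri in scan_log(SAMPLE_LOG):
        print(f"line {n}: possible phpBB <= 2.0.15 code injection: {uri}")
```

Unlike the Snort `U` modifier, this operates on the URI as logged, so a server that normalizes or decodes the request before logging may need the decoded forms added.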

Windows Update Alternative

Alternative to Windows Update that many sysadmins may find useful (Thanks Matt):

For Windows 2000 SP4, WinXP SP1 and SP2 or Windows 2003 systems which have updated to the newest version of IE:

Fake Microsoft Security Bulletins Alert

A lot of reports have been streaming in regarding fake Microsoft Security Bulletins:

Which were recently mentioned here by Kevin Hong (

It is always best to use the standard methods of patch updates (Windows|Microsoft Update) instead of relying on information or URLs provided in an email, especially at the current time, where there is some confusion over the new Updater for XP (mentioned in yesterday's diary) and the Rollup patch for Windows 2000 SP4, which has been causing some issues in some environments. Just take a deep breath and double-check everything before executing code (updates, etc.) as Administrator.

Robert Danford

ISC Handler of the Day