Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Phpbb include vuln scanning, via Google, generating new IRC botnet - SANS Internet Storm Center SANS ISC InfoSec Forums


Phpbb include vuln scanning, via Google, generating new IRC botnet
We have received two reports of systems being exploited via a phpbb include vulnerability, after which a "new" IRC bot is installed. Please update your files now. Phpbb forum support guru "Techie-Micheal" points out that "running update_to_latest.php on their install only updates the database (and is clearly stated in the documentation), files need to be updated separately for which there are several methods".

The scanning is for phpbb versions 2.0.10 and under. The latest version of phpbb is 2.0.18.

Micheal also notes: "In past bots, the bots would run as an 'SSL'ed Apache'. This one is a bit different:

my $processo = '/usr/local/firewall'".

The new IRC bot scans for vulnerable systems using Google. When successful, it announces that "oopz and sirh0t and Aleks g0t pwned u!". It has UDP flooding and UDP/ICMP/TCP scanning capabilities.

Responsible parties have been notified and acknowledged the issues.

Thanks Micheal, Reg, and anonymous!

strings;
xxxxxxxxxxxxxxx

#Shellbot by sirh0t & oopz a.k.a zer-0-day and Aleks PRIVATE!
#VERY FAST SPREADING!!!! NO JOKING

xxxxxxxxxxxxxxx

my $processo = '/usr/local/firewall';

xxxxxxxxxxxxxxx

servidor='forum.unixirc.pl'
porta='81'

xxxxxxxxxxxxxxx

}      } else {
           if ($funcarg =~ /^portscan (.*)/) {
use IO::Socket; $hostip="$1";
use IO::Handle; @portas=("21","23","25","80","113","135","445","1
use Socket;0","6660","6661","6662","6663","6665","6666","6667","
use IO::Select;,"7000","8080");
Patrick
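
As an added example (not part of the original diary and not code from the bot), a Linux check for the process-name disguise noted above: it flags any process whose argv[0] reads /usr/local/firewall while /proc/<pid>/exe points at a different file. It assumes the bot assigns $processo to Perl's $0, which the strings excerpt does not show; the function names are chosen here.

```python
#!/usr/bin/env python3
"""Flag processes that display the bot's fake name but run another binary."""
import os

# Indicator taken from the strings output on this page.
FAKE_NAME = "/usr/local/firewall"
DELETED = " (deleted)"


def is_masquerading(cmdline: bytes, exe: str, fake_name: str = FAKE_NAME) -> bool:
    """True if argv[0] claims fake_name but the kernel-recorded image differs."""
    # A rewritten process title may be padded with NULs or spaces.
    argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace").strip()
    if argv0 != fake_name:
        return False
    # An unlinked binary is reported as "/path (deleted)"; drop the suffix.
    real = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
    # A genuine /usr/local/firewall binary would have exe == fake_name.
    return real != fake_name


def scan_proc(proc_root: str = "/proc"):
    """Return [(pid, real_exe)] for every masquerading process found."""
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue  # not a PID directory
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read()
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited, kernel thread, or no permission
        if is_masquerading(cmdline, exe):
            hits.append((int(entry), exe))
    return hits


if __name__ == "__main__":
    # Run as root so /proc/<pid>/exe is readable for every user's processes.
    for pid, exe in scan_proc():
        print(f"pid {pid}: shows {FAKE_NAME} but runs {exe}")
```

Run it as root on the web server; a hit gives the PID to inspect and the interpreter actually executing.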
