If you run phpBB, you are probably familiar with bots attempting to attack your site. Typically, you will find entries in your web log like the following:

    viewtopic.php? [...] &highlight=%2527%252esystem(chr(99)%252echr [...]

I omitted the long string of URL-encoded hex characters. If you run phpBB, grep your Apache access log for 'viewtopic.php', 'highlight' and 'system':

    grep viewtopic < access_log | grep highlight | grep system

Now the part you are interested in is what the request attempts to execute as part of the "system" call. To decode it quickly, use PHP's "urldecode" function. Just open a shell and enter:

    $ php -e

Make sure you do not copy any quotes. This will likely reveal an ftp command and, with it, the location of the actual bot code. Let us know what you find.

I posted a quick analysis of a typical phpBB bot here. Important: a few users reported antivirus alerts after clicking this URL. Since the page quotes parts of the bot, it likely triggers some signatures. However, the page will not execute any malware (trust me ;-) ).

These bots typically all work very much alike:

A couple of simple countermeasures to keep in mind:
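Returning to the grep-and-urldecode steps above: the following is an added example, not code from the diary or from phpBB. It scans constructed Apache access-log lines, pulls the highlight parameter out of viewtopic.php requests, applies urldecode repeatedly because these bots double-encode (%2527 becomes %27 and then a single quote), and renders the PHP chr(N).chr(M) concatenation as plain text so the attempted command can be read. The log lines, client addresses and the harmless command they decode to are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log sample (not from a real server). The third line
# mimics the double-URL-encoded highlight parameter; it decodes to "echo hi".
SAMPLE_LOG = """\
192.0.2.1 - - [19/Apr/2006:10:00:01 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=welcome HTTP/1.1" 200 5120
192.0.2.2 - - [19/Apr/2006:10:00:02 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 2048
192.0.2.3 - - [19/Apr/2006:10:00:03 +0000] "GET /phpBB2/viewtopic.php?t=7&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(104)%252echr(105))%252e%2527 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*"GET (?P<path>/[^ "]*viewtopic\.php\?[^ "]*) HTTP/')
HIGHLIGHT_RE = re.compile(r'[?&]highlight=([^& "]+)')
CHR_RUN_RE = re.compile(r'(?:chr\(\d+\)\.?)+')

def url_decode_fully(value, max_rounds=5):
    """Apply urldecode until the string stops changing (%2527 -> %27 -> ')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def chr_runs_to_text(code):
    """Replace PHP chr(N).chr(M)... concatenations with the quoted text they build."""
    def render(match):
        numbers = re.findall(r'chr\((\d+)\)', match.group(0))
        text = ''.join(chr(int(n)) for n in numbers)
        return '"' + text + '"'
    return CHR_RUN_RE.sub(render, code)

def decode_highlight(raw_value):
    """Full decoding pipeline for one raw highlight parameter value."""
    return chr_runs_to_text(url_decode_fully(raw_value))

def scan_access_log(log_text):
    """Return (client_ip, decoded_payload) for viewtopic.php hits whose highlight calls system(."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        h = HIGHLIGHT_RE.search(m.group('path')) if m else None
        if not h:
            continue
        decoded = decode_highlight(h.group(1))
        if 'system(' in decoded:
            hits.append((m.group('ip'), decoded))
    return hits
```

Run scan_access_log over your own access_log text instead of SAMPLE_LOG; the decoded payload is printed as text only and is never executed.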
Johannes, ISC Handler
Apr 19th 2006