Irritating worm uses phpBB vulnerability to "deface"

Posted: Wed Dec 22, 2004 3:08 pm
by Jorg
Hi guys,

I have read all over the net that there is some kind of worm active that exploits a PHP / phpBB flaw. You can read about it here; ... ag=nl.e589

I will look into upgrading the site, but in the meantime I have made a site-wide copy of the phpBB scripts that can be restored the moment something goes wrong, and I also back up the site database on a daily basis.

If the site is being attacked and I am not yet aware of it, send an email to me: [email protected]

- Jorgen

Posted: Wed Dec 22, 2004 5:09 pm
by tierra
I believe it's a worm that exploits the latest PHP exploit that was patched and fixed in 4.3.10 and 5.0.3. The worm consists of some Perl code that looks for any .html files on the server, and replaces the contents with some defacement info including worm generation, then continues to Google search for more websites to hack. So basically, if you have no .html files, then you probably haven't lost anything; however, that doesn't mean you haven't been infected either. If you've got shell access, executing this search on your Apache access log should indicate if you've been targeted at least, and if you didn't patch before that access, you were most likely hit:

Code:

grep 252echr access_log | wc -l

Being that this is a more popular forum, I wouldn't doubt your rank in Google is high, thus making your chances of being a target much greater. I'm under the impression that simply patching PHP will stop any further hits from doing any harm; there's nothing left behind that I've heard of that you need to clean off.
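
The log check from the post above, extended as an added example that is not part of the original thread: it matches the same `252echr` marker case-insensitively (hex digits in percent-encoding may be upper or lower case), reports the first matching timestamp to compare against the patch date, and counts hits per client. The function names, the common/combined log format and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Marker taken from the grep command above.
MARKER='252echr'

# Matching requests, case-insensitively: %252E and %252e encode the same byte.
worm_hits() { grep -i -- "$MARKER" "$1"; }

# Number of matching requests (grep -c exits 1 on zero matches, hence || true).
worm_hit_count() { grep -ic -- "$MARKER" "$1" || true; }

# Timestamp of the first matching request. Assumes common/combined log format
# (field 4 is "[dd/Mon/yyyy:hh:mm:ss") and a chronologically ordered log.
worm_first_hit() {
    worm_hits "$1" | head -n 1 | awk '{ sub(/^\[/, "", $4); print $4 }'
}

# "client count" pairs, most active client first.
worm_hits_by_client() {
    worm_hits "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# Constructed sample log (documentation addresses, placeholder request paths).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
192.0.2.10 - - [21/Dec/2004:23:58:11 +0000] "GET /forum/index.php HTTP/1.1" 200 5120
198.51.100.7 - - [22/Dec/2004:02:14:40 +0000] "GET /forum/page.php?q=CONSTRUCTED%252echr(0) HTTP/1.0" 200 812
198.51.100.7 - - [22/Dec/2004:02:14:41 +0000] "GET /forum/page.php?q=CONSTRUCTED%252Echr(0) HTTP/1.0" 200 812
203.0.113.5 - - [22/Dec/2004:09:30:02 +0000] "GET /forum/page.php?q=CONSTRUCTED%252echr(0) HTTP/1.0" 404 210
192.0.2.10 - - [22/Dec/2004:10:00:00 +0000] "GET /forum/faq.php HTTP/1.1" 200 3300
EOF

echo "hits:      $(worm_hit_count "$sample")"
echo "first hit: $(worm_first_hit "$sample")"
worm_hits_by_client "$sample"
```

On the sample, the case-sensitive grep from the post counts two requests while the case-insensitive match counts three, because one request uses `%252E` in upper case.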

Posted: Wed Dec 22, 2004 5:32 pm
by Jorg
Hi Tierra,

Thanks for the info. Unfortunately I cannot patch PHP; my site is hosted by a hosting company, and I have no access to the PHP install. I don't know if patching phpBB to version 2.0.11 will do any good (we are now on 2.0.10), but I will keep an eye on this. Let's just hope we are not hit by this worm anytime in the near future...

- Jorgen

Posted: Wed Dec 22, 2004 7:05 pm
by cg
You should consider upgrading, Jorg. Have a look at this article:


Posted: Wed Dec 22, 2004 9:35 pm
by Jorg
Sounds indeed serious. I will try to do this before xmas, or shortly after it. Thanks for pointing it out!

- Jorgen