Sanity worm defaces websites using php bug

Dave Dennis dmd at speakeasy.org
Tue Dec 21 21:15:13 UTC 2004


The one instance of this I observed did the following:

1) got permissions of apache daemon by way of the viewtopic.php script

2) ran the server's wget to download
http://www.packetstormsecurity.nl/DoS/udp.pl

3) pulled udp.pl down into /tmp, and ran it; not sure how it got its list of IPs.

The quick and dirty workaround to shut this off right away was to chmod
wget down to 0, then go fix viewtopic.php.



+-------------------------
+ Dave Dennis
+ Seattle, WA
+ dmd at speakeasy.org
+ http://www.dmdennis.com
+-------------------------

On Tue, 21 Dec 2004, cw wrote:

>
> Does anyone have any more detail on exactly what this thing does after
> it gets into a system?
>
> The cgi platform for a company I use has been hit and the effect is
> not just limited to phpBB, it seems to get into the server and then go
> through everything it can write to..
>
> I lost a copy of UBB to this worm even though I don't run phpBB off
> the same vhost.
>
> Gonna be a nightmare for server ops to ensure that all client copies
> of phpBB are patched..
>
>
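
A host-side triage for the observed steps and the workaround above, as an added example that is not part of the original post. The function names are hypothetical, and the web server account and wget path are assumptions supplied by the operator.

```shell
#!/bin/sh
# Added example: check a host for the behaviour described in this post.
# Assumptions: the operator passes in the web server account (name or uid)
# and the wget path. Nothing here is taken from the worm itself.
# Usage (account name and path are examples): triage /tmp apache /usr/bin/wget

# List regular files under DIR owned by OWNER that look like scripts:
# a .pl name (the post names udp.pl) or a "#!" first line.
# File names containing newlines are not handled.
dropped_scripts() {
    dir=$1 owner=$2
    find "$dir" -type f -user "$owner" 2>/dev/null | while IFS= read -r f; do
        case $f in
            *.pl) printf '%s\n' "$f"; continue ;;
        esac
        # Unreadable files are skipped rather than reported.
        first=$(head -c 2 "$f" 2>/dev/null) || continue
        if [ "$first" = '#!' ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# Succeeds when the file has no permission bits at all, i.e. the post's
# "chmod wget down to 0" workaround is in place, or when the file is absent.
wget_disabled() {
    [ -e "$1" ] || return 0
    case $(ls -ldL -- "$1") in
        ----------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report both findings; returns non-zero if either one needs attention.
triage() {
    tmpdir=$1 owner=$2 wget_path=$3 status=0
    hits=$(dropped_scripts "$tmpdir" "$owner")
    if [ -n "$hits" ]; then
        printf 'scripts owned by %s under %s:\n%s\n' "$owner" "$tmpdir" "$hits"
        status=1
    fi
    if ! wget_disabled "$wget_path"; then
        printf '%s still has permission bits set\n' "$wget_path"
        status=1
    fi
    return "$status"
}
```

Mode 0 on wget only blocks this one download path; it is a stopgap until viewtopic.php itself is fixed, as the post says.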


