Sanity worm defaces websites using php bug

• Previous message (by thread): Sanity worm defaces websites using php bug
• Next message (by thread): Sanity worm defaces websites using php bug
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dan Hollis wrote:
> On Tue, 21 Dec 2004, Fergie (Paul Ferguson) wrote:
> 
>>These people don't waste much time when a new exploit
>>found, do they? Geez.
>> http://isc.sans.org/diary.php?date=2004-12-21
> 
> 
> Its exploiting a bug in old versions of phpbb, it's not using the recent 
> php exploit.
> 
> -Dan

It isn't very blatant about it either. I allow myself to quote *only* 
the following from the source to help you make sure it is the actual 
worm that got you or your users.

It is written in perl.

Size: 4.87 KB (4,996 bytes).

MD5: 4ad08373aaa7c96ad8ab4b93df4fd4a0

Safe source (HTML generation only) sample:

....
     my $s = q{<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD><BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
....

	Gadi.

• Previous message (by thread): Sanity worm defaces websites using php bug
• Next message (by thread): Sanity worm defaces websites using php bug
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]