Mailing List Archive

Possible apache2/php 4.3.9 worm
Some of the sites I administer were allegedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache. The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
</BODY>
</HTML>

We were running apache 2.0.52 and php 4.3.9. Have any of you encountered
this before? Also is there anything I should be aware of such as a
possible binary that may have been dropped? Could this have been
accomplished by the upload path traversal vulnerability? Google returns
nothing.


Thanks
-Alex Schultz


--
gentoo-security@gentoo.org mailing list
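The post above describes the two things a defender wants to know first: which files carry the defacement, and which files the web server account could overwrite or drop. The following script is an added example, not code from the thread or from any of the projects mentioned; it is read-only, so it can be run before anything is cleaned up. The marker string is taken from the defaced page quoted above; the document root and the web user (the poster's files were owned by apache) are placeholders to be replaced with the real values.

```shell
#!/bin/sh
# Added example, not code from the thread: a read-only first pass over a
# document root after the defacement described above. MARKER is the string
# from the defaced page; the docroot path and web user passed to triage are
# placeholders for the real path and the account Apache runs as.
MARKER='NeverEverNoSanity WebWorm'

# Print every .php/.html file under $1 whose content carries the marker.
find_defaced() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) \
        -exec grep -lF -- "$MARKER" {} + 2>/dev/null || :
}

# Print every regular file under $1 owned by $2 that its owner can write.
# This is exactly the set a process running as $2 can overwrite, so nothing
# that is meant to stay fixed at run time (code, templates) belongs in it.
find_writable_by() {
    find "$1" -type f -user "$2" -perm -u+w 2>/dev/null || :
}

# Print regular files under $1 owned by $2 and modified in the last 24 hours:
# candidates for dropped scripts or binaries. Worth running on /tmp,
# /var/tmp and /dev/shm as well, which the web user can normally write to.
find_recent_by() {
    find "$1" -type f -user "$2" -mtime -1 2>/dev/null || :
}

# Run the three checks and report; exit status 1 if any defaced file exists.
triage() {
    docroot=$1
    webuser=$2
    defaced=$(find_defaced "$docroot")
    echo "== files carrying the defacement marker =="
    printf '%s\n' "${defaced:-(none)}"
    echo "== files $webuser could overwrite =="
    printf '%s\n' "$(find_writable_by "$docroot" "$webuser")"
    echo "== files owned by $webuser changed in the last 24h =="
    printf '%s\n' "$(find_recent_by "$docroot" "$webuser")"
    [ -z "$defaced" ]
}

# Usage with placeholder values:  triage /path/to/docroot apache
```

The second list is the one to act on once the site is restored: files the web server only needs to read should be owned by a deploy account rather than by the web user, and only genuine upload or cache directories should remain writable by it, so that the next code-execution bug in a PHP application cannot rewrite the site.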
Re: Possible apache2/php 4.3.9 worm
Alex Schultz wrote:
> Some of the sites I administer were allegedly hit by a worm last night.
> It overwrote all .php/.html files that were owner writable and owned by
> apache. The worm put the following html in place of what was there:
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML>
> <HEAD>
> <TITLE>This site is defaced!!!</TITLE>
> </HEAD>
> <BODY bgcolor="#000000" text="#FF0000">
> <H1>This site is defaced!!!</H1>
> <HR>
> <ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
> </BODY>
> </HTML>
>
> We were running apache 2.0.52 and php 4.3.9. Have any of you encountered
> this before? Also is there anything I should be aware of such as a
> possible binary that may have been dropped? Could this have been
> accomplished by the upload path traversal vulnerability? Google returns
> nothing.

According to http://www.heise.de/security/news/meldung/54504 (in
German), it's an exploit for phpBB - have a look at
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513 for a fix.

--
gentoo-security@gentoo.org mailing list
Re: Possible apache2/php 4.3.9 worm
Try looking at: http://www.gentoo.org/security/en/glsa/glsa-200412-14.xml

That's one possibility; another is that you allow uploads and someone has
uploaded a script that did it. (I have seen it before.)

Check all the settings in php.ini and make the restrictions as tight as possible.

/gymer


> Some of the sites I administer were allegedly hit by a worm last night.
> It overwrote all .php/.html files that were owner writable and owned by
> apache. The worm put the following html in place of what was there:
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML>
> <HEAD>
> <TITLE>This site is defaced!!!</TITLE>
> </HEAD>
> <BODY bgcolor="#000000" text="#FF0000">
> <H1>This site is defaced!!!</H1>
> <HR>
> <ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
> </BODY>
> </HTML>
>
> We were running apache 2.0.52 and php 4.3.9. Have any of you encountered
> this before? Also is there anything I should be aware of such as a
> possible binary that may have been dropped? Could this have been
> accomplished by the upload path traversal vulnerability? Google returns
> nothing.
>
>
> Thanks
> -Alex Schultz
>
>
> --
> gentoo-security@gentoo.org mailing list
>
>


--
Lasse B, Jensen

--
gentoo-security@gentoo.org mailing list
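The reply above says to go through php.ini and tighten it, without naming the settings. The script below is an added example, not code from the thread, that audits a php.ini against a small policy: the directive names (register_globals, allow_url_fopen, display_errors, expose_php, open_basedir, disable_functions) are real PHP 4.x directives, the built-in defaults used for absent directives are PHP's own, and the choice of which values count as weak is this example's policy, not something the thread states. Run it against the php.ini that Apache actually loads (phpinfo() shows its path), not whichever copy happens to be first in the search path.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a php.ini for settings a
# defender would tighten after a web-application compromise. Directive
# names and built-in defaults are PHP's; the policy is this example's own.

# Print the effective value of directive $2 in php.ini $1. Commented-out
# lines (leading ';') are ignored, a trailing '; comment' is stripped, and
# the last occurrence wins, as it does in PHP's own ini processing.
# Prints nothing if the directive is absent.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//'
}

# Report every directive weaker than the policy; the return value is the
# number of findings, so 0 means the file passes.
audit_php_ini() {
    findings=0
    # directive|PHP built-in default, used when the directive is absent
    # (register_globals defaults to Off since PHP 4.2; the others to On).
    for rule in 'register_globals|0' 'allow_url_fopen|1' \
                'display_errors|1' 'expose_php|1'; do
        d=${rule%%|*}
        default=${rule#*|}
        v=$(ini_get "$1" "$d")
        v=$(printf '%s' "${v:-$default}" | tr 'A-Z' 'a-z')
        case "$v" in
            off|0|false|no|none|'""'|"''") ;;   # already off: fine
            *) echo "$d = $v (should be Off)"
               findings=$((findings + 1)) ;;
        esac
    done
    # These two have no safe default: an empty open_basedir lets scripts
    # read anywhere, and an empty disable_functions leaves shell execution
    # available to any injected PHP code.
    for d in open_basedir disable_functions; do
        [ -n "$(ini_get "$1" "$d")" ] || {
            echo "$d is not set"
            findings=$((findings + 1))
        }
    done
    return "$findings"
}

# Usage with a placeholder path:  audit_php_ini /etc/php/apache2-php4/php.ini
```

disable_functions and open_basedir are per-host decisions (an application that legitimately shells out needs an exception), which is why the script only reports them as unset rather than prescribing a list; the four On/Off directives can be turned off on almost any server without breaking the applications it hosts.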
Re: Possible apache2/php 4.3.9 worm
Alex Schultz wrote:
> Some of the sites I administer were allegedly hit by a worm last night.
> It overwrote all .php/.html files that were owner writable and owned by
> apache. The worm put the following html in place of what was there:
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML>
> <HEAD>
> <TITLE>This site is defaced!!!</TITLE>
> </HEAD>
> <BODY bgcolor="#000000" text="#FF0000">
> <H1>This site is defaced!!!</H1>
> <HR>
> <ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
> </BODY>
> </HTML>
>
> We were running apache 2.0.52 and php 4.3.9. Have any of you encountered
> this before? Also is there anything I should be aware of such as a
> possible binary that may have been dropped? Could this have been
> accomplished by the upload path traversal vulnerability? Google returns
> nothing.
>
> Thanks
> -Alex Schultz
>
> --
> gentoo-security@gentoo.org mailing list

The German computer magazine c't just had an article about it on its web
news: http://www.heise.de/newsticker/meldung/54504 (in German)

It refers to http://www.phpbb.de/viewtopic.php?t=73427 (also German) and
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

It is a worm, exploiting a known bug in phpBB.

--
DI. Dr. Klaus Kusche
Email: Klaus.Kusche@inode.at WWW: http://members.inode.at/kusche
Phone @ home: +43 7234 83894
Private address: Buchenweg 15, A-4100 Ottensheim, Austria

--
gentoo-security@gentoo.org mailing list
Re: Possible apache2/php 4.3.9 worm
Hi,

On Tuesday, 21 December 2004 16:32, Alex Schultz wrote:
> Some of the sites I administer were allegedly hit by a worm last night.

[worm stripped]

> We were running apache 2.0.52 and php 4.3.9. Have any of you encountered

Please upgrade your PHP to 4.3.10; there is a big security hole in versions
below it. This might be your problem.

Stefan

PS: This could be a funny xmas with such a worm :-)

--
gentoo-security@gentoo.org mailing list