New variant against phpBB2?

From: Mister Coffee (live4javastormcenter.net)
Date: Mon Apr 25 2005 - 15:16:53 CDT


Ran into some unusual behavior the other day on one of the servers I
maintain. Checking through the logs and files I encountered some hits
that looked remarkably like the phpBB2 exploits that have been in
circulation, and a directory in /var/tmp called /var/tmp/.sgurz which
had 36 files named boink.nn (boink through boink.36). The files
appeared to be very slight variants on the same worm.

Eg:

Variant 1:
#############################################################
# Developed by br0k3d #
# For educational purpose only #
# Based ( almost ripped ) at ASW Worm! #
# Just made it fo study perl ;) #
# 2nd Version - Fuckz Google #
# => br0k3dgmail.com <= #
#############################################################

Variant 2:
#############################################################
# Developed by br0k3d #
# For educational purpose only #
# Based ( almost ripped ) at ASW Worm! #
# Just made it fo study perl ;) #
# 2nd Version - Fuckz Google #
# 3rd Version - modernbill version (was phpbb) from tillo #
# => you can find me <= #
#############################################################

Cleanup was straightforward. The system was infected for about 12 hours
before it was noticed and eradicated. All files were dropped in
/var/tmp and the site that was hosting the worm source was off the air
by the time I found the infection. I'm curious if anyone's seen this
variant in the wild.

Cheers,
L4J
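The two artefacts the post describes, a hidden directory under /var/tmp holding files named boink, boink.1, ... and web-server hits resembling the phpBB2 exploits, can be hunted for with a short shell script. The script below is an added example, not code from the post or from the worm; the /var/tmp fixture and the log lines are constructed sample data, and the request pattern it greps for (an encoded quote inside the viewtopic.php "highlight" parameter, which is what the phpBB2 worms of that period sent) is an assumption, since the post does not name the pattern it saw.

```shell
#!/bin/sh
# Added example: hunt for a /var/tmp dropper directory and phpBB2-style
# exploit hits. Not from the original post; fixtures are constructed.

# find_dropper_dirs DIR: print "<hidden dir> <count>" for every hidden
# directory directly under DIR that holds files named boink or boink.<n>.
find_dropper_dirs() {
    dir=$1
    for d in "$dir"/.[!.]* "$dir"/..?*; do
        [ -d "$d" ] || continue
        n=0
        for f in "$d"/boink "$d"/boink.[0-9]*; do
            if [ -f "$f" ]; then n=$((n + 1)); fi
        done
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$d" "$n"
        fi
    done
}

# suspicious_phpbb_hits LOGFILE: print access-log lines whose viewtopic.php
# "highlight" parameter carries a single- or double-encoded quote.
# Assumption: this is the pattern the phpBB2 worms used; the post itself
# does not say what its log hits looked like.
suspicious_phpbb_hits() {
    grep -iE 'viewtopic\.php\?[^ ]*highlight=[^ ]*%(25)?27' "$1"
}

# make_tmp_fixture: build a constructed stand-in for /var/tmp (sample data)
# with one infected hidden directory, one benign hidden directory and one
# visible directory, and print its path.
make_tmp_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/.sgurz" "$base/.X11-unix" "$base/visible"
    i=1
    while [ "$i" -le 36 ]; do
        : > "$base/.sgurz/boink.$i"
        i=$((i + 1))
    done
    : > "$base/visible/boink.1"   # not hidden, so not reported
    printf '%s\n' "$base"
}

# make_log_fixture: write constructed access-log lines (two exploit-style
# hits, one normal search, one unrelated request) and print the file name.
make_log_fixture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
192.0.2.10 - - [25/Apr/2005:03:12:44 -0500] "GET /forum/viewtopic.php?t=12&highlight=%2527%252Esystem(chr(119)) HTTP/1.1" 200 5123
192.0.2.11 - - [25/Apr/2005:03:13:02 -0500] "GET /forum/viewtopic.php?t=9&highlight=perl HTTP/1.1" 200 4880
192.0.2.12 - - [25/Apr/2005:03:14:19 -0500] "GET /forum/viewtopic.php?p=77&highlight=%27.passthru(chr(119)).%27 HTTP/1.1" 200 5011
192.0.2.13 - - [25/Apr/2005:03:15:40 -0500] "GET /index.php HTTP/1.1" 200 2210
EOF
    printf '%s\n' "$f"
}

# On a real host: sh hunt.sh /var/tmp /var/log/apache2/access.log
if [ "$#" -ge 1 ]; then
    find_dropper_dirs "$1"
    if [ "$#" -ge 2 ]; then
        suspicious_phpbb_hits "$2"
    fi
fi
```

Run it with the paths of the real temp directory and access log; on the constructed fixture it reports the .sgurz directory with its 36 files and the two exploit-style requests, and nothing for the benign search or the non-hidden directory.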
