Mailing List Archive: Gentoo: Security

Possible apache2/php 4.3.9 worm

Index | Next | Previous | View Threaded

aschultz at echo-inc

Dec 21, 2004, 8:32 AM

Post #1 of 5 (724 views)
Permalink

Possible apache2/php 4.3.9 worm

Some of the sites I administer were alledgedly hit by a worm last night.
It overwrote all .php/.html files that were owner writable and owned by
apache. The worm put the following html in place of what was there:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
</BODY>
</HTML>

We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
this before? Also is there anything I should be aware of such as a
possible binary that may have been dropped? Could this have been
accomplised by the upload path traversal vulnerability? Google returns
nothing.

Thanks
-Alex Schultz

--
gentoo-security [at] gentoo mailing list

peter.hinse at web

Dec 21, 2004, 8:45 AM

Post #2 of 5 (695 views)
Permalink

Re: Possible apache2/php 4.3.9 worm [In reply to]

Alex Schultz wrote:
> Some of the sites I administer were alledgedly hit by a worm last night.
> It overwrote all .php/.html files that were owner writable and owned by
> apache. The worm put the following html in place of what was there:
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML>
> <HEAD>
> <TITLE>This site is defaced!!!</TITLE>
> </HEAD>
> <BODY bgcolor="#000000" text="#FF0000">
> <H1>This site is defaced!!!</H1>
> <HR>
> <ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
> </BODY>
> </HTML>
>
> We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
> this before? Also is there anything I should be aware of such as a
> possible binary that may have been dropped? Could this have been
> accomplised by the upload path traversal vulnerability? Google returns
> nothing.

According to http://www.heise.de/security/news/meldung/54504 (in
German), it's an exploit for phpBB - have a look at
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513 for a fix.

--
gentoo-security [at] gentoo mailing list

gymer at odense

Dec 21, 2004, 8:45 AM

Post #3 of 5 (689 views)
Permalink

Re: Possible apache2/php 4.3.9 worm [In reply to]

Try looking at: http://www.gentoo.org/security/en/glsa/glsa-200412-14.xml

Thats one possibility, another is that you allow upload and someone have
uploaded a script at that did it. (I have seen it before).

Check all the setting in php.ini and make restriction as thight as possible

/gymer

> Some of the sites I administer were alledgedly hit by a worm last night.
> It overwrote all .php/.html files that were owner writable and owned by
> apache. The worm put the following html in place of what was there:
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML>
> <HEAD>
> <TITLE>This site is defaced!!!</TITLE>
> </HEAD>
> <BODY bgcolor="#000000" text="#FF0000">
> <H1>This site is defaced!!!</H1>
> <HR>
> <ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
> </BODY>
> </HTML>
>
> We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
> this before? Also is there anything I should be aware of such as a
> possible binary that may have been dropped? Could this have been
> accomplised by the upload path traversal vulnerability? Google returns
> nothing.
>
>
> Thanks
> -Alex Schultz
>
>
> --
> gentoo-security [at] gentoo mailing list
>
>

--
Lasse B, Jensen

--
gentoo-security [at] gentoo mailing list

klaus.kusche at inode

Dec 21, 2004, 8:47 AM

Post #4 of 5 (691 views)
Permalink

Re: Possible apache2/php 4.3.9 worm [In reply to]

Alex Schultz wrote:
> Some of the sites I administer were alledgedly hit by a worm last night.
> It overwrote all .php/.html files that were owner writable and owned by
> apache. The worm put the following html in place of what was there:
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML>
> <HEAD>
> <TITLE>This site is defaced!!!</TITLE>
> </HEAD>
> <BODY bgcolor="#000000" text="#FF0000">
> <H1>This site is defaced!!!</H1>
> <HR>
> <ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>
> </BODY>
> </HTML>
>
> We were running apache 2.0.52 and php 4.3.9. Have any of you encounted
> this before? Also is there anything I should be aware of such as a
> possible binary that may have been dropped? Could this have been
> accomplised by the upload path traversal vulnerability? Google returns
> nothing.
>
> Thanks
> -Alex Schultz
>
> --
> gentoo-security [at] gentoo mailing list

The german computer magazine c't just had an article about it on its web
news: http://www.heise.de/newsticker/meldung/54504 (in German)

It refers to http://www.phpbb.de/viewtopic.php?t=73427 (also German) and
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

It is a worm, exploiting a known bug in phpBB.

--
DI. Dr. Klaus Kusche
Email: Klaus.Kusche [at] inode WWW: http://members.inode.at/kusche
Phone @ home: +43 7234 83894
Private address: Buchenweg 15, A-4100 Ottensheim, Austria

--
gentoo-security [at] gentoo mailing list

gentoo at triller-online

Dec 21, 2004, 8:59 AM

Post #5 of 5 (691 views)
Permalink

Re: Possible apache2/php 4.3.9 worm [In reply to]

Hi,

Am Dienstag, 21. Dezember 2004 16:32 schrieb Alex Schultz:
> Some of the sites I administer were alledgedly hit by a worm last night.

[worm stripped]

> We were running apache 2.0.52 and php 4.3.9. Have any of you encounted

Please upgrade your PHP to 4.3.10 there is a big security hole in versions
below. This might be your problem.

Stefan

PS: This could be a funny xmas with such a worm :-)

--
gentoo-security [at] gentoo mailing list

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads