
SANS ISC: Phpbb include vuln scanning, via Google, generating new IRC botnet SANS ISC InfoSec Forums

Phpbb include vuln scanning, via Google, generating new IRC botnet
We have received two reports of systems being exploited via a phpbb include vulnerability, after which a "new" IRC bot is installed. Please update your files now. Phpbb forum support guru "Techie-Micheal" points out that "running update_to_latest.php on their install only updates the database (and is clearly stated in the documentation), files need to be updated separately for which there are several methods".

The scanning is for phpbb versions 2.0.10 and under. The latest version of phpbb is 2.0.18.

Micheal also notes: "In past bots, the bots would run as an "SSL'ed Apache". This one is a bit different: my $processo = '/usr/local/firewall';"

The new IRC bot scans for vulnerable systems using Google. When successful, it announces that "oopz and sirh0t and Aleks g0t pwned u!". It also has UDP flooding and UDP/ICMP/TCP scanning capabilities.
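One way to check a Linux host for the process-name trick Micheal describes, added here as an example (it is not part of the original diary or of the bot's code). It assumes the bot uses the `$processo` string as its process title, as the earlier bots did with Apache; the function names, the interpreter list and the sample records are constructed for illustration.

```python
import os
import re

# Assumption: interpreters worth checking; a Perl script retitles itself by assigning to $0.
INTERP = re.compile(r"^(perl|python|php|ruby|sh|bash|dash)[\d.]*$")

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob; rewritten titles are often padded
    with NULs or spaces, so padding and empty fields are dropped."""
    return [f.decode("utf-8", "replace").strip() for f in raw.split(b"\0") if f.strip()]

def masquerade_reason(exe, raw_cmdline):
    """Return why the advertised name contradicts the real binary, or None."""
    argv = parse_cmdline(raw_cmdline)
    if not exe or not argv:
        return None  # kernel thread, or a process we are not allowed to inspect
    real = os.path.basename(exe.replace(" (deleted)", ""))
    claimed = argv[0]
    if not INTERP.match(real):
        return None  # native binary: daemon-style titles are out of scope here
    if not claimed.startswith("/") or INTERP.match(os.path.basename(claimed)):
        return None  # ordinary script launch: argv[0] still names an interpreter
    return f"runs {real} but advertises itself as {claimed}"

def scan_proc(proc="/proc"):
    """Yield (pid, reason) for every live process that trips the check (Linux only)."""
    for pid in filter(str.isdigit, os.listdir(proc) if os.path.isdir(proc) else []):
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or belongs to another user
        reason = masquerade_reason(exe, raw)
        if reason:
            yield int(pid), reason

# Constructed sample records (exe link target, raw cmdline), not captured from a real host.
SAMPLES = {
    "bot-like": ("/usr/bin/perl", b"/usr/local/firewall\0\0\0\0"),
    "perl script": ("/usr/bin/perl", b"/usr/bin/perl\0/opt/app/report.pl\0"),
    "sh via dash": ("/usr/bin/dash", b"/bin/sh\0/etc/cron.daily/logrotate\0"),
    "real daemon": ("/usr/sbin/sshd", b"sshd: /usr/sbin/sshd -D\0"),
}

if __name__ == "__main__":
    for name, (exe, raw) in SAMPLES.items():
        print(f"{name:12} {masquerade_reason(exe, raw)}")
    for pid, reason in scan_proc():
        print(pid, reason)
```

Run it as root so that `/proc/<pid>/exe` is readable for every process. A hit is a lead to investigate, not proof of compromise.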

Responsible parties have been notified and acknowledged the issues.

Thanks Micheal, Reg, and anonymous!


#Shellbot by sirh0t & oopz a.k.a zer-0-day and Aleks PRIVATE!

my $processo = '/usr/local/firewall';

use IO::Socket;
use IO::Handle;
use Socket;
use IO::Select;

}      } else {
           if ($funcarg =~ /^portscan (.*)/) {
             $hostip="$1";
             @portas=("21","23","25","80","113","135","445","1[...]
             [...]0","6660","6661","6662","6663","6665","6666","6667","[...]
             [...],"7000","8080");

Nov 10th 2005
