SANS: phpBB bots/worms

If you run phpBB, you are probably familiar with bots attempting to attack your sites. Typically, you will find entries in your web log like the following:

viewtopic.php? [...] &\1highlight=%2527%252esystem(chr(99)%252echr [...]

I omitted the long string of URL-encoded hex characters. If you run phpBB, grep your Apache access log for 'viewtopic.php', 'highlight' and 'system':

grep viewtopic < access_log | grep highlight | grep system

The part you are interested in is what the bot is trying to execute through the "system" call. To decode it quickly, use PHP's "urldecode" function. Note that the value is URL encoded twice (%2527 is %27, a single quote; %252e is %2e, a period), so you have to decode it twice before the chr() sequence becomes readable.
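The same decoding done in Python instead of PHP, as an added example that is not part of the original diary. The log line is constructed for illustration (the payload spells "cd /tmp;ls"); the function and pattern names are the example's own. It pulls the highlight= value out of an access_log line, undoes both layers of URL encoding, and turns the chr() concatenation inside system(...) back into the command string the bot wanted to run.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access_log line (not from the diary). The command
# is built from chr() calls, so the raw line contains no readable plain text.
SAMPLE_LOG = (
    '192.0.2.10 - - [01/Dec/2004:13:37:00 +0000] "GET /forum/viewtopic.php?t=42'
    '&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)'
    '%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(108)%252echr(115))'
    '%252e%2527 HTTP/1.1" 200 1234 "-" "Mozilla/4.0"'
)

# highlight= value as it appears in the request line (stops at & , space or quote)
HIGHLIGHT_RE = re.compile(r'viewtopic\.php\?[^ "]*?highlight=([^& "]+)')
# one chr(NNN) call
CHR_RE = re.compile(r'chr\((\d{1,3})\)')


def extract_highlight(line):
    """Return the raw, still-encoded highlight= value from a log line, or None."""
    m = HIGHLIGHT_RE.search(line)
    return m.group(1) if m else None


def double_decode(value):
    """Undo both encoding layers: %2527 -> %27 -> ' and %252e -> %2e -> ."""
    return unquote(unquote(value))


def recover_command(decoded):
    """Rebuild the string passed to system() from its chr(N).chr(N)... pieces.

    Returns None when the decoded value contains no system( call.
    """
    m = re.search(r'system\((.*)\)', decoded)
    if not m:
        return None
    return ''.join(chr(int(n)) for n in CHR_RE.findall(m.group(1)))


def decode_log_line(line):
    """Full pipeline for one access_log line: command string or None."""
    raw = extract_highlight(line)
    if raw is None:
        return None
    return recover_command(double_decode(raw))


if __name__ == '__main__':
    print(double_decode(extract_highlight(SAMPLE_LOG)))
    print(decode_log_line(SAMPLE_LOG))
```

Feed it the output of the grep above, one line at a time, to see what each bot attempted; a None result means the line matched the grep but did not carry a chr()-encoded system() call in the highlight parameter.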

