showthread attack attempt?

**Floris** · Fri 24 Dec '04, 12:48pm

If you are not running vBulletin 3.0.3 I suggest to upgrade.
I don't know for which version that worm exploit is.
If you allow HTML for users in private msgs, posts, signatures, etc .. turn it off.
Change your admin & staff account passwords. Add .htaccess directory password protection to your admincp/ and modcp/ directories.

**tamarian** · Fri 24 Dec '04, 1:36pm

Originally posted by Floris

If you are not running vBulletin 3.0.3 I suggest to upgrade.
I don't know for which version that worm exploit is.
If you allow HTML for users in private msgs, posts, signatures, etc .. turn it off.
Change your admin & staff account passwords. Add .htaccess directory password protection to your admincp/ and modcp/ directories.

We're fine version wise.

However, this seems to be an agressive worm, as I'm getting many such hits, from various IP's.

Just checking if others noticed this in their logs. The worm seems to traverse different php files, even non vB, so it must be a bot of some sort.

**Floris** · Fri 24 Dec '04, 1:40pm

It could be that phpBB worm thinking your forum is phpBB

**Scott MacVicar** · Fri 24 Dec '04, 1:53pm

Its actually just someone scanning for an exploit, they pass in a big long chain of commands to every paramater and then monitor the url to see if anything actually loads it, if so then they've found a vulnerable system.

I'd ban the IP that its originating from and possibly notify the server owner as it may be a compromised system thats doing it.

**Floris** · Fri 24 Dec '04, 1:55pm

There are 250+ worms trying vbulletin.com right now

**Steve Machol** · Fri 24 Dec '04, 1:59pm

You should share that IP address so tohers can ban it as well.

**Zachery** · Fri 24 Dec '04, 2:10pm

My own server was attacked, however someone on my server is running phpbb but it is the latest we still were attacked somehow :/

**Streicher** · Fri 24 Dec '04, 3:29pm

I have also found several attacks on our server. It is our own server and no phpbb is running. Only IP Adress is from ibm.com and found another one. There are maybe more. If I open the IP with my browser I get "spykids ownz your server".

They are using: lwp-trivial/1.36 and LWP::Simple/5.69

They are also trying the forumarchive.

**Floris** · Fri 24 Dec '04, 3:31pm

Those are compromised servers trying to attack & infect more servers (hence why they are called worms).

**Streicher** · Fri 24 Dec '04, 3:48pm

The attacks starts at 22.00 GMT +1. Since then our logs have entries for every second. I am trying to block the useragent with htaccess.

**tamarian** · Fri 24 Dec '04, 4:43pm

For those who want them, here are the IP's so far in my logs

66.195.243.169
65.218.1.33
66.98.130.11
62.173.67.69
67.19.176.50
66.194.153.19
70.84.28.36
66.98.246.86
202.177.16.60
70.84.3.4
202.177.16.60
70.84.3.4
202.167.234.151
209.51.138.226
66.227.8.82
207.44.238.19
217.160.177.230
69.93.20.146
207.44.238.19
65.98.56.138
206.123.74.180
66.78.4.130
69.44.153.30
67.18.93.194

**Scott MacVicar** · Fri 24 Dec '04, 5:01pm

It appears to be some people trying to build a botnet, all of those IP's are from compromised servers.

http://www.infernonix.com/bot.GIF

I joined IRC and had a look about.

**Scott MacVicar** · Fri 24 Dec '04, 5:13pm

Had a look at the worm, its generic.

$procura = 'inurl:*.php?*=' . $numr;

so its not going to affect us though you might see alot of extra traffic going about, nothing we can really do about that.

**AWS** · Fri 24 Dec '04, 5:50pm

Worm located at http://www.visualcoders.net/spy.gif.
The coding leaves much to be desired. I saw 3 errors in the perl code so even if they were successful in writing the files to your server the perl script would error out.
You know the thing that bothers me is that someone will code a worm that will work and exploit one of the holes in php. There are many unpatched boxes and a worm that exploits them could shutdown many sites.

showthread attack attempt?

showthread attack attempt?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment