Subject: Re: [SLE] Is this for real?
On Saturday 25 December 2004 10:03, Anders Norrbring wrote:
Does anybody have any ideas on this e-mail? My admin inbox was full of these e-mails this morning; I don't know if they're for real or what... Can someone please advise? There is one phpBB running on the server...
Are you running phpBB? If so, I'd get it upgraded. There is a worm running around that attacks a bug in it.
Yep, one of my hosting clients has a phpBB up and running, or more correctly, HAD it up and running. I killed it for now. I posted in the phpBB forums too; it's a vulnerability in PHP and phpBB that allows a worm named Perl.Santy to exploit the server. Related reading: http://news.zdnet.com/2100-1009_22-5499725.html?tag=nl.e589 I took his site offline and moved all his files out to tape for the time being; if my client can't fix it, he's out of the system... Thanks anyway, and have a great rest of the holidays! Anders Norrbring Norrbring Consulting
HEADERS:
Return-Path:
Received: from mail.the-server.net ([unix socket]) by iris (Cyrus v2.1.15) with LMTP; Sat, 25 Dec 2004 00:50:24 +0100
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1]) by mail.the-server.net (Postfix) with ESMTP id D8D11CA8E; Sat, 25 Dec 2004 00:50:23 +0100 (CET)
Received: from mail.the-server.net ([127.0.0.1]) by localhost (iris [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 13131-05-2; Sat, 25 Dec 2004 00:48:50 +0100 (CET)
Received: by mail.the-server.net (Postfix, from userid 30) id 00F16C874; Sat, 25 Dec 2004 00:48:48 +0100 (CET)
Date: Sat, 25 Dec 2004 00:48:48 +0100
To: postmaster, hostmaster, abuse, admin, root
Subject: YOUR SERVER HAS BEEN HACKED
Message-ID: <41CCAAE0.mailC4S112L68@iris.the-server.net>
User-Agent: nail 10.5 4/27/03
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: wwwrun (WWW daemon apache)
X-Virus-Scanned: by Kaspersky, NOD32 & F-Secure at the-server.net

MESSAGE BODY:
YOUR SERVER HAS BEEN OWNED VIA PHPBB, PLEASE UPGRADE PHP AND PHPBB IMMEDIATELY
-- Powered by SuSE 9.2 Kernel 2.6.8 KDE 3.3.0 Kmail 1.7.1 For Mondo/Mindi backup support go to http://www.mikenjane.net/~mike 11:23am up 1:28, 3 users, load average: 2.75, 3.30, 3.38
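The pasted header chain is what settles the "is this for real?" question. Received: hops are prepended as a message moves, so the last one is the origin, and here it reads "by mail.the-server.net (Postfix, from userid 30)" with no sending client at all. That is how Postfix stamps mail handed to its local sendmail(1) binary by a process on the box, and the From: line shows userid 30 is wwwrun, the Apache account. The notice was therefore generated on the server itself by something running as the web server, not mailed in from outside, which a spoofed scare-mail could not fake. The Python below is an added example, not code from the thread: it parses a header block like the one above, picks out the origin hop and classifies it as local submission or network delivery, and resolves the UID against passwd text. The passwd lines, the spoofed-notice counter-example and the helper names are constructed for illustration.

```python
"""Triage a 'YOUR SERVER HAS BEEN HACKED' notice from its Received: chain."""
import re
from email import message_from_string

# Postfix stamps mail submitted through its local sendmail(1) binary as
# "by <host> (Postfix, from userid <N>)" with no "from <client>" clause.
LOCAL_SUBMIT_RE = re.compile(
    r"^by\s+(?P<host>\S+)\s+\((?P<mta>[^,)]+),\s+from userid\s+(?P<uid>\d+)\)"
)
# A hop that arrived over SMTP/LMTP names the sending client first.
NETWORK_HOP_RE = re.compile(r"^from\s+(?P<client>\S+)\s+\((?P<helo>[^)]*)\)")

# Constructed sample: the headers from the thread, one header per line.
SANTY_NOTICE = """Return-Path:
Received: from mail.the-server.net ([unix socket]) by iris (Cyrus v2.1.15) with LMTP; Sat, 25 Dec 2004 00:50:24 +0100
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1]) by mail.the-server.net (Postfix) with ESMTP id D8D11CA8E; Sat, 25 Dec 2004 00:50:23 +0100 (CET)
Received: from mail.the-server.net ([127.0.0.1]) by localhost (iris [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 13131-05-2; Sat, 25 Dec 2004 00:48:50 +0100 (CET)
Received: by mail.the-server.net (Postfix, from userid 30) id 00F16C874; Sat, 25 Dec 2004 00:48:48 +0100 (CET)
Date: Sat, 25 Dec 2004 00:48:48 +0100
To: postmaster, hostmaster, abuse, admin, root
Subject: YOUR SERVER HAS BEEN HACKED
User-Agent: nail 10.5 4/27/03
From: wwwrun (WWW daemon apache)
"""

# Constructed counter-example: same text, but delivered from an outside host.
SPOOFED_NOTICE = """Received: from mail.the-server.net ([unix socket]) by iris (Cyrus v2.1.15) with LMTP; Sat, 25 Dec 2004 01:10:00 +0100
Received: from smtp.example.net (smtp.example.net [192.0.2.10]) by mail.the-server.net (Postfix) with ESMTP id 0BADF00D; Sat, 25 Dec 2004 01:09:58 +0100 (CET)
Subject: YOUR SERVER HAS BEEN HACKED
From: wwwrun (WWW daemon apache)
"""

# Constructed /etc/passwd excerpt; wwwrun is uid 30 on SuSE 9.x.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
"""

WEB_ACCOUNTS = {"wwwrun", "www-data", "apache", "httpd"}


def parse_passwd(passwd_text):
    """Map numeric UID -> login name from /etc/passwd-style text."""
    uids = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids[int(fields[2])] = fields[0]
    return uids


def classify_origin(raw_headers, passwd_text=""):
    """Return a dict describing where the message entered the mail system."""
    msg = message_from_string(raw_headers)
    hops = msg.get_all("Received") or []
    result = {
        "from_header": msg.get("From", ""),
        "user_agent": msg.get("User-Agent", ""),
        "hop_count": len(hops),
        "origin": None,
        "uid": None,
        "uid_name": None,
        "client": None,
        "web_server_uid": False,
        "verdict": "unknown",
    }
    if not hops:
        return result
    origin = " ".join(hops[-1].split())  # earliest hop, folding collapsed
    result["origin"] = origin
    m = LOCAL_SUBMIT_RE.match(origin)
    if m:
        uid = int(m.group("uid"))
        result["uid"] = uid
        result["uid_name"] = parse_passwd(passwd_text).get(uid)
        result["web_server_uid"] = result["uid_name"] in WEB_ACCOUNTS
        # Mail injected locally by a process: the sender ran code on this host.
        result["verdict"] = "local-submission"
        return result
    m = NETWORK_HOP_RE.match(origin)
    if m:
        result["client"] = m.group("client")
        result["verdict"] = "network"
    return result


if __name__ == "__main__":
    for name, hdrs in (("thread notice", SANTY_NOTICE), ("spoofed", SPOOFED_NOTICE)):
        r = classify_origin(hdrs, SAMPLE_PASSWD)
        print(name, r["verdict"], r["uid"], r["uid_name"], r["client"])
```

A "local-submission" verdict with a web-server UID is the case to treat as a confirmed compromise: whatever sent the mail already had command execution as the Apache user, so the priority is isolating the host and preserving logs, not debating the e-mail. A "network" verdict only says the claim arrived from outside and proves nothing either way.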