On Dec 23, 2004, at 2:30 AM, Pádraic Brady wrote:
Recently a worm has been assailing the web (using
Google to search out
new victims). I had MediaWiki installed alongside phpBB on PHP 4.3.9.
After PHP released 4.1.10 (which was duly installed by my host) the
worm began making the rounds. phpBB was the primary target - luckily
phpBB released a patched version to block any potential attack by the
worm.
phpBB release a patched version over a month ago. :P AFAIK there's not
a specific PHP vulnerability related to the worm (though there are
other problems w/ 4.3.9).
Unfortunately even with PHP 4.1.10, and the new phpBB
- MediaWiki is
being hit hard. It's the only PHP application effected on my server.
Here's the worm's message which it leaves behind:
This site is defaced!!!
NeverEverNoSanity WebWorm generation 25.
[pear_error: message="Template function
'tpl_0_7_0_d709070e8418c9bc7d313434ecea7226' not found (template
source : /home/groups/e/es/esun/htdocs/wiki/templates/xhtml_slim.pt"
code=0 mode=return level=notice prefix="" info=""]
It looks like the compiled template file was corrupted by the phpBB
worm. Normally the file contains a function definition: when the
function is called it writes out the HTML template. When hacked, it
prints out the hack text at the time it's included, and then there's no
function to call and you get the error message above.
Assuming the vulnerable sites on the server have been removed, you
should be able to clean this up: remove the file (normally in /tmp,
named something like tpl_0_7_0_d709070e8418c9bc7d313434ecea7226.php)
and let it be regenerated.
If vulnerable phpBB isntallations remain on your server, it may just
get corrupted again. Switch the default skin to the old 'standard' one
which doesn't require the template, and change any
'apache'/'nobody'-owned or -writable files to your own account and
non-world-writable until it's cleaned up.
-- brion vibber (brion @
pobox.com)