   VIRUS ALERTS

Perl.Lekbot.B

Original issue date: June 26, 2006

The worm known as Perl.Lekbot.B has been observed in the wild exploiting the phpBB Viewtopic.PHP PHP Script Injection Vulnerability (BID 10701). The worm also opens a backdoor on the compromised system to listen for the remote attacker's commands.

Upon execution, the worm:

  • Searches for new target systems that can be exploited through the “Viewtopic.PHP” PHP Script Injection Vulnerability (BID 10701), using the Google search engine.
  • Downloads a malicious file from an internet server and loads it into the remote /tmp directory by exploiting the web page running phpBB.
  • Opens a backdoor on the compromised system and listens on port 6667 to connect to an IRC server. The remote attacker could issue commands for a DDoS attack, port scanning, executing shell commands or other IRC commands.

Since the worm targets vulnerable phpBB installations, administrators and users are advised to:

  • Keep their antivirus signatures up-to-date.
  • Upgrade to the latest version of phpBB software.
  • Apply appropriate patches to the systems with phpBB web applications running.
  • Make /tmp a non-executable partition (and link /usr/tmp and /var/tmp to it).
  • Block outbound ftp/web traffic from your web server.
  • If possible, run Apache chrooted.
  • Use mod_security.
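
The following is an added example, not part of the CERT-In advisory: a shell check for two of the points above, namely whether the filesystem holding /tmp is mounted noexec and whether any TCP socket on the web server uses port 6667. It assumes a Linux host, a mount table in /proc/mounts format and saved `ss -tan` output; the function names are hypothetical and the sample data is constructed.

```sh
#!/bin/sh
# Added example (not CERT-In code). File inputs keep the checks testable:
# on a live Linux host use /proc/mounts and the saved output of `ss -tan`.

# Print "noexec" or "exec" for the filesystem holding directory $2, given a
# mount table in /proc/mounts format ($1). The longest matching mount point
# wins. Symlinks are not resolved; pass `readlink -f` output for /usr/tmp.
mount_exec_status() {
    awk -v dir="$2" '
        { pre = ($2 == "/") ? "/" : ($2 "/")
          if (index(dir "/", pre) == 1 && length($2) >= best) {
              best = length($2); opts = $4 } }
        END { n = split(opts, o, ",")
              for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1
              print (found ? "noexec" : "exec") }' "$1"
}

# Print "state local peer" for every TCP socket in `ss -tan` output ($1)
# whose local or peer port is 6667, the IRC port named in this advisory.
port_6667_sockets() {
    awk '$1 != "State" && ($4 ~ /:6667$/ || $5 ~ /:6667$/) { print $1, $4, $5 }' "$1"
}

# Constructed sample data (documentation addresses, not from a real host).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_MOUNTS="$WORK/mounts"
SAMPLE_SS="$WORK/ss.txt"
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext3 rw,relatime 0 0
EOF
cat > "$SAMPLE_SS" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
ESTAB  0      0      192.0.2.10:80       203.0.113.5:51234
ESTAB  0      0      192.0.2.10:45322    198.51.100.7:6667
EOF

for d in /tmp /var/tmp; do
    echo "$d: $(mount_exec_status "$SAMPLE_MOUNTS" "$d")"
done
port_6667_sockets "$SAMPLE_SS"
```

In the sample, /var/tmp reports "exec" because it sits on the /var filesystem rather than being linked to /tmp, which is the gap the advisory's /usr/tmp and /var/tmp note addresses.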

References:

http://symantec.com/avcenter/venc/data/perl.lekbot.b.html
http://www.frsirt.com/english/virus/2006/04853
http://www.esecurityplanet.com/alerts/
http://www.securitymob.com/my_smob/alert_info.asp?alert=39236
http://www.securityfocus.com/bid/10701

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003