With all the recent PHP and phpBB vulnerabilities over the last 6 months, it was really just a matter of time before someone released a scanning tool targeting bulletin boards. Several suspicious scans appeared in one of my webserver's logs over the last few nights that look automated (the entire scan lasts about 6 seconds) and appear to be scouring for PHP forums. Here is an example scan:
Code:
X.X.X.X - - [24/Mar/2005:19:51:33 -0500] "GET /forum/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:33 -0500] "GET /phpBB/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:33 -0500] "GET / HTTP/1.1" 200 3852 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /forums/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /phpbb/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /board/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /boards/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /phpBB2/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:35 -0500] "GET /msgboard/ HTTP/1.1" 404 207 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:35 -0500] "GET /foros/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:35 -0500] "GET /portal/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:35 -0500] "GET /discussion/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /nar/ HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /html/forum/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /html/forums/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /Forum/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /Forums/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /bb/ HTTP/1.1" 404 201 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /ugboard/ HTTP/1.1" 404 206 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /ugboards/ HTTP/1.1" 404 207 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /newboard/ HTTP/1.1" 404 207 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /newboards/ HTTP/1.1" 404 208 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /members/phpBB/ HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /members/phpBB2/ HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /members/phpbb/ HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /portal/forum/ HTTP/1.1" 404 211 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /portal/forums/ HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:39 -0500] "GET /bbs/ HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:39 -0500] "GET /bulletinboard/ HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:39 -0500] "GET /bulletinboards/ HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:39 -0500] "GET HTTP/1.1" 400 226 "-" "-"
For those running forums, especially with PHP/phpBB, it's highly recommended to make sure that you're using the most recent versions (for phpBB it's 2.0.13). Any info on the identity of this malware and what actions it takes if a bulletin board is found would be appreciated (especially if someone can get a packet dump of any exploit payloads).
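One way to pick this kind of burst out of an Apache access log, as an added example that is not part of the original post: parse the combined log format, keep only requests whose path contains a forum-style keyword (the names this scan probed for), and flag any client that sends a threshold number of such probes inside a short sliding window. The sample lines below are constructed to mirror the scan above, with 192.0.2.10 as a placeholder scanner address and 198.51.100.7 as a normal forum visitor; the keyword list, the 5-probe threshold and the 30-second window are assumptions to tune for your own site.

```python
"""Flag burst scans for forum/bulletin-board paths in Apache combined logs.

Added example, not code from the original post. The sample log below is
constructed (placeholder addresses from RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Path keywords the scan above guessed at (assumed list; extend as needed).
# A request counts as a "forum probe" when any path segment contains one.
FORUM_KEYWORDS = ("forum", "phpbb", "board", "bbs", "bb", "portal",
                  "discussion", "foros", "msgboard")


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")
    # A well-formed request line is "METHOD PATH PROTOCOL"; anything else
    # (like the trailing `GET HTTP/1.1` that drew a 400) gets path=None.
    rec["path"] = parts[1] if len(parts) == 3 else None
    return rec


def is_forum_probe(path):
    """True when some path segment looks like a forum/bulletin-board guess."""
    if not path:
        return False
    segments = path.lower().split("?", 1)[0].split("/")
    return any(k in seg for seg in segments for k in FORUM_KEYWORDS)


def find_forum_scans(lines, min_probes=5, window_seconds=30):
    """Return {host: (probe_count, not_found_count, span_seconds)} for each
    host whose forum-path probes inside one sliding window reach min_probes.
    The largest qualifying window per host is reported."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_forum_probe(rec["path"]):
            continue
        probes[rec["host"]].append((rec["time"], rec["status"]))

    hits = {}
    for host, events in probes.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # Advance the window start until it spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            if len(window) >= min_probes and (best is None or len(window) > len(best)):
                best = window
        if best:
            not_found = sum(1 for _, status in best if status == 404)
            span = (best[-1][0] - best[0][0]).total_seconds()
            hits[host] = (len(best), not_found, span)
    return hits


# Constructed sample: a scanner burst plus a benign visitor browsing a forum.
UA = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [24/Mar/2005:19:51:33 -0500] "GET /forum/ HTTP/1.1" 404 204 "-" "{UA}"',
    f'192.0.2.10 - - [24/Mar/2005:19:51:33 -0500] "GET /phpBB/ HTTP/1.1" 404 204 "-" "{UA}"',
    f'192.0.2.10 - - [24/Mar/2005:19:51:33 -0500] "GET / HTTP/1.1" 200 3852 "-" "{UA}"',
    f'192.0.2.10 - - [24/Mar/2005:19:51:34 -0500] "GET /forums/ HTTP/1.1" 404 205 "-" "{UA}"',
    f'192.0.2.10 - - [24/Mar/2005:19:51:34 -0500] "GET /board/ HTTP/1.1" 404 204 "-" "{UA}"',
    f'192.0.2.10 - - [24/Mar/2005:19:51:36 -0500] "GET /html/forum/ HTTP/1.1" 404 209 "-" "{UA}"',
    f'192.0.2.10 - - [24/Mar/2005:19:51:38 -0500] "GET /members/phpBB/ HTTP/1.1" 404 212 "-" "{UA}"',
    '192.0.2.10 - - [24/Mar/2005:19:51:39 -0500] "GET HTTP/1.1" 400 226 "-" "-"',
    '198.51.100.7 - - [24/Mar/2005:20:15:02 -0500] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 8120 "http://example.org/forum/" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2005:20:15:09 -0500] "GET /forum/style.css HTTP/1.1" 200 1402 "http://example.org/forum/" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for host, (count, nf, span) in find_forum_scans(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {count} forum probes ({nf} x 404) in {span:.0f}s")
```

The benign visitor also touches `/forum/`, but two requests seven seconds apart never reach the threshold, while the scanner's six distinct guesses in five seconds do; the high 404 ratio in the flagged window is the second signal worth keeping, since a real user rarely strings together that many misses. Running this over a day's log from a cron job, or feeding the flagged hosts to a firewall rule, is the obvious next step.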