Topic: Snort is snorting

That's what it is meant to do, of course, and now it has come up with a lot of stuff, an example here:

Generated by BASE v1.3.8 (jodie) on Thu, 17 Jan 2008 23:20:02 +0100

"1", "110", "2008-01-14 23:00:07", "91.149.11.205", "1422", "192.168.0.103", "80", "[nessus/11767] [cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [local/2229] [snort/2229]  WEB-PHP viewtopic.php access"

WEB-PHP? Not me, I'm running punBB (and no backup directories :) ):

"     PunBB 1.2.16 - Check for upgrade
    © Copyright 2002, 2003, 2004, 2005 Rickard Andersson
Environment
    Operating system: Linux
    PHP: 5.1.2 - Show info
    Accelerator: N/A
Database
    MySQL 5.0.22-Debian_0ubuntu6.06.6-log"

but, the name viewtopic.php sounds familiar...

So, is this just a snort in the air, or is it a genuine attack? Can anyone help me out on this?

Re: Snort is snorting

http://www.webservertalk.com/archive253 … 52217.html

Message
WEB-PHP viewtopic.php access

Rule
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;)

Summary
This event is generated when an attempt is made to exploit a known
vulnerability in the php application phpBB.

Impact
Information disclosure possibly leading to serious system compromise.

So, a bot is trying to hack your PunBB forum using a very old phpBB exploit ;)
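Added example, not part of the original posts: a short triage script that parses the rule quoted above and evaluates its only payload test against request targets. The request targets are constructed samples, and plain percent-decoding stands in for Snort's URI normalisation, which is an assumption of this sketch.

```python
import re
from urllib.parse import unquote

# Rule text as quoted in the thread (sid 2229).
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; '
        'uricontent:"viewtopic.php"; reference:bugtraq,7979; '
        'reference:cve,2003-0486; reference:nessus,11767; '
        'classtype:web-application-attack; sid:2229; rev:4;)')

# Constructed request targets, not taken from the poster's logs.
SAMPLES = [
    '/viewtopic.php?id=42',        # ordinary topic view
    '/forum/viewtopic.php?pid=7',  # ordinary post permalink
    '/index.php',
    '/viewforum.php?id=3',
    '/view%74opic.php?id=1',       # same file name, percent-encoded "t"
]

def parse_options(rule):
    """Split a rule's option block into (key, value) pairs, honouring quotes."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = []
    for item in re.findall(r'((?:[^;"\\]|"(?:[^"\\]|\\.)*"|\\.)+);', body):
        key, _, value = item.strip().partition(':')
        opts.append((key.strip(), value.strip().strip('"')))
    return opts

def rule_fires(opts, request_target):
    """True if every uricontent string occurs in the decoded request target."""
    uri = unquote(request_target)  # simplified stand-in for URI normalisation
    needles = [v for k, v in opts if k == 'uricontent']
    return bool(needles) and all(n in uri for n in needles)

def triage(rule, targets):
    """Summarise how specific the rule is and which targets would alert."""
    opts = parse_options(rule)
    payload_tests = [k for k, _ in opts if k in ('content', 'uricontent', 'pcre')]
    return {
        'sid': dict(opts)['sid'],
        'references': [v for k, v in opts if k == 'reference'],
        'payload_tests': len(payload_tests),
        'hits': [t for t in targets if rule_fires(opts, t)],
    }

if __name__ == '__main__':
    for field, value in triage(RULE, SAMPLES).items():
        print(field, '=', value)
```

The rule carries a single payload test, the file name, so every request for viewtopic.php alerts whatever its parameters are and whichever forum software serves it; the alert has to be read together with the full request in the web server's access log.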

Re: Snort is snorting

Thanks for the quick reply!