Requests that try to make use of the old phpBB highlight bug are showing up from time to time - that's just the normal background noise on a website these days. However, over the last couple of days, the number of requests trying those exploits has risen sharply. On geeklog.net (where we don't even run phpBB, thank you very much), I'm counting over 350 of these requests in the last 12 hours. I wonder where they are all coming from just now?
The original phpBB highlight bug become famous due to the so-called "Santy" worm that roamed the web back in December 2004. It infected unpatched phpBB installs and spread from there by using Google (and, in later incarnations, other seach engines) to find other sites running phpBB. Other bugs related to phpBB's highlighting code were found later, but never led to such a massive amount of traffic again.
I've seen minor waves of these exploits over the years, but this new one makes me wonder. Is there a new, unknown problem in phpBB or is this just someone trying to find the last unpatched phpBB installs out there? The requests are coming from all over the place, it seems, and on average, there seem to be only two requests coming from each IP address involved (359 requests, coming from 170 distinct IP addresses at the time I'm writing this).
Well, I just tried out one of the IP addresses, which happened to be located in Germany, and it's a company running phpBB 2.0.10. Which is the phpBB version that was current at the time of the original exploit - and this company didn't think it necessary to update their site. Thanks guys, great job - not!
Okay, this seems to answer my above question - as long as there are that many incompetent webmaster out there, it's easy for the bad guys to make use of it. Which still leaves the question: Why now?
Comments (0)
Damn Spam!
http://spam.tinyweb.net/article.php/return-of-the-phpbb-highligth-exploit