Virus Profile: Perl/Exploit-Sqlinject

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/22/2003
Date Added: 12/22/2003
Origin: Russia
Length: 2857
Type: Trojan
Subtype: Exploit
DAT Required: 4312
Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

  • Presence of the exploit file described under Virus Characteristics (a 2857-byte Perl script, typically named "r57phpbb-poc.pl")
  • Compromised MySQL environment behind a phpBB installation
  • Unusual HTTP traffic on TCP port 80, for example requests to the phpBB folder at unusual times; because port 80 traffic is so common, this is hard to distinguish from normal use

Methods of Infection

This detection covers exploit code, not a self-replicating program. The script is run manually by an attacker against a remote phpBB installation; it does not install itself on the victim and spreads only by being passed around, as described under Virus Characteristics.

Virus Characteristics

The detection was added to cover malicious exploit code that was being circulated on certain security-related mailing lists. The exploit code itself was attached to that same e-mail.

The exploit file in question is a Perl script named "r57phpbb-poc.pl" (the name may vary); its file size is 2857 bytes.

The Perl script targets phpBB installations backed by MySQL version 4 or later. Besides the target server's IP address, the script can be pointed more specifically at a target folder (such as the phpBB directory) and a target user id; the default is 2, the phpBB administrator account.

Test connections are made as HTTP GET requests against the target folder over TCP port 80. If the exploit succeeds, it returns the MD5 hash stored for the targeted user on the vulnerable system.
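Because the exploit's requests are ordinary port-80 GETs, the practical way to spot them is to look at the query strings in the web server's access log rather than at the traffic volume. The following scanner is an added example for this profile, not McAfee's or the exploit author's code. It assumes combined-format access logs and a phpBB folder of /phpBB2/, and the log lines and injection payloads in it are constructed for illustration; the actual request format of r57phpbb-poc.pl is not given on this page and is not reproduced here. The indicator patterns are generic MySQL injection markers, so the scanner also catches other SQL-injection probes against the same folder.

```python
"""Scan access-log lines for SQL-injection probes aimed at a phpBB folder.

Added example for the Perl/Exploit-Sqlinject profile; not McAfee's or the
exploit author's code. Sample log lines and payloads are constructed.
"""
import re
from urllib.parse import unquote_plus

# Combined/common log format:
# client ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Generic MySQL injection indicators (assumed, not a signature of the exploit).
# Order matters: indicator names are reported in this order.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("boolean-tautology", re.compile(r"'\s*(or|and)\s+['\d]", re.I)),
    ("sql-comment", re.compile(r"/\*|\*/|--")),
    # phpBB stores password hashes in user_password; md5() is a common probe.
    ("phpbb-hash-hint", re.compile(r"\b(user_password|md5)\b", re.I)),
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_indicators(path):
    """Return the indicator names matched by the decoded query string of a path."""
    if "?" not in path:
        return []
    query = unquote_plus(path.split("?", 1)[1])
    query = unquote_plus(query)  # decode a second time: probes are often double-encoded
    return [name for name, pat in SQLI_PATTERNS if pat.search(query)]


def scan(lines, phpbb_folder="/phpBB2/"):
    """Return (ip, time, path, indicators) for GET requests under phpbb_folder
    whose query string carries at least one injection indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if not rec["path"].startswith(phpbb_folder):
            continue
        hits = sqli_indicators(rec["path"])
        if hits:
            findings.append((rec["ip"], rec["time"], rec["path"], hits))
    return findings


# Constructed sample log: two benign phpBB requests, two injection probes
# (illustrative payloads only), and one request outside the phpBB folder.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Dec/2003:10:01:02 +0300] "GET /phpBB2/index.php HTTP/1.1" 200 5120',
    '10.0.0.5 - - [22/Dec/2003:10:01:09 +0300] "GET /phpBB2/viewtopic.php?t=12 HTTP/1.1" 200 8800',
    '10.0.0.7 - - [22/Dec/2003:03:14:21 +0300] "GET /phpBB2/viewtopic.php?t=1%20UNION%20SELECT%20user_password%20FROM%20phpbb_users%20WHERE%20user_id%3D2/* HTTP/1.0" 200 4102',
    '10.0.0.7 - - [22/Dec/2003:03:14:25 +0300] "GET /phpBB2/profile.php?mode=viewprofile&u=2%27%20or%201%3D1-- HTTP/1.0" 200 3990',
    '10.0.0.9 - - [22/Dec/2003:11:30:00 +0300] "GET /other/app.php?id=1 HTTP/1.1" 200 1000',
]

if __name__ == "__main__":
    for ip, when, path, hits in scan(SAMPLE_LOG):
        print(f"{when} {ip} {path}\n    indicators: {', '.join(hits)}")
```

Run it against a real log with `scan(open("access.log"))` and adjust `phpbb_folder` to the installation path; the night-time timestamps on the two flagged requests are the kind of "unusual time" signal the indicators above mention, but the query-string content is what makes them stand out from ordinary port-80 traffic.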

   
Removal Instructions

All Users:
Use the current engine and DAT files for detection. Delete any file that triggers this detection.
