The detection was added to cover for a malicious exploit code which was being sent around on certain security related mailing lists. The actual exploit code was also submitted in that same e-mail.
The exploit file in question is a Perl script called "r57phpbb-poc.pl
" , note that the name might vary, it's filesize is 2857 bytes.
The Perl script targets Mysql
Servers that have v4 or greater. Apart from the target Server's IP address, the exploit script can be pointed more specifically towards a target Folder like phpBB and User id such as default 2 for the administrator.
Test connections, using remote get folder searches, are performed on tcp , port 80. If the exploit is successful, it returns the md5 hash of the user on the system that can be exploited.