Irritating worm uses phpBB vulnerability to "deface"

Jorg
Moderator
Posts: 3971
Joined: Fri Aug 27, 2004 9:38 pm
Location: Delft, Netherlands

Post by Jorg » Wed Dec 22, 2004 3:08 pm

Hi guys,

I have read all over the net that there is some kind of worm active that exploits a PHP / phpBB flaw. You can read about it here:

http://news.zdnet.com/2100-1009_22-5499725.html?tag=nl.e589

I will look into upgrading the site, but in the meantime I have made a site-wide copy of the phpBB scripts that can be restored the moment something goes wrong, and I also back up the site database on a daily basis.

If the site is being attacked and I am not yet aware of it, send an email to me: jorgb@xs4all.nl

- Jorgen
Forensic Software Engineer
Netherlands Forensic Institute
http://english.forensischinstituut.nl/
-------------------------------------
Jorg's WasteBucket
http://www.xs4all.nl/~jorgb/wb

tierra
Site Admin
Posts: 1330
Joined: Sun Aug 29, 2004 7:14 pm
Location: Salt Lake City, Utah, USA

Post by tierra » Wed Dec 22, 2004 5:09 pm

I believe it's a worm that exploits the latest PHP exploit that was patched and fixed in 4.3.10 and 5.0.3. The worm consists of some Perl code that looks for any .html files on the server and replaces the contents with some defacement info including worm generation, then continues to Google search for more websites to hack. So basically, if you have no .html files, then you probably haven't lost anything; however, that doesn't mean you haven't been infected either. If you've got shell access, executing this search on your Apache access log should indicate if you've been targeted at least, and if you didn't patch before that access, you were most likely hit:

grep 252echr access_log | wc -l


Since this is a more popular forum, I wouldn't doubt your rank in Google is high, thus making your chances of being a target much greater. I'm under the impression that simply patching PHP will stop any further hits from doing any harm; there's nothing left behind that I've heard of that you need to clean off.
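
The log check from the post above, extended as an added example (not part of tierra's post) to report when the first matching request arrived and which clients sent them, so the time can be compared against when PHP was patched. It assumes Apache common/combined log format; the function names are hypothetical and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: triage an Apache access log for the marker from the post.
MARKER='252echr'

# Number of matching requests. Case-insensitive because the hex digits of
# URL escapes may be logged in either case.
count_hits() {
    grep -ic -- "$MARKER" "$1" || true   # grep exits 1 on zero matches
}

# Timestamp of the earliest match, to compare with when PHP was patched.
# Assumes common/combined log format: client is field 1, time is field 4.
first_hit_time() {
    grep -i -- "$MARKER" "$1" | head -n 1 | awk '{ print substr($4, 2) }'
}

# One line per client: hit count, first-seen time, address; busiest first.
hits_by_client() {
    grep -i -- "$MARKER" "$1" | awk '
        { ip = $1; n[ip]++
          if (!(ip in first)) first[ip] = substr($4, 2) }
        END { for (ip in n) print n[ip], first[ip], ip }' | sort -rn
}

# Constructed sample log: documentation addresses, request contents elided.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [21/Dec/2004:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [21/Dec/2004:23:41:55 +0000] "GET /viewtopic.php?t=12&x=[elided]%252echr[elided] HTTP/1.0" 200 812
198.51.100.7 - - [21/Dec/2004:23:41:58 +0000] "GET /viewtopic.php?t=12&x=[elided]%252Echr[elided] HTTP/1.0" 200 799
203.0.113.4 - - [22/Dec/2004:02:03:11 +0000] "GET /viewtopic.php?t=98&x=[elided]%252echr[elided] HTTP/1.0" 200 640
EOF
}

# Scan the log given as $1, or the constructed sample when none is given.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    write_sample_log "$log"
fi
echo "matching requests: $(count_hits "$log")"
echo "first match:       $(first_hit_time "$log")"
hits_by_client "$log"
```

Rotated or compressed logs need the same check; a zero count on the current file says nothing about earlier ones.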

Post by Jorg » Wed Dec 22, 2004 5:32 pm

Hi Tierra,

Thanks for the info. Unfortunately I cannot patch PHP; my site is hosted by a hosting company, and I have no access to the PHP install. I don't know if patching phpBB to version 2.0.11 will do any good (we are now on 2.0.10), but I will keep an eye on this. Let's just hope we are not hit by this worm anytime in the near future...

Regards,
- Jorgen

cg
Filthy Rich wx Solver
Posts: 201
Joined: Sun Aug 29, 2004 12:33 am
Location: Canada

Post by cg » Wed Dec 22, 2004 7:05 pm

You should consider upgrading, Jorg. Have a look at this article:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=244451

Chris

Post by Jorg » Wed Dec 22, 2004 9:35 pm

Sounds indeed serious. I will try to do this before xmas, or shortly after it. Thanks for pointing it out!

Regards,
- Jorgen

