Hi guys,
I have read all over the net that there is some kind of worm active that exploits a PHP / phpBB flaw. You can read about it here:
http://news.zdnet.com/2100-1009_22-5499 ... ag=nl.e589
I will look into upgrading the site, but in the meantime I have made a site-wide copy of the phpBB scripts that can be restored the moment something goes wrong, and I also back up the site database on a daily basis.
If the site is being attacked and I am not yet aware of it, send an email to me: [email protected]
- Jorgen
Irritating worm uses phpBB vulnerability to "deface"
-
- Moderator
- Posts: 3971
- Joined: Fri Aug 27, 2004 9:38 pm
- Location: Delft, Netherlands
Forensic Software Engineer
Netherlands Forensic Institute
http://english.forensischinstituut.nl/
-------------------------------------
Jorg's WasteBucket
http://www.xs4all.nl/~jorgb/wb
-
- Site Admin
- Posts: 1355
- Joined: Sun Aug 29, 2004 7:14 pm
- Location: Salt Lake City, Utah, USA
I believe it's a worm that exploits the latest PHP exploit that was patched and fixed in 4.3.10 and 5.0.3. The worm consists of some Perl code that looks for any .html files on the server, and replaces the contents with some defacement info including worm generation, then continues to Google search for more websites to hack. So basically, if you have no .html files, then you probably haven't lost anything, however, that doesn't mean you haven't been infected either. If you've got shell access, executing this search on your Apache access log should indicate if you've been targeted at least, and if you didn't patch before that access, you were most likely hit:
Code:
grep 252echr access_log | wc -l
Being this is a more popular forum, I wouldn't doubt your rank in Google is high thus making your chances of being a target much greater. I'm under the impression that simply patching PHP will stop any further hits from doing any harm, there's nothing left behind that I've heard of that you need to clean off.
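Added example, not part of the original post: a shell function that extends the grep count above into a per-client summary (hits, first-seen timestamp, HTTP status codes), so the first hit can be compared with the date PHP was patched. It assumes Apache common/combined log format with no spaces in the request path; the names `marker_hits` and `sample_log` and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise requests that carry the "252echr" marker.
# Assumption: Apache common/combined log format (client is field 1,
# timestamp is field 4, status is field 9).

marker_hits() {
    # $1 = path to an access log.
    # Prints one line per client: "<client> <hits> <first-seen> <statuses>"
    grep -i '252echr' "$1" | awk '
        {
            ip = $1
            ts = substr($4, 2)          # drop the leading "[" of the timestamp
            status = $9
            count[ip]++
            if (!(ip in first)) first[ip] = ts
            if (index(codes[ip], status) == 0)
                codes[ip] = codes[ip] (codes[ip] == "" ? "" : ",") status
        }
        END { for (ip in count) print ip, count[ip], first[ip], codes[ip] }
    ' | sort
}

sample_log() {
    # Constructed sample lines: documentation IP ranges, placeholder queries.
    cat <<'EOF'
192.0.2.10 - - [21/Dec/2004:10:15:02 +0100] "GET /forum/page.php?q=SAMPLE%252echrSAMPLE HTTP/1.0" 200 512
198.51.100.7 - - [21/Dec/2004:10:16:40 +0100] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [21/Dec/2004:10:15:09 +0100] "GET /forum/page.php?q=SAMPLE%252Echr HTTP/1.0" 404 210
203.0.113.5 - - [22/Dec/2004:03:01:11 +0100] "GET /forum/page.php?q=SAMPLE%252echrSAMPLE HTTP/1.0" 200 498
EOF
}

# Demo run on the constructed sample; replace the temp file with a real log path.
demo_log=$(mktemp)
sample_log > "$demo_log"
marker_hits "$demo_log"
rm -f "$demo_log"
```

A 200 status on a marker request dated before the PHP upgrade is the case the post describes as "most likely hit"; 404s only show the site was probed.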
-
- Moderator
- Posts: 3971
- Joined: Fri Aug 27, 2004 9:38 pm
- Location: Delft, Netherlands
Hi Tierra,
Thanks for the info. Unfortunately I cannot patch PHP; my site is hosted by a hosting company, and I have no access to the PHP install. I don't know if patching the phpbb to version 2.0.11 will do any good (we are now on 2.0.10), but I will keep an eye on this. Let's just hope we are not hit by this worm anytime in the near future...
Regards,
- Jorgen
-
- Filthy Rich wx Solver
- Posts: 201
- Joined: Sun Aug 29, 2004 12:33 am
- Location: Canada
You should consider upgrading, Jorg. Have a look at this article:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=244451
Chris
-
- Moderator
- Posts: 3971
- Joined: Fri Aug 27, 2004 9:38 pm
- Location: Delft, Netherlands
Sounds indeed serious. I will try to do this before xmas, or shortly after it. Thanks for pointing it out!
Regards,
- Jorgen