1
waterkid
Website Infected by Worm! NewBB Vulnerability???
  • 2004/12/21 22:23

  • waterkid

  • Just popping in

  • Posts: 6

  • Since: 2004/12/7


Latest Update:
NewBB is not the problem. My hosting service got back to me again and explained that I was not the source. They are now working on restoring my website with their Dec. 17th backup. Great web hosting service. Any problems I have had have been responded to/fixed within minutes. :)

Thanks again to all those who helped me understand what was happening.

Waterkid
Xoops Rookie :)


My website was infected by the "NeverEverNoSanity WebWorm generation 8." worm. Does anyone know where there might be a weak point in xoops?

Website: http://waterkid.net

Update:
I received the following message from my hosting service:
"Hello,

There is a worm that exploits PHPBB forums and injects a Perl script that will traverse the server, looking for worldwritable files. The script will also search google for other phpBB forums and try to infect them as well.

The overwritten files were all with 666 or 777 permissions (worldwritable) and thus were overwritten.

You need not use 777 or 666 permissions on our server anymore. We have started using SuExec on the server, which greatly improves the security and stability. This environment also executes scripts with the user credentials, instead of the Apache ones, so your scripts can access all your files and folders.

We have urgently patched all the faulty customer phpBB boards to stop the worm attacks against our servers already.

We can restore your site from our backups, dated 10 and 17 Dec. Please advise which backup we shall use.

Best Regards,
Support"

I have never used phpBB software. Is it possible that newBB was based on phpBB script making it vulnerable to this worm?

Thanks in advance for your help!

2
smdcom
Re: Website Hacked!

check your accesslog. and trace how the attackers get through your server. ask your administrator. might be a weak in your hosting server. if XOOPS has a hole this is will be hacked also. i believe XOOPS can't be hacked.

SMD

3
ackbarr
Re: Website Infected by Worm! NewBB Vulnerability???

smdcom - thanks for the vote of confidence, but nothing is un-hackable. That said I took a look at the vulnerability in question, and I do not think that newbb is vulnerable to it. I also spent a little bit reading the perl script that is used to exploit this hole. Though I don't speak perl well, if I read the code correctly, once the exploit begins, the worm traverses the directory tree overwriting every PHP, HTML, and ASP script it can get its gruby little paws on. If anything, this might mean that files in your directory were world-writable.

4
siweb
Re: Website Hacked!
  • 2004/12/21 23:29

  • siweb

  • Not too shy to talk

  • Posts: 150

  • Since: 2004/5/2 1


The problem was not XOOPS, but phpBB. Look at http://www.kaspersky.com/news?id=156681162

I hope the phpBB2>newbb2 converter will be available soon.

5
waterkid
Re: Website Hacked!
  • 2004/12/21 23:41

  • waterkid

  • Just popping in

  • Posts: 6

  • Since: 2004/12/7


Thanks for the reply. Here is my issue:

I have never installed nor used phpBB before. The first time I became familiar with setting a forum on my website was through xoops.

6
Peekay
Re: Website Hacked!
  • 2004/12/21 23:48

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


As ackbarr says, this targets phpBB but can then affect other sites on the same server, even if you don't run phpBB. It's nice to see your host has at least responded to the problem. There's some more info here:

http://www.f-secure.com/v-descs/santy_a.shtml
http://www.viruslist.com/en/viruses/encyclopedia?virusid=68388

7
smdcom
Re: Website Infected by Worm! NewBB Vulnerability???

just a advice. tell your hosting admin to update the anti-virus on thier server. but it's really nice because your host responded to the problem.

SMD

8
waterkid
Re: Website Hacked!
  • 2004/12/21 23:59

  • waterkid

  • Just popping in

  • Posts: 6

  • Since: 2004/12/7


I got the big picture now. Thank you so much to all of you who replied. I have been spending the last hour looking for phpBB files on my account just in case, but now I understand that I am not the cause of the problem...someone else on the same server using phpBB is.

Thanks again for all your help. I greatly appreciate it.

Waterkid

Login

Who's Online

394 user(s) are online (252 user(s) are browsing Support Forums)


Members: 0


Guests: 394


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits