Some ass wipe trying to crack this forum
Someone at rrcs-central-24-92-131-185.biz.rr.com (24.92.131.185) has been scanning these forums for the last 3 hours (until I blocked his IP). He/She has some sort of script running trying to break into user accounts and get private message info and the like. I've been digging through the logs trying to recreate his/her actions and from what I can tell they have not been successful in any of their attempts. Feel free to crack them back, or report them to the FBI, or to Road Runner (abuse@rr.com) who the IP belongs to. Of course I assume no liability if you get in trouble trying to crack them.
Snort recorded these events (1133 of them) as attempts to exploit a private message vulnerability in phpBB. This vulnerability has been fixed in phpBB 2.0.4 which I upgraded to as soon as the vulnerability was discovered and the update was available (many months ago). I am certain that this vulnerability has never been exploited on this system. Of course even if it was I can't imagine too much valuable private message stuff on these forums (nothing worth grabbing in mine). It could also be a web suck along the lines of a "wget -r" but I don't think so; either way, I don't appreciate it. They also are using Firebird 0.7 as the user agent which is surely a fake.
Just a heads up, in case you do a lot of private messaging on other forums, so that you are aware of such exploits in forum software that is not kept up to date.
Here are all of today's web server entries from that host
Notes about the above address. I believe it to be the actual address of the person doing the scan. It's not a system that was broken into and a scan launched remotely. I say this because he/she appears to be running a nice and tight firewall with no TCP ports open. Just port 113 in the closed state. To me this means this is coming from someone who is competent and knows what they are doing, and of course one would think also means that they know what they are doing is wrong.
You can also see on some of the Cacti graphs how this affected the system:
http://voidmain.is-a-geek.net/cacti/graph_view.php
During the time period you should notice a significant amount of Snort alerts, rise in CPU utilization, slight bandwidth increase, and of course a step jump in Web Hits, all coinciding with the log entries mentioned earlier.
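As an added example (not part of the original post, and not the tooling the poster used to dig through the logs): a small Python triage script that reads Apache combined-format access log lines, summarizes each client host, and flags the pattern described above, a burst of requests from one host concentrated on a single script. The log lines, IP addresses, timestamps and the user-agent string are constructed for the example; `/privmsg.php` is phpBB 2's private-message script, and the thresholds are arbitrary starting points rather than anything the post states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/NCSA "combined" access log format (assumption: the post does not
# show its server's log lines, this is the most common format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def summarize_hosts(lines):
    """Aggregate per client IP: hit count, hits per script, user agents, time span."""
    hosts = defaultdict(lambda: {"hits": 0, "paths": defaultdict(int),
                                 "uas": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        h = hosts[rec["ip"]]
        h["hits"] += 1
        h["paths"][rec["path"].split("?")[0]] += 1   # drop the query string
        h["uas"].add(rec["ua"])
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
    return hosts


def flag_scanners(hosts, min_hits=50, max_rate_per_min=20.0, script="/privmsg.php"):
    """Return {ip: [reasons]} for hosts whose traffic looks like automated probing."""
    flagged = {}
    for ip, h in hosts.items():
        reasons = []
        # Never divide by a zero-length window (a single request).
        span_min = max((h["last"] - h["first"]).total_seconds() / 60.0, 1 / 60.0)
        rate = h["hits"] / span_min
        if h["hits"] >= min_hits and rate > max_rate_per_min:
            reasons.append(f"{h['hits']} requests in {span_min:.1f} min ({rate:.0f}/min)")
        script_hits = h["paths"].get(script, 0)
        if script_hits and script_hits / h["hits"] > 0.8:
            reasons.append(f"{script_hits} of {h['hits']} requests hit {script}")
        if reasons:
            flagged[ip] = reasons
    return flagged


def build_sample_log():
    """Constructed sample: one host hammering privmsg.php, one ordinary reader."""
    base = datetime(2004, 3, 12, 14, 3, 5, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    # Constructed user-agent string; the post only says the scanner claimed Firebird 0.7.
    scan_ua = "Mozilla/5.0 (X11; U; Linux i686; rv:1.5) Gecko/20031007 Firebird/0.7"
    lines = []
    for i in range(120):  # one request per second for two minutes
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'192.0.2.10 - - [{ts}] "GET /privmsg.php?folder=inbox&mode=read&p={i} '
                     f'HTTP/1.0" 200 4321 "-" "{scan_ua}"')
    for i in range(3):  # a normal visitor, a few pages over ten minutes
        ts = (base + timedelta(minutes=5 * i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /viewtopic.php?t={i} HTTP/1.1" 200 9876 '
                     f'"http://forum.example/index.php" "Mozilla/5.0 (compatible; example)"')
    return lines


if __name__ == "__main__":
    hosts = summarize_hosts(build_sample_log())
    for ip, reasons in flag_scanners(hosts).items():
        print(ip, "->", "; ".join(reasons), "| agents:", sorted(hosts[ip]["uas"]))
```

The rate check catches the "1133 requests in three hours" kind of burst regardless of which script is hit, and the concentration check catches a slower loop aimed at one endpoint; a blanket crawl like `wget -r` would spread across many paths and trip only the first. Keep the aggregated user agents in the output, since an odd or stale browser string, like the Firebird 0.7 claim here, is worth a second look even when it is not itself a detection criterion.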