Void's Forums

[Void Main]

If you are running phpBB forums and haven't patched it recently you will want to do that now. I noticed that someone had exploited a vulnerability in my forum:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

I have been watching them and am currently tracking them down and plan on taking action against them. Just a warning, patch your board if you haven't done so recently! I went ahead and upgraded the whole thing to 2.0.11 (via patch files).

Here a lot of snot nosed CeNsOrEd can be found:
http://forum.zone-h.org/search.php?sear ... ords=phpbb

And it would appear that at least for a while this site must have appeared here:
http://zone-h.com/defacements/onhold

Still tracking and decoding activity from at least as far back as 22 Nov which appears to be where the activity started. Almost all hits came out of Brazil from several different DSL connections:

200.117.34.137
200.138.70.151
200.161.250.232
200.162.208.31
200.162.230.113
200.175.26.138
200.175.84.82
200.181.213.251
200.199.131.221
200.199.184.227
200.199.25.195
200.203.110.179
200.203.166.61
200.203.35.32
200.206.164.44
200.207.114.17
200.216.15.58
200.217.33.71
200.96.22.32
201.0.73.35
201.0.73.83
201.13.224.52
201.9.182.192
203.81.192.58
211.157.36.9
81.192.249.104

I'm decoding the system() calls they made right now. I know a few tag files were dropped in my forum directory which wouldn't have been possible had I had set proper permissions on that directory, duh! Several other commands were run and information gathered. I even had to translate a little Portuguese! I'll get it all traced out. I can't believe I didn't notice it earlier. I had some indicators that I had ignored at the beginning. I'll look at my alerts a little more closely from now on.

[Void Main]

I wrote a script to turn the light on these cockroaches who have nothing better to do with their time than to try and deface web sites. This script will decode your Apache log and see what commands were executed on your system through the phpBB vulnerability (if your system is vulnerable which if it's less than 2.0.11 it's vulnerable):

Code: Select all

#!/usr/bin/php -q
<?
// Program: decode_phpbb_sploit.php
// created by Void Main - 2 Dec 2004
// updated by Void Main - 9 Jan 2005
//
// 1) make it executable
// 2) cat /var/www/httpd/access_log | ./decode_phpbb_sploit.php

function cvtchr($m) { return chr($m[1]); }

set_time_limit(0);

$stdin = fopen('php://stdin','r');

while ($cmd = trim(fgets($stdin))) {

   if (preg_match("/system\(chr\(/i",$cmd) ) {

      $cmd = preg_replace("/(.*) -.*[-\"].*\[(.*)\].*system\((.*)\).*HTTP.*/",
               "\${1} - [\${2}] - \${3}",
                 preg_replace_callback("/\.*chr\((\d+)\)/i",cvtchr,
                   urldecode(urldecode($cmd))));
      echo "$cmd\n";

   } elseif (preg_match("/\&rush=%/i",$cmd)) {

      $cmd = preg_replace("/(.*) -.*[-\"].*\[(.*)\].*\&rush=(.*).*HTTP.*/",
               "\${1} - [\${2}] - \${3}",
                 urldecode(urldecode($cmd)));
      echo "$cmd\n";
   }

}
?>


I won't show all of my decoded logs (which are interesting) but here is a sample line:

This:

Code: Select all

203.81.192.58 - - [01/Dec/2004:12:05:44 -0600] "GET /forums//viewtopic.php?t=2&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)
%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)
%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(117)%252echr(110)
%252echr(97)%252echr(109)%252echr(101)%252echr(32)%252echr(45)%252echr(97)%252echr(59)%252echr(105)
%252echr(100)%252echr(59)%252echr(119)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)
%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252
echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.0" 200 5484 "-" "Mozilla/3.0 (compatible; Indy Library)"


Becomes:

Code: Select all

203.81.192.58 - [01/Dec/2004:12:05:44 -0600] - echo ___INICIO___;uname -a;id;w;echo ___FIM___;


The above line of commands "echo ___INICIO___;uname -a;id;w;echo ___FIM___;" is one of several lines of commands that were executed from the above address. There are several different addresses that have executed various commands including downloading a backdoor and attempting to execute it (BTW, their backdoor attemps were unsuccessful for several reasons I need not mention). Most of the addresses are out of Brazil. I got the source to the back door and there were three separate downloads of the same back door by 3 different brats. Two copies were the original version and one copy was the same program but translated into Portuguese. Of course in the echo commands in the line I quoted "INICIO" translates to "BEGIN" and "FIM" translates to "END". If someone can help me identify the little CeNsOrEd there may be a reward in it for you. Here are some of the IP addresses in question (could have been hacked sites, but these kids seem to be too stupid to hop in anonymously):

200.117.34.137
200.138.70.151
200.158.37.166
200.161.250.232
200.162.208.31
200.162.230.113
200.175.26.138
200.175.84.82
200.181.213.234
200.181.213.251
200.199.131.221
200.199.184.227
200.199.25.195
200.203.110.179
200.203.166.61
200.203.35.32
200.206.164.44
200.207.114.17
200.216.15.58
200.217.33.71
200.96.22.32
201.0.73.35
201.0.73.83
201.13.224.52
201.9.182.192
203.81.192.58
213.144.148.19
217.160.110.47
65.168.184.251
69.43.151.31
81.192.249.104

Which some have hostnames:

host137.200-117-34.telecom.net.ar
200-138-070-151.mganm7004.dsl.brasiltelecom.net.br
200-158-37-166.dsl.telesp.net.br
200-161-250-232.dsl.telesp.net.br
200-162-208-31.user.ajato.com.br
200.162.230.113.user.ajato.com.br
200.175.26.138.dialup.gvt.net.br
200.175.84.82.dialup.gvt.net.br
227.2-254.184.199.200.telemar.net.br
200-203-110-179.smace7006.dsl.brasiltelecom.net.br
200-203-035-032.paemt7005.dsl.brasiltelecom.net.br
200-206-164-44.dsl.telesp.net.br
200-207-114-17.dsl.telesp.net.br
200216015058.user.veloxzone.com.br
200-096-022-032.cscgo7001.dsl.brasiltelecom.net.br
201-0-73-35.dsl.telesp.net.br
201-0-73-83.dsl.telesp.net.br
201-13-224-52.dsl.telesp.net.br
201009182192.user.veloxzone.com.br
host58.worldcall.net.pk
kunden1.livenet.ch
p15096902.pureserver.info
adsl-104-249-192-81.adsl.iam.net.ma

If someone has been able to execute commands on your system through the phpBB vulnerabilities you'll probably also see interesting things in your /var/log/httpd/error_log.

[Calum]

how can i tell if i have done it right?

i have updated it and all, but the little blurb on the bottom of the pages still claims to be 2.0.4 (although i strongly suspect this to be purely an html thing from the actual templates themselves). What's the easy way to test this either from the command line, or by some other method?

thanks! both for mentioning it here and in advance for any response to my question!

[Void Main]

What did you do to patch your board? If you did a full upgrade to 2.0.11 either via patch file or via changed files then it should say 2.0.11 at the bottom. You *can* just patch the vulnerability itself in the viewtopic.php but then you really haven't upgraded to 2.0.11 so it wouldn't change the version on your main page.

You can tell if you are patched by trying to exploit your board. You can actually use wget or just your browser to test it. Copy/past the URL from my log entry that I that I provided in an earlier post into your browser. Replace the "/forums//" in my log entry with "http://calumssite/forumdir/" and if at the top of the page you see some text that shouldn't be there containing the text "___INICIO___" followed by the output of "uname -a" followed by the user information for your apache user followed by a list of people that are currently logged on to your system followed by "___FIM___" then you have not properly patched your system. :) There is actually a Perl script that someone wrote to just pass the machine name, the subdir and the list of commands you want to run surrounded by quotes:

http://forum.zone-h.org/viewtopic.php?t=1168

EDIT: I just tried to do an "ls -al" on your bbs and it failed so if you see my IP address in your log and one line decodes to that you'll know it was me. So it looks like you are patched for at least that one vulnerability.

[Calum]

well, i tried using "patch" first but it appeared to be taking an irnordinately long time so i did ctrl-c before it was finished and simply wiped all the files except my themes and avatars directories, and then replaced them with the files from the full download of phpBB 2.0.11 from phpbb.com. I know that sounds dodgy, but the readme on the site reckons it's perfectly OK and so far no problems have ocurred.

I did indeed use your test above and none of the suspicious command made itself apparent, so i am fairly confident i am OK.

Thanks again!

[Stryker]

http://polytheism.org.uk is patched, at least this particular exploit. Someone used it on one of my forums so I did some research on it, and then checked to make sure the forums i know of are patched. I didn't know about yours but I just checked it and ur fine. Also checked void's a while ago, don't remember when, but if u see an attempt from a comcast customer in seattle don't like melt my computer or anything.

and if it bothers you that i checked i appologize, and i won't check in the future. but i'm just trying to help

edit: looks like void beat me to it too.

[Calum]

ok, i will postpone the computer melting just this once!

thanks, no exploit attempts don't bother me. i look at computer security like real security, sure, it's wrong for people to break into your house and take your stuff, but if you leave your back door unlocked, what do you expect?





i would go further with that analogy in fact, and say that if you leave windows open, it's only a matter of time before you get broken into. Not that that' relevant, i just like the analogy!

[4liberty]

I have never had an issue with phpbb's, I do now, and the patch work was done, I think it may have been some mods we did, but then I was told it may not be

from:
http://slashdot.org/

Developers: PHP Vulnerabilities Announced

Posted by michael on Friday December 17, @12:20PM
from the rated-o-for-overtime dept.
Simone Klassen writes "The Hardened-PHP Project has announced several serious and according to them, easy-to-exploit vulnerabilities within PHP. A flaw within the function unserialize() is rated as very critical for millions of PHP servers, because it is exposed to remote attackers through lots of very popular webapplications. The list includes forum software like phpBB2, WBB2, Invision Board and vBulletin. It is time to upgrade now."


http://www.php.net/downloads.php

[Void Main]

I have been following these PHP vulnerabilities for the last few days now. I get all my security info from sites like:

http://isc.sans.org/
http://securityfocus.com/
http://securityfocus.com/archive/1

I keep up with more than just the above though. The vulnerabilities you are referring to are actually functions in PHP and not phpBB itself. phpBB does use some of the vulnerable functions so you need to upgrade your version of PHP. My system actually updates itself on a daily basis so I usually don't have to manually update anything, it will get the security updates usually within a day of their release. Most of the time vulnerabilities are fixed before an exploit is released. This case is a little different though because there are some exploits out there and there still aren't updated packages for my distro (Fedora Core 3) so I just built some new RPMs out of the new PHP 4.3.10. For anyone who can't wait for the official RPMs here are the ones I built:

http://voidmain.is-a-geek.net/files/php-4.3.10-0/

Of course these will only work for FC3 so unless that is what you are running don't try and install them. More than likely within the next day or two there will be official packages out there and my system will upgrade from the packages that I have built to the new ones.

The one thing that doesn't automatically update itself is my phpBB forum software because it's not a package included with my distro or in any of the repositories out there that I use. I don't think there is an actual "package" of phpBB for any distro though. Because of this I have to update it separately from the rest of my system. I am up to the latest 2.0.11 and am having no trouble with it at all. My Apache version is 2.0.52-3.1, php version 4.3.10 (as you know) and my current kernel version is 2.6.9-1.681_FC3. I update often though so these versions will surely change soon.

What OS you running?

[4liberty]

os = bad guys ME, that will all be changing, shoot if I keep coming here I am going to end up being a geek again lol, thanks for the tips

[Void Main]

You are running that thing on ME???? Heh heh, I am actually quite amazed that you are able to even have it work at all! :)

[Void Main]

Looks like some little turds launched a worm this morning shortly after midnight (at least that's when I noticed it in my logs). It exploits the vulnerability mentioned earlier in this thread. Good thing we are all patched right? ;) Unfortunaly by looking at my logs there are many unpatched systems out there. I have blocked all of the ones that were hitting me and continue to block the few new straglers that are still popping up via my iptables block script. You can use the PHP code I wrote earlier to see the perl scripts they are trying to download and run which obviously were successful on many systems. I have downloaded all of the ones I have seen so far and am currently looking them over. Script names that someone attempted to run on my system are:

bot
bot.txt
ownz.txt
ssh.a
terrorworm.txt
unbot.txt
unworm.txt
worm.txt
worm1.txt

Never mind the names of the files, they are all perl scripts. It would help if I new Portugese for reading the comments and variable names though. :) So if your favorite phpbb board is slow today it's because they are either playing a part in this worm because they weren't patched or they are suffering from DoS from being hit with all the machines that are part of the phpBB worm. I wish this pimply faced youths could find something more productive to do with their Christmas vacation.

EDIT: It uses google and yahoo to find phpBB systems and valid topics to use in the highlight exploit. Initially it looks like they would have manually installed the script on vulnerable system "0". They exececuted the script which searches google and yahoo for phpBB systems as I said, then system 0 will go to those systems and download the perl scripts which again goes out and performs the same search and causes the worm to continue to spread eating up bandwidth on the systems that are vulnerable, google, yahoo, and all phpBB systems whether they are vulerable or not because they are being hit with all the exploited machines.

EDIT2: To this point I have blocked over 1700 IP addresses (not by hand mind you) which means there is at least that many systems out there that have been exploited to this point.

[Void Main]

I haven't been on in a couple of days since my last post above and apparently the problem out in Internetland got even worse and I think my forums have been down because of this phpBB worm overloaded my site with exploit attempts. I think I have figured out a way to stop it from DoS'ing me. I made it so Apache will just give a 403 error.

Code: Select all

       RewriteEngine On
       # PHP/phpBB Vulnerability Thwart
       RewriteCond %{QUERY_STRING} ^(.*)echr\((.*)    [NC]
       RewriteRule ^.*$             -               [F]
       RewriteCond %{QUERY_STRING} ^(.*)wget%20(.*) [NC]
       RewriteRule ^.*$             -               [F]
       RewriteCond %{QUERY_STRING} ^(.*)perl%20(.*) [NC]
       RewriteRule ^.*$             -               [F]
       RewriteCond %{QUERY_STRING} ^(.*)system\((.*) [NC]
       RewriteRule ^.*$             -               [F]


[Void Main]

Also just noticed ISC@SANS finally posted something about it:
http://isc.sans.org/diary.php?date=2004-12-25

[Calum]

my isp actually emailed me last week saying they were disabling everybody's phpBB boards unless they were patched to the latest version. nice and efficient, but still 2 days after i had already heard about it here

nice work!