Well... wasn't that fun?!?

A place for anything and everything.
Rocketdork
A.B. Normal
Posts: 1489
Joined: Wed Aug 27, 2003 7:13 pm
Location: The City of NOT Spokane

Post by Rocketdork » Wed Dec 22, 2004 9:22 pm

AsaJay wrote: damn scriptkiddies anyway.
They're known as MONKEY FUCKERS in this forum. :lol:

That's bold, italic and large font size... :wink: :poke:
"A man without a woman is like a statue without pigeons"
bio
Resident Junky
Posts: 6644
Joined: Tue Dec 31, 2002 12:24 pm
Location: Spokane, WA
Has thanked: 26 times
Been thanked: 43 times

Post by bio » Thu Dec 23, 2004 9:23 am

After reading about how the MONKEY FUCKERS used google to search for installations of phpbb, I've replaced the text at the bottom of the pages with an image.

This keeps me in with the TOS of using phpbb and makes it impossible to find this site with that search (of course, google now blocks that search, but hey... I do what I can do).
"That's What"
- She
Eve
Aussie Stalker Babe
Posts: 524
Joined: Sat Mar 29, 2003 5:31 pm
Location: Sydney, Aust.

Post by Eve » Fri Dec 24, 2004 11:36 pm

Looks like the worm is spreading and the infected sites are hammering yours:


[image: screenshot of the board's user load]

Mind you, no-one has to know your userload isn't this fantastic all the time :wink:

This from US C.E.R.T

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Technical Cyber Security Alert TA04-356A
Exploitation of phpBB highlight parameter vulnerability

Original release date: December 21, 2004
Last revised: --
Source: US-CERT

Systems Affected

phpBB versions 2.0.10 and prior

Overview

The software phpBB contains an input validation problem in how it
processes a parameter contained in URLs. An intruder can deface a
phpBB website, execute arbitrary commands, or gain administrative
privileges on a compromised bulletin board.

I. Description

phpBB is an open-source bulletin board application. It fails to
properly perform an urldecode() on the "highlight" parameter supplied
to viewtopic.php. This may allow a remote attacker to execute
arbitrary commands on a vulnerable server.

According to reports, this vulnerability is being actively exploited
by the Santy.A worm. The worm appears to propagate by searching for
the keyword "viewtopic.php" in order to find vulnerable sites.

The worm writes itself to a file named "m1ho2of" on the compromised
system. It then overwrites files ending with .htm, .php, .asp, .shtm,
.jsp, and .phtm replacing them with HTML content that defaces the web
page. The worm then tries to use PERL to execute itself on the
compromised system and propagate further.

US-CERT is tracking this issue as:

VU#497400 - phpBB viewtopic.php fails to properly sanitize input
passed to the "highlight" parameter

II. Impact

A remote attacker may be able to deface a phpBB website and execute
arbitrary commands on a compromised bulletin board.

III. Solution

Upgrade phpBB

Upgrade to phpBB version 2.0.11 to prevent exploitation.
Locked in a room with you, 2 tigers and a gun with 2 bullets, I'd shoot you twice.
Grumpy Old Woman.
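The advisory above says the "highlight" parameter of viewtopic.php is not urldecoded properly. One thing a board admin can do with that fact is look back through the web server's access log for requests whose highlight value does not look like a search term. The following is an added example for this thread, not phpBB code and not part of the US-CERT advisory: a small PHP scanner for Apache combined-format log lines. The two tests it applies (a value that changes when decoded a second time, and a decoded value containing characters a word list would not) are heuristics chosen for the example, not signatures taken from the worm, and the log lines at the bottom are constructed.

```php
<?php
// Added example for this thread, not phpBB code and not part of the US-CERT
// advisory: scan Apache combined-format access log lines and report requests
// to viewtopic.php whose "highlight" parameter does not look like a list of
// search words. Both tests are heuristics chosen for this example:
//   1. the value changes when urldecode() is applied a second time, i.e. it
//      carries nested percent-encoding that a genuine search term never needs;
//   2. after one decode the value contains characters other than letters,
//      digits, whitespace and the '*' wildcard.

const LOG_PATTERN =
    '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+)(?: [^"]*)?" (?<status>\d{3}) /';

/** Split one log line into the fields the scanner needs; null if it does not parse. */
function parseLogLine(string $line): ?array
{
    if (!preg_match(LOG_PATTERN, $line, $m)) {
        return null;
    }
    $url = parse_url($m['target']);
    if ($url === false) {
        return null;
    }
    return [
        'ip'     => $m['ip'],
        'time'   => $m['ts'],
        'path'   => $url['path'] ?? '',
        'query'  => $url['query'] ?? '',   // still percent-encoded
        'status' => (int) $m['status'],
    ];
}

/** Return the raw (still encoded) value of $name from a query string, or null. */
function rawQueryParam(string $query, string $name): ?string
{
    if ($query === '') {
        return null;
    }
    foreach (explode('&', $query) as $pair) {
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if (urldecode($key) === $name) {
            return $value;
        }
    }
    return null;
}

/** Reasons a raw highlight value looks suspicious; an empty array means it looks benign. */
function highlightFindings(string $raw): array
{
    $reasons = [];
    $once  = urldecode($raw);
    $twice = urldecode($once);
    if ($once !== $twice) {
        $reasons[] = 'nested percent-encoding';
    }
    // preg_match returns 0 for unexpected characters and false for invalid
    // UTF-8; neither is what a highlight word list looks like.
    if (preg_match('/^[\p{L}\p{N}\s*]*$/u', $once) !== 1) {
        $reasons[] = 'characters outside a search-word list';
    }
    return $reasons;
}

/** Scan log lines and return one finding per suspicious viewtopic.php request. */
function scanAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req === null || basename($req['path']) !== 'viewtopic.php') {
            continue;
        }
        $raw = rawQueryParam($req['query'], 'highlight');
        if ($raw === null) {
            continue;
        }
        $reasons = highlightFindings($raw);
        if ($reasons !== []) {
            $findings[] = [
                'ip'        => $req['ip'],
                'time'      => $req['time'],
                'highlight' => $raw,
                'reasons'   => $reasons,
            ];
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic): one ordinary search, two that
// should be flagged, and one request to a different script that is ignored.
$sampleLog = [
    '203.0.113.5 - - [22/Dec/2004:10:01:02 -0800] "GET /viewtopic.php?t=42&highlight=worm+santy HTTP/1.1" 200 5120',
    '198.51.100.9 - - [22/Dec/2004:10:01:09 -0800] "GET /viewtopic.php?t=42&highlight=%2527test HTTP/1.0" 200 5120',
    '198.51.100.9 - - [22/Dec/2004:10:01:11 -0800] "GET /viewtopic.php?t=42&highlight=foo%28bar%29 HTTP/1.0" 200 5120',
    '203.0.113.7 - - [22/Dec/2004:10:02:00 -0800] "GET /index.php?highlight=%2527 HTTP/1.1" 200 8000',
];

foreach (scanAccessLog($sampleLog) as $f) {
    printf("%s %s highlight=%s [%s]\n",
        $f['time'], $f['ip'], $f['highlight'], implode('; ', $f['reasons']));
}
```

Run it with `php scan.php` after pointing `$sampleLog` at `file('access_log', FILE_IGNORE_NEW_LINES)`. Expect some false positives: a visitor who searches for a term containing a literal percent sign or a non-ASCII word trips the second test, so treat the output as a list of requests to look at, not as proof of an attack. Requests coming from many different web-host addresses at once, as bio describes later in the thread, are the ones worth correlating.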
bio
Resident Junky
Posts: 6644
Joined: Tue Dec 31, 2002 12:24 pm
Location: Spokane, WA
Has thanked: 26 times
Been thanked: 43 times

Post by bio » Sat Dec 25, 2004 9:20 pm

We're running 2.0.11 :-)

And I had a lot more than what they say the Santy.A virus places on the system. Files first appeared on my machine on 12/14. They included an IRC relay client and a bunch of other unidentified crap. All were owned by the same owner as Apache.

We removed them but they came back on 12/16.

It almost looks like they picked my box as a launching point or testing ground. Fortunately, there were log files on the IRC server that show someone from an ISP in Brazil logged in and made some changes to the relay client.

I've forwarded those IP addresses and log files along with my complaint to the ISP in Brazil as well as to the FBI. There's a real chance we can nail those bastards.
"That's What"
- She
AsaJay
pantera pilot
Posts: 596
Joined: Wed Sep 10, 2003 8:56 am
Location: Greater Pacific Northwest

Post by AsaJay » Sat Dec 25, 2004 9:35 pm

Eve,

Do you have some kind of subscription to CERT?
bio
Resident Junky
Posts: 6644
Joined: Tue Dec 31, 2002 12:24 pm
Location: Spokane, WA
Has thanked: 26 times
Been thanked: 43 times

Post by bio » Sat Dec 25, 2004 11:50 pm

I've been looking at the IP address of all those guests. They aren't search engines.

I'm not sure what they are. Most of the IP addresses take me to cpanel, so they're IP addresses of webhosts. Possibly infected pages sites?

I'll be glad when all this blows over.
"That's What"
- She
Eve
Aussie Stalker Babe
Posts: 524
Joined: Sat Mar 29, 2003 5:31 pm
Location: Sydney, Aust.

Post by Eve » Sat Dec 25, 2004 11:52 pm

AsaJay wrote: Eve,

Do you have some kind of subscription to CERT?
Yep, I have been on their advisory mailing list for a few years now, but I just checked out where to subscribe only to find that they aren't accepting any more subscriptions to the CERT Coordination Center list.

Looks as though the Department of Homeland Security has created the US-CERT organisation. FAQ from the (Carnegie Mellon) CERT site talks about this and how new advisories will be issued from the US-CERT site. You can sign up for their email advisories here.
Locked in a room with you, 2 tigers and a gun with 2 bullets, I'd shoot you twice.
Grumpy Old Woman.
ironpants
metal butt
Posts: 459
Joined: Sat Jul 24, 2004 12:09 am
Location: Spokane, WA

Post by ironpants » Sun Dec 26, 2004 7:31 pm

you knew this was coming, so here it is...

how secure do you feel about linux now?
"The age demanded that we sing, and cut away our tongue. The age demanded that we flow, and hammered in the bung. The age demanded that we dance, and jammed us into iron pants. And in the end the age was handed the sort of shit that it demanded."
bugfreezer
Arthropoda Cryogenicist
Posts: 1294
Joined: Thu Jan 08, 2004 11:55 am
Location: Pullman, WA

Post by bugfreezer » Sun Dec 26, 2004 7:57 pm

ironpants wrote: you knew this was coming, so here it is...

how secure do you feel about linux now?
Really, the issue is about php, specifically about phpbb - the risks might have been the same on a winbox running php. As near as I can tell, it only fouled up the board, not crashed the entire system. The one thing I still...well, hate...about the MS OSes is that they HAD to integrate the browser with the OS - talk about firetraps...and stifling innovation - firefox rules!

All the same I still prefer the MS OSes over Linux.
Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing ever happened.
- Sir Winston Churchill
AsaJay
pantera pilot
Posts: 596
Joined: Wed Sep 10, 2003 8:56 am
Location: Greater Pacific Northwest

Post by AsaJay » Sun Dec 26, 2004 8:33 pm

Thanks Eve, I'll check into CERT and get myself signed up.

Linux? Hmmm,
Apply multiple patches (issued sooner than MS does), to multiple problems, making the system more secure, sooner than MS could,

. . . and all -WITHOUT- rebooting.

Hmmm, let me think about that one.

Install XP, and hook up to the internet, get infected with Sasser, MyDoom, and who knows what else, before having even a -chance- to fetch updates and apply them, which would -require- multiple reboots, re-connects, fetches, reboots, re-connects, fetches, reboots, re-connects, fetches... well you get the idea. (not that -I- do it that way, but there are thousands that do, with no clue as to what is going on)

hmmm, let me think about it.

On Linux I can monitor the processes, kill them if I please, shut down services, backup and restore, sooooooooooooo much easier than on a MS system, which in most cases won't even let me touch the damn things.

Hmmm, let me think about it.


hmmmm.
hmmmm
hmmmm

Nope, FMS.

::update::
I just got subscribed to the CERT Technical alerts. Thanks Eve.
Last edited by AsaJay on Mon Dec 27, 2004 9:51 am, edited 1 time in total.
bio
Resident Junky
Posts: 6644
Joined: Tue Dec 31, 2002 12:24 pm
Location: Spokane, WA
Has thanked: 26 times
Been thanked: 43 times

Post by bio » Mon Dec 27, 2004 9:17 am

ironpants wrote: you knew this was coming, so here it is...

how secure do you feel about linux now?
Like bugfreezer said, this wasn't a linux issue. It was a phpbb problem, and it affected machines on both ends.

Had I not been running phpbb (or had installed the release that came out one day prior to the attack), I would have been fine.

But just for giggles, let's do a test. I'll install a linux server with nothing but the install CD... no updates, no fancy tricks, nothing. You install a Windows server the same way.

Then we'll put them naked on the internet. Let's see which one melts first.
"That's What"
- She
Eve
Aussie Stalker Babe
Posts: 524
Joined: Sat Mar 29, 2003 5:31 pm
Location: Sydney, Aust.

Post by Eve » Mon Dec 27, 2004 2:35 pm

Well at this point, let's have the facts.

:D
Locked in a room with you, 2 tigers and a gun with 2 bullets, I'd shoot you twice.
Grumpy Old Woman.
baldy
Limey boy
Posts: 416
Joined: Sun Jan 05, 2003 7:33 pm

Post by baldy » Mon Dec 27, 2004 2:39 pm

Seems to me all the operating systems are plagued by exactly the same security issues .... it all seems to be about how fast the vendors can respond to an issue or vulnerability followed by how quickly ( or even IF) the consumers react to apply a patch or a fix. Hopefully the next few generations of software will be 'autofixed' quicker and cleaner, notwithstanding reliability issues of the 'fixes'.
bio
Resident Junky
Posts: 6644
Joined: Tue Dec 31, 2002 12:24 pm
Location: Spokane, WA
Has thanked: 26 times
Been thanked: 43 times

Post by bio » Mon Dec 27, 2004 2:50 pm

Eve wrote: Well at this point, let's have the facts.

:D
Yeah... what she said!
"That's What"
- She
bio
Resident Junky
Posts: 6644
Joined: Tue Dec 31, 2002 12:24 pm
Location: Spokane, WA
Has thanked: 26 times
Been thanked: 43 times

Post by bio » Tue Dec 28, 2004 9:22 am

Lovely... a new version of the worm is out there.
Santy.e doesn't only target phpBB but it also attacks other PHP scripts that are vulnerable to the file inclusion exploit, says DarkVision Hardware in The Netherlands, adding:

"Like earlier Santy variations, Santy.e uses Google to identify exploitable Web pages written in PHP which use the vulnerable functions "include()" and "require()." Santy.e, however, also throws Yahoo's and AOL's search engines into the mix, learning a lesson from the originals, which were stymied when Google blocked their searches."
"That's What"
- She
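The "file inclusion" pattern that news item refers to is a PHP script that lets a request parameter decide what include() or require() loads. As an added example for this thread (not phpBB code, and not from the forum or from DarkVision), here is that pattern beside one way to close it: the request selects a key from a fixed map and the code owns the file path. The page names, the `pages/` directory and the `PAGES` map are assumptions of the example.

```php
<?php
// Added example, not phpBB code and not from the forum: the include() pattern
// worms such as Santy.e search for, beside a hardened version.

// --- Vulnerable: the request decides which file include() loads. -----------
// With remote includes enabled this accepts a URL; without them it still
// accepts any local path the web server user can read.
function renderPageUnsafe(string $page): void
{
    include $page . '.php';   // $page came straight from $_GET['page']
}

// --- Hardened: the request selects a key; the code owns the path. ----------
// Directory and file names are assumptions of this example.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'faq'     => 'faq.php',
    'contact' => 'contact.php',
];

/** Map a page key onto an absolute path inside PAGE_DIR, or null if not allowed. */
function resolvePage(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;                       // unknown key: nothing is loaded
    }
    $dir  = realpath(PAGE_DIR);
    $full = realpath(PAGE_DIR . '/' . PAGES[$page]);
    // Defence in depth: even a bad map entry cannot point outside PAGE_DIR.
    if ($dir === false || $full === false
        || strncmp($full, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null;
    }
    return $full;
}

function renderPage(string $page): void
{
    $file = resolvePage($page);
    if ($file === null) {
        http_response_code(404);
        echo "No such page\n";
        return;
    }
    include $file;
}

// Only an allow-listed key ever reaches include(); anything else is a 404.
renderPage($_GET['page'] ?? 'home');
```

The map is what matters: `renderPage('../../etc/passwd')` or `renderPage('http://example.invalid/x')` never reaches include(), because neither string is a key in `PAGES`. The realpath() check is a second line of defence for the day someone edits the map carelessly. Search-engine discovery, which the worm relies on, does not help once the script refuses everything but its own keys.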