NeverEverNoSanity worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
dhn
Former Team Member
Posts: 4999
Joined: Wed Jul 04, 2001 8:10 am
Location: Internet
Name: Dominik Dröscher

Post by dhn » Tue Dec 21, 2004 6:28 pm

brakkums wrote: Will my site be safe if I just make this change?
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513


You will be safe from this worm, yes. This fix is included in 2.0.11, so users who were wise enough to update are already protected.

However, if you did not yet update to 2.0.11, please do it now. Just applying the fix while running an older version might still allow intruders to get into your forum.

Allie Mae
Registered User
Posts: 18
Joined: Tue Apr 27, 2004 4:41 pm

Post by Allie Mae » Tue Dec 21, 2004 6:31 pm

post removed
Last edited by Allie Mae on Wed Jan 05, 2005 12:58 am, edited 1 time in total.

CrazySat
Registered User
Posts: 106
Joined: Fri Sep 05, 2003 8:32 pm
Location: Somewhere around the Earth

Post by CrazySat » Tue Dec 21, 2004 6:36 pm

Hi

Have you a mailing list to join so that all phpBB users are warned in real time about urgent upgrade in case of similar disaster :?:

Would it be possible to send a broadcast through this board to all registered users so that they are warned to upgrade immediately ?

It is just an idea which could help to solve problems in the future...

I just upgraded to 2.0.11 for a pure circumstance... I came here to ask for help on different problem and one guy warned me to upgrade ASAP and so I did.

Thank you for your work and time.
Regards

CrazySat
PER ASPERA AD ASTRA

dhn
Former Team Member
Posts: 4999
Joined: Wed Jul 04, 2001 8:10 am
Location: Internet
Name: Dominik Dröscher

Post by dhn » Tue Dec 21, 2004 7:02 pm

CrazySat wrote: Hi

Have you a mailing list to join so that all phpBB users are warned in real time about urgent upgrade in case of similar disaster :?:

You can register at sourceforge and monitor the phpbb packages here:
http://sourceforge.net/projects/phpbb/

We are working on a better solution for update notifications that will be introduced soon.

CrazySat
Registered User
Posts: 106
Joined: Fri Sep 05, 2003 8:32 pm
Location: Somewhere around the Earth

Post by CrazySat » Tue Dec 21, 2004 7:05 pm

@dhn

Thanks for info :!:
Regards

CrazySat
PER ASPERA AD ASTRA

ddhblt
Registered User
Posts: 57
Joined: Sun Feb 09, 2003 10:09 pm

Post by ddhblt » Tue Dec 21, 2004 7:41 pm

Thanks for all the helpful info, especially this link http://www.kaspersky.com/news?id=156681162 which pretty much sums it up.

Once a site is infected, it doesn't start attacking others. It's called a worm, but it isn't propagating itself, is it? Are we allowed to post the IP address of the offending server initiating these attacks?

rcreasey
Registered User
Posts: 4
Joined: Thu Dec 09, 2004 3:32 am
Location: Irvine, CA

Possible Band-Aid

Post by rcreasey » Tue Dec 21, 2004 8:09 pm

Check this out. I managed to get a copy of the exploit script someone was kind enough to leave on my server after defacing it:

Edited by moderator - Please don't post exploit code here - Techie-Micheal

Now if you'll notice, around lines 42 or so, there's an exit line checking for a file named 'stop.it'. You should be able to just create a file named 'stop.it' (blank, whatever... I did '$ touch stop.it') in the root directory of your phpBB and it should at least stop this iteration of the worm. Granted I may have a custom built exploit script engineered for my servers, but at least you guys can see what the script is doing.
--
Ryan C. Creasey
Systems Administrator
IGN Entertainment

QuackerJack
Registered User
Posts: 7
Joined: Mon Dec 20, 2004 2:28 pm

Post by QuackerJack » Tue Dec 21, 2004 8:19 pm

Nice find Ryan!

I saw that same code on my server so I don't think yours was a custom script.

rcreasey
Registered User
Posts: 4
Joined: Thu Dec 09, 2004 3:32 am
Location: Irvine, CA

Post by rcreasey » Tue Dec 21, 2004 8:33 pm

You have to be kidding me.

If someone wanted to find the exploit code for malicious purposes, they wouldn't have to look very hard. I've spent all morning grieving over my cluster of servers that got nailed and I figured I'd be able to help others out.

- Ryan

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Tue Dec 21, 2004 8:37 pm

rcreasey wrote: You have to be kidding me.

If someone wanted to find the exploit code for malicious purposes, they wouldn't have to look very hard. I've spent all morning grieving over my cluster of servers that got nailed and I figured I'd be able to help others out.

- Ryan

But they don't need to look here. As hard as it may be to believe, there are people who post URLs to their pre-2.0.11 phpBB installs. Believe me, it is appreciated, but we don't want people looking here, finding exploit code, and have a cornucopia of links at their disposal right here.
Proven Offensive Security Expertise. OSCP - GXPN

mikelhall
Registered User
Posts: 12
Joined: Thu Aug 19, 2004 4:07 pm

Post by mikelhall » Tue Dec 21, 2004 8:46 pm

So, my question would be, HOW would you stop your site from being vandalized while working on the upgrade? I have to do it manually, since I use a heavily modded site. Would changing the php dir work? I need it live to test the changes!

leventpek
Registered User
Posts: 79
Joined: Thu Oct 21, 2004 3:22 am
Location: Istanbul / Turkey

Post by leventpek » Tue Dec 21, 2004 8:48 pm

Hello guys,

Now, I'm confused. Is the 2.0.11 vulnerable or not? In this very thread some say it is vulnerable, some say it is not. 8O :?

One more thing. Due to my very limited time I was only able to apply the viewtopic fix to my 2.0.8a installation. At the moment I'm greatly nervous of any worm attack but again I have no time to do a complete 2.0.11 install. Do I need to panic? :cry:

Many thanks,

mikelhall
Registered User
Posts: 12
Joined: Thu Aug 19, 2004 4:07 pm

Post by mikelhall » Tue Dec 21, 2004 8:49 pm

I applied the Viewtopic fix to my 2.0.4 installation and was STILL attacked. FYI

neenmo
Registered User
Posts: 1
Joined: Wed May 01, 2002 11:09 pm

Post by neenmo » Tue Dec 21, 2004 8:58 pm

From what I understand, this relies on your SQL prefix being 'phpbb', perhaps changing that from the default could help you out.

leventpek
Registered User
Posts: 79
Joined: Thu Oct 21, 2004 3:22 am
Location: Istanbul / Turkey

Post by leventpek » Tue Dec 21, 2004 9:08 pm

neenmo, many thanks. I'd be grateful if you could supply us the required SQL Query to change the default phpbb prefix from the tables. :wink:
