NeverEverNoSanity worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
blujay
Registered User
Posts: 11
Joined: Wed Dec 22, 2004 3:24 am

Post by blujay » Wed Dec 22, 2004 3:42 am

salty78 wrote: The only thing I know is that my webhost upgraded to PHP 4.3.10 before this started and I have yet to be hit by this worm. I also upgraded to 2.0.11 immediately after it was released. So, my unscientific answer is no to being vulnerable.


2.0.11 was released before the worm hit. So, no offense, but your experience doesn't prove it one way or the other. :)

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal » Wed Dec 22, 2004 3:56 am

I'm not really sure how many times this needs to be repeated ...

Update to 2.0.11 now. It is not vulnerable to this worm.
Update to 4.3.10 now. It is not vulnerable to this worm.
Prior to 2.0.11, phpBB had a serious vulnerability released.
Prior to 4.3.10/5.0.3, PHP had a serious vulnerability released.
Ignore any and all MODs you may or may not have installed and update to 2.0.11 now.
Proven Offensive Security Expertise. OSCP - GXPN

GSM
Registered User
Posts: 47
Joined: Tue Dec 04, 2001 2:26 am
Location: from the earth

Post by GSM » Wed Dec 22, 2004 4:00 am

We hear you, Techie! But the question is: does this worm hit PHP files or just the phpBB forum only? Because my site has a lot of PHP files and I get nowhere on my site!
hehehe

CLee
Registered User
Posts: 511
Joined: Fri Nov 23, 2001 2:42 pm

Post by CLee » Wed Dec 22, 2004 4:00 am

salty78 wrote: Did you see me complaining? I don't and I'm not looking for support either. His site is in quite good condition. I was just posting here to add to the growing list of sites that have been nailed. Perhaps you should read more carefully.

Why do we need such a list? It's very much like bragging, which we can use less of. Frankly, if you've been hit and know how to fix it on your own, there is no need to report it here.
Carlos Myers
A+, Network+
Member - Star Wars Roleplaying Club

YLA G
Registered User
Posts: 74
Joined: Sun Sep 30, 2001 3:03 am
Location: België, europe

Post by YLA G » Wed Dec 22, 2004 4:01 am

GSM wrote: We hear you, Techie! But the question is: does this worm hit PHP files or just the phpBB forum only? Because my site has a lot of PHP files and I get nowhere on my site!


The whole network here... even backup files.
Tune your car!

blujay
Registered User
Posts: 11
Joined: Wed Dec 22, 2004 3:24 am

Post by blujay » Wed Dec 22, 2004 4:03 am

Techie-Micheal wrote: I'm not really sure how many times this needs to be repeated ...

Update to 2.0.11 now. It is not vulnerable to this worm.
Update to 4.3.10 now. It is not vulnerable to this worm.
Prior to 2.0.11, phpBB had a serious vulnerability released.
Prior to 4.3.10/5.0.3, PHP had a serious vulnerability released.
Ignore any and all MODs you may or may not have installed and update to 2.0.11 now.


Ok, but you realize that the highlight vulnerability in phpBB and the serialize/unserialize vulnerabilities in PHP are separate issues, right? According to SANS, the worm exploits the phpBB vulnerability, not a PHP vulnerability.

So the question remains:

Is a server running phpBB < 2.0.11 and PHP >= 4.3.10 vulnerable?

GSM
Registered User
Posts: 47
Joined: Tue Dec 04, 2001 2:26 am
Location: from the earth

Post by GSM » Wed Dec 22, 2004 4:03 am

Does that include .zip files too? Because the backup file I got is in zip!
hehehe

blujay
Registered User
Posts: 11
Joined: Wed Dec 22, 2004 3:24 am

Post by blujay » Wed Dec 22, 2004 4:06 am

YLA G wrote: The whole network here... even backup files.


That probably deserves a separate topic, but this underscores the need for three things:

1. Unmount or disable access to backups after the backup process is complete.
2. Off-server/off-site backups.
3. Better restrictions on PHP's permissions. How many servers run PHP in safe mode? Or suexec, or setuid, or a jail, or other ways that restrict PHP scripts' permissions? If more servers were configured more securely, you wouldn't have one site on a shared server running an old phpBB causing other sites on the shared server to get their files overwritten.

GSM wrote: Does that include .zip files too? Because the backup file I got is in zip!


The worm didn't touch binary files; your zip backups should be fine.
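
Point 3 of the post above, as an added example that is not part of the original thread: a small audit that lists which files and directories under a shared web root a given PHP process user could modify, using the classic Unix owner/group/other rules. The function names, the sample tree and the uid 65534 in the demo are assumptions made for illustration.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Classic Unix write check for uid/gids (ignores ACLs and root's override)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def find_writable(root, uid, gids=()):
    """Return sorted relative paths under root that the given uid could modify."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about its target
            if writable_by(st, uid, gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample: two sites on one shared host."""
    layout = {
        "site_a/index.php": 0o644,
        "site_a/config.php": 0o666,  # world-writable: any local user can overwrite it
        "site_b/index.php": 0o640,
    }
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)
    for site in ("site_a", "site_b"):
        os.chmod(os.path.join(base, site), 0o755)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        # PHP under a separate, unprivileged account (65534 is an assumed uid)
        print("separate PHP user:", find_writable(tmp, uid=65534))
        # PHP running as the account that owns every site's files
        print("PHP as file owner:", find_writable(tmp, uid=os.getuid()))
```

Run it against the real web root with the uid and group ids that PHP actually executes under; every path it prints is one that a compromised script in any site could overwrite.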

GSM
Registered User
Posts: 47
Joined: Tue Dec 04, 2001 2:26 am
Location: from the earth

Post by GSM » Wed Dec 22, 2004 4:08 am

thanks blujay
hehehe

GSM
Registered User
Posts: 47
Joined: Tue Dec 04, 2001 2:26 am
Location: from the earth

Post by GSM » Wed Dec 22, 2004 4:12 am

Another question: I have backed up my database into database.sql... so is this file infected too?
hehehe

SailorDonut
Registered User
Posts: 12
Joined: Wed Dec 22, 2004 4:18 am

Post by SailorDonut » Wed Dec 22, 2004 4:39 am

Sorry if this is a repeat post; I couldn't find anything that helped with this problem, but if there has already been one, feel free to just point me in the right direction. :oops:

My site was hacked sometime last night or this morning by the worm. The file it attacked was not my index.php, but rather config.php. I deleted the corrupt file as you all had said, and upgraded to version 2.0.11, but obviously I goofed it up, because there is still a problem. It says it cannot access the database because the password listed in config.php (the one I uploaded after deleting the corrupt one) is incorrect.

When I installed phpBB the first time, it simply assigned the database a random password, and now I'm not sure how to access it.

My question is: is there any way I can access the database password so that I can check the one in config.php?

My other question is, if I completely fouled it up beyond repair, is there any way I can create a new database and transfer all of my old members and messages to it?

Thank you so much for your help, and I'm sorry if I posted a repeat question or posted in the wrong thread.

blujay
Registered User
Posts: 11
Joined: Wed Dec 22, 2004 3:24 am

Post by blujay » Wed Dec 22, 2004 4:48 am

GSM wrote: Another question: I have backed up my database into database.sql... so is this file infected too?


As far as I know, the worm did not touch .sql files. That should be fine.

SailorDonut wrote: My question is: is there any way I can access the database password so that I can check the one in config.php?

My other question is, if I completely fouled it up beyond repair, is there any way I can create a new database and transfer all of my old members and messages to it?


If you run your own server, you can access MySQL as the root user, and create a new user with the proper privileges on the database, then put that username and password in config.php. If it's not your server, ask the server admin to do this for you. (It's been a while since I looked at a MySQL users table. I don't remember if you can view raw passwords for MySQL users or not. If you can, you could just look up the password by logging in as the root user.)

For your other question, you would need to be able to access the MySQL databases. You would need to do this either by the method I just described, as a user with proper privileges, or if you have filesystem access, you might be able to copy the actual MySQL data files to a safe location, make a new database with a new name, rename the data files, and copy them over the new, empty database files. That might work.

SailorDonut
Registered User
Posts: 12
Joined: Wed Dec 22, 2004 4:18 am

Post by SailorDonut » Wed Dec 22, 2004 4:57 am

blujay wrote: As far as I know, the worm did not touch .sql files. That should be fine.


*nods* That's right, those files (at least, in my experience) were untouched. Thank you so much for your help, blujay. I will try those; hopefully it will help!

blujay
Registered User
Posts: 11
Joined: Wed Dec 22, 2004 3:24 am

Post by blujay » Wed Dec 22, 2004 5:02 am

Glad to help. Let me know how it turns out.

SailorDonut
Registered User
Posts: 12
Joined: Wed Dec 22, 2004 4:18 am

Post by SailorDonut » Wed Dec 22, 2004 5:32 am

Okay, creating a new user took care of the password thing, so thank you! :D I have just one more problem. :(

I'm getting an error message that says:
Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in db/mysql4.php on line 330

Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in db/mysql4.php on line 331

phpBB : Critical Error

Could not connect to the database


The lines in "mysql4.php" that it corresponds with are:
$result['message'] = mysql_error($this->db_connect_id);
$result['code'] = mysql_errno($this->db_connect_id);


I'm assuming that this might have to do with the fact that I created a new user...? Any idea on how to help?
