NeverEverNoSanity worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Gatas Parlament
Registered User
Posts: 3
Joined: Wed Dec 22, 2004 8:23 am
Location: Norway, Oslo, Kampen

hellllloooo...

Post by Gatas Parlament »

the worm thing did not happen on our server, but the server of

http://www.bbfreedom.com/

isn't this phpbb the one who has the server..?

can some moderator here give info?

br

Gatas Parlament
Last edited by Gatas Parlament on Wed Dec 22, 2004 8:19 pm, edited 1 time in total.
For peace and common sense, there is a declaration for al. Human Rights.
cubechris
Registered User
Posts: 138
Joined: Fri Aug 13, 2004 9:54 am
Location: Lincoln, UK

I

Post by cubechris »

I'm trying to upgrade fresh, but I keep getting this error

Code:

phpBB : Critical Error

Could not connect to the database
TekFi
Registered User
Posts: 6
Joined: Tue Dec 21, 2004 9:38 pm

Post by TekFi »

Mopat wrote: TekFi

BE WORRIED!

I got up this morning to find my entire site - three domains - affected. Needless to say, I hadn't upgraded PHPbb so this "worm" exploited the loophole and gave the same message throughout my domains... Anyway, the moral of the story is - UPGRADE ASAP.

But did you have this applied beforehand:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513 ?

The guys above reckon this will hold the worm until I get back home in two weeks, which is the first time I can realistically upgrade.

I hope they are right because this is wrecking my hols. Can someone re-confirm to put my mind at rest or otherwise (please please please)? I'm unsure again now.
Gatas Parlament
Registered User
Posts: 3
Joined: Wed Dec 22, 2004 8:23 am
Location: Norway, Oslo, Kampen

To you who are the fan of metallica

Post by Gatas Parlament »

this is your link

http://www.metallica-online.co.uk/index1.php

and it includ...??

when did you get it.. do you have the ip

why did you make a copy..

how big is the copy

br

Gatas Parlament

ps..

where has your index file gone..?
For peace and common sense, there is a declaration for al. Human Rights.
kezlehan
Registered User
Posts: 346
Joined: Sat Jul 17, 2004 3:56 pm
Location: Leeds, UK

Post by kezlehan »

I'm just starting my forum again so it doesn't matter, my index got a message saying that it had been defaced so I deleted it, I'm just uploading 2.0.11 now as I'm starting again...
FFIndonesia
Registered User
Posts: 164
Joined: Sun Apr 13, 2003 10:49 am
Location: Indonesia

Post by FFIndonesia »

Oh ya, guys. Don't you see the number of generations of that sick worm is always increasing.... More tough or what? :? :(
Yogya-Earthquake 2006
Almost 4000 people die
Thousands of buildings crashed
Redondo
Registered User
Posts: 210
Joined: Sun Dec 08, 2002 2:26 pm
Location: Sweden

Post by Redondo »

Correct me if I'm wrong, but all I have to do to recover from this is to replace/overwrite the phpbb-folder with my backup. Is that correct ?
Looking for: FI subice Xmas-pack
www.windsurf.se
cdllt
Registered User
Posts: 42
Joined: Wed Dec 22, 2004 3:01 am

Post by cdllt »

I found this one but not sure it is okie to use for now, hope phpBB support team can comment about it

http://www.phpbbstyles.com/viewtopic.php?t=1904
Drexion
Former Team Member
Posts: 8892
Joined: Sat Jan 25, 2003 9:54 pm
Location: City 17

Post by Drexion »

cdllt wrote: I found this one but not sure it is okie to use for now, hope phpBB support team can comment about it

http://www.phpbbstyles.com/viewtopic.php?t=1904

That MOD will prevent malicious users/scripts from taking advantage of the PHP bug via phpBB, but via phpBB alone. So if you have another php script which uses any of those functions (and most do), you will still be vulnerable (unless your host upgrades PHP), as that specific issue lies with PHP and not phpBB. If your host has upgraded PHP then there is no need for that modification.
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

The PHP vulnerabilities, if I'm not mistaken, only came to light a few days ago.


Officially, yes - but I have log entries from November 21 that show someone was already testing aspects of this worm against PHPBB, using the highlight= code. Most vulnerabilities like this get reported to the authors days or weeks before they're publicly announced, so that fixes can be put in place.

But there is a completely separate distribution network for vulnerabilities in the "bad guys" end of the net world...
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

... if you have another php script which uses any of those functions (and most do), you will still be vulnerable ...


It isn't a question about whether or not the functions are used, but how they are used. serialize() and unserialize() shouldn't BE a problem, except that PHPBB uses them against data that has left the server's control. Proper session management would have that information stored on the server, so that the session cookie only refers to it.

Even with trying to maintain compatibility with PHP versions too old to have session management built in, you don't have to expose yourself to this vulnerability. I've got code here that I modified from the book MySQL Cookbook that can put all the session management into a table, and it wouldn't take that much extra to add PHP3-compatible session control to the mix. unserialize() shouldn't have to choke on user input...
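The server-side session table described in the post above, sketched as an added example; it is not part of the original thread, not phpBB code, and not espicom's code. The table layout and function names are hypothetical, and it assumes a current PHP with the pdo_sqlite extension (an in-memory database stands in for the forum's real one).

```php
<?php
// Added illustration; all names here are hypothetical, not phpBB's.

// The pattern the post objects to: session state travels in the cookie and
// is unserialized on the server. The client controls every byte of $cookie.
function load_session_from_cookie(string $cookie) {
    return unserialize($cookie);
}

// Server-side alternative: state lives in a table, the cookie is only a key.
function session_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (
        id TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

function create_session(PDO $db, int $userId, int $ttl = 3600): string {
    $id = bin2hex(random_bytes(16)); // 128-bit random identifier
    $stmt = $db->prepare('INSERT INTO sessions (id, user_id, expires) VALUES (?, ?, ?)');
    $stmt->execute([$id, $userId, time() + $ttl]);
    return $id; // the only value that is sent to the browser
}

function load_session(PDO $db, string $cookie): ?array {
    // Accept nothing but the exact identifier format before touching the DB;
    // the cookie is never parsed, decoded or unserialized.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $cookie)) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id, expires FROM sessions WHERE id = ? AND expires > ?');
    $stmt->execute([$cookie, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db  = session_store();
$sid = create_session($db, 42);

// A cookie holding the identifier that was issued.
var_dump(load_session($db, $sid));

// Constructed input: a serialized blob sent in place of the identifier.
var_dump(load_session($db, 'a:1:{s:6:"userid";i:2;}'));
```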
jethrek
Registered User
Posts: 17
Joined: Tue Dec 21, 2004 8:24 am

Post by jethrek »

Redondo wrote: Correct me if I'm wrong, but all I have to do to recover from this is to replace/overwrite the phpbb-folder with my backup. Is that correct ?


See this thread:
http://www.phpbb.com/phpBB/viewtopic.php?t=249047
SailorDonut
Registered User
Posts: 12
Joined: Wed Dec 22, 2004 4:18 am

Re: I

Post by SailorDonut »

cubechris wrote: I'm trying to upgrade fresh, but I keep getting this error

Code:

phpBB : Critical Error

Could not connect to the database


That's what happened to me. Try creating a new user and entering that user's name and password in config.php, and make sure that user has all the proper permissions. For more specific answers, scroll up and read blujay's post in this page and the previous page, they were really helpful.

Hope that's all it is. :)
sneakyimp
Registered User
Posts: 162
Joined: Sat Nov 06, 2004 4:50 am

Post by sneakyimp »

for anyone who's interested, I have written a script which attempts to detect backdoor files left by Santy and also detect any admin-level users too.

http://www.phpbb.com/phpBB/viewtopic.php?p=1363529

let me know what you think...how it could be improved, etc.
Skyraider
Registered User
Posts: 89
Joined: Mon May 19, 2003 9:05 pm

Post by Skyraider »

Hope this helps, if it hasn't already been posted:

Symantec's response to Perl.Santy