The guy uploads a perl script which is an IRC bot script and it connects to a channel under the cracker's control. From that point, he can execute arbitrary shell commands through a private conversation with the bot. The perl script disguises itself as an apache process. I actually learned a good amount of technique from this guy's perl code.
Unfortunately, I didn't have a decent outbound firewall on the machine and the script was able to get out, nor did I have any intrusion detection software running.
I connected to the channel the bot connects to with XChat and the guy had like 100 Linux zombies in there, all of them he got through the phpBB hack. I talked to him for a while using babelfish because he doesn't speak English. He was using them for massive DDOS attacks. I whoised them all and got the IP addresses and emailed their ISP or hosting provider. So far I only got two responses and the list of zombies entering the channel is getting ridiculous. The guy booted me and passworded it, but I did some research on him and I was able to guess his password (1st try).
Anyway, I have always considered phpBB to be the biggest weak link on any web server. Even if you keep your PHP and Apache versions totally up to date, something like this could always happen. So, my advice to anyone running phpBB, to get a little added protection:
Add the LIDS kernel patches
Use a stateful outbound firewall that doesn't allow programs to initiate a connection from the machine. For example:
Code:
# default-deny outbound, then let replies to already-established connections through
iptables -P OUTPUT DROP
iptables -A OUTPUT -p ALL -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
If anyone else has any added tips that would have rendered the hole in PHPBB useless to a cracker, please post them.
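One check for the disguise trick described in the post, added here as an example (not the poster's code): it flags processes whose argv[0] names a server daemon while /proc/<pid>/exe resolves to a script interpreter. The daemon-name list and the sample process table are constructed for the example.

```python
import os
import re
from typing import Iterable, List, Tuple

# Daemon names a script bot typically borrows to blend into `ps` output (assumed list).
SERVER_NAMES = {"apache", "apache2", "httpd", "sshd", "cron", "crond"}
# Interpreters a script-based bot actually executes under.
INTERPRETERS = re.compile(r"(^|/)(perl[0-9.]*|python[0-9.]*|php[0-9.]*|ruby|sh|bash)$")


def is_disguised(argv0: str, exe: str) -> bool:
    """True when the command line claims a server daemon but the binary on disk
    is an interpreter, i.e. a script that rewrote its own process name."""
    claimed = os.path.basename(argv0.split()[0]) if argv0.strip() else ""
    exe = exe.replace(" (deleted)", "")  # /proc/<pid>/exe marks unlinked binaries
    return claimed in SERVER_NAMES and bool(INTERPRETERS.search(exe))


def find_disguised(procs: Iterable[Tuple[int, str, str]]) -> List[int]:
    """Return the PIDs of (pid, argv0, exe) records that look disguised."""
    return [pid for pid, argv0, exe in procs if is_disguised(argv0, exe)]


def scan_proc() -> List[int]:
    """Walk /proc on a live Linux box (needs root to read other users' exe links)."""
    if not os.path.isdir("/proc"):
        return []
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        procs.append((pid, argv0, exe))
    return find_disguised(procs)


# Constructed sample: a real apache, a perl script that set $0 to "httpd", an honest perl.
SAMPLE = [
    (1234, "/usr/sbin/apache2 -k start", "/usr/sbin/apache2"),
    (4321, "/usr/sbin/httpd", "/usr/bin/perl"),
    (777, "perl bot.pl", "/usr/bin/perl"),
]

if __name__ == "__main__":
    print(find_disguised(SAMPLE))  # [4321]
```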